Rob Chahin

Now with more Bleeding Edge CSS - update your browser (probably).


Oct 31, 2015: Spooky Halloween Update: I should really move some projects from Bitbucket to GitHub. I have 7 projects up there excluding my dotfiles, and a couple of them may even be useful to some people. If nobody has coined the phrase "GitHub Anxiety" yet, I call dibs.

Aug 14, 2015: Have been having fun speaking at some more conferences. Also been having fun finally turning this website into a git repo and pushing changes online via the AWS CLI client, both things I'd meant to do for a while. Since this update has no especially interesting content, here's a bonus: probably the worst recruiter e-mail I've ever received. Seriously guys, just acknowledge that you've bothered taking 15 seconds to pull up my website or Twitter feed or something before you e-mail me, and you'll get a response. You're wasting time on your 1000 word recruiter e-mail, and you're wasting my time by making me read it.

May 25, 2015: Just looked again to see if 1Password had a native Linux client, and again the answer is no. However, I did find a recent developer comment suggesting that the browser extension for Chrome CAN talk to 1Password in WINE as long as you disable browser signature verification (Help > Advanced > Verify web browser code signature). Restart the Helper (also under Help), and the extension should let you autofill, albeit a little less safely.

Mar 03, 2015: Looking forward to spending the next few months of my life working through the PWK course / OSCP certification. It seems to be an almost-unanimously well-regarded cert, with an entirely practical final exam. There are too many infosec practitioners who can articulate what you shouldn't do, but can't back it up with concrete examples of why not. My comfort level of pen testing is mostly limited to basic web applications, so this should round that out.

Feb 10, 2015: If you're looking at liquid column website layout, you need to know about the flexbox mode in CSS3. This is easily the best resource I found while I was updating this site.

Feb 09, 2015: As much as I love AdBlock Plus as a user, it is a perennial pain in my ass when trying to keep the icons on this page visible. It's now taken to eating Facebook, Twitter and G+ again.

Feb 07, 2015: I took a whitepaper I was writing on hashing credit card numbers but never finished, updated it and changed the focus to cover cardholder storage in general. Currently having it go through the approval process since it's A Work Paper (and the original was a tad 'critical' of the SSC), so should be releasing that next week. Eyes peeled.

Feb 05, 2015: Secret code for recruiters: any evidence that you took the 5 seconds required to locate my website and/or Twitter account which are both labelled with my very rare name. If you didn't read beyond the first line of my LinkedIn page, I'm not going to acknowledge your e-mail. Sometimes I wonder if I wouldn't be the most successful recruiter in history, because I'd actually say things like "I checked out your GitHub account and saw that [...]", and I just feel like that's more work than 99% of all recruiters do.

Jan 19, 2015: Having fun with syntax highlighting. Not sure of the best way to apply it yet, but you can take a look over here.

Jan 12, 2015: Working on a couple of slide decks - horrible things I've seen in real world networks, live exploit demo for non-offensive types, crypto for normals. Also working on a tool or two, nothing fancy but should be pretty good time savers. Between that and the end-of-year and start-of-year rush (waiting for middle-of-year-rush to land), not much time for grand visions of this website. As always, if you think you're a totally rad risk/compliance type and everyone else is totally gnarly, speak to me about a job. We're totally bodacious.

Sep 14, 2014: A passing note on the state of PCI QSAs, the world's least controversial topic. Like my colleagues in pen testing and appsec research, I have generally had little to no faith in QSAs, or the SSC's ability to certify them. I've read enough reports by QSAs that were just plain wrong. However, having sat through the current versions of both the PA-QSA and the P2PE-QSA training, most of the guys in those classes were actually pretty good. According to the SSC, the exams are getting harder every year now in an attempt to remedy the problem of really dire QSAs - something that has been needed for a while. The PA certification at least is still far too easy, and there's very little crypto understanding required for P2PE, but progress is being made. As should be extremely obvious, these opinions are mine and in no way endorsed or reflective of whoever happens to be signing my paychecks at the moment.

Aug 28, 2014: More of an aide-memoire than anything else, discovered during yet another attempt to seriously migrate to a Linux desktop. IronKey volumes are vfat and by default apply world-writable permissions, which will prevent ssh from using private keys located on one. Despite having to mount the drive with their binary, it will respect an fstab entry forcing the permissions. For reference / memory, my current entry is:

UUID=30AF-2C0B /media/robchahin/ImationUSB vfat ro,nosuid,nodev,uid=1000,gid=1000,shortname=mixed,dmask=0077,fmask=0177,utf8=1,showexec,flush,uhelper=udisks2
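
An added example, not part of the original page: a small POSIX sh script that works out what file and directory modes the fmask/dmask options in an fstab line actually produce (vfat clears the mask bits from 0777) and checks the file mode against ssh's private-key rule, which rejects any key readable or writable by group or other. The second fstab line, with no masks set, is constructed to show the default case the note describes.

```shell
# Added example (not from the page): derive effective vfat modes from an fstab
# entry and check whether ssh would accept a private key stored on that volume.

# The entry quoted above (from the page), and a constructed one with no masks.
FSTAB_LINE='UUID=30AF-2C0B /media/robchahin/ImationUSB vfat ro,nosuid,nodev,uid=1000,gid=1000,shortname=mixed,dmask=0077,fmask=0177,utf8=1,showexec,flush,uhelper=udisks2'
DEFAULT_LINE='UUID=30AF-2C0B /media/robchahin/ImationUSB vfat defaults'

# octal_to_dec OCTSTRING -> decimal; done digit by digit so it works in plain sh
# (an empty string, i.e. option absent, yields 0)
octal_to_dec() {
    _n=0; _s=$1
    while [ -n "$_s" ]; do
        _d=${_s%"${_s#?}"}      # first character
        _s=${_s#?}              # remainder
        _n=$(( _n * 8 + _d ))
    done
    echo "$_n"
}

# mount_option LINE NAME -> value of NAME=value in the 4th (options) field
mount_option() {
    echo "$1" | awk '{print $4}' | tr ',' '\n' | sed -n "s/^$2=//p"
}

# mode_from_mask OCTMASK -> effective mode: 0777 (511) with the mask bits cleared
mode_from_mask() {
    printf '%04o\n' $(( 511 & ~$(octal_to_dec "$1") ))
}

# key_mode_ok OCTMODE -> success only if no group/other bits (077 = 63) are set,
# which is the condition ssh applies before it will load a private key
key_mode_ok() {
    [ $(( $(octal_to_dec "$1") & 63 )) -eq 0 ]
}

# report LINE -> effective file/dir modes and whether ssh would accept a key
report() {
    fmode=$(mode_from_mask "$(mount_option "$1" fmask)")
    dmode=$(mode_from_mask "$(mount_option "$1" dmask)")
    if key_mode_ok "$fmode"; then verdict=ok; else verdict="too open"; fi
    echo "files=$fmode dirs=$dmode ssh_key=$verdict"
}

report "$FSTAB_LINE"      # files=0600 dirs=0700 ssh_key=ok
report "$DEFAULT_LINE"    # files=0777 dirs=0777 ssh_key=too open
```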

Aug 28, 2014: Until I build some kind of permanent links section, you can find PGP keys for me at the MIT Keyserver, Keybase, or wherever you normally go for keys.

Aug 21, 2014: Finally fixing the dodgy SSL config I've had up here. For the rest of the day there will be expired cert warnings. I am aware of them. Fixed.

Aug 20, 2014: Today I learned that the .googleplus class applied to an anchor will cause AdBlock Plus to hide it. And there was me thinking I was going crazy.

Aug 20, 2014: I wrote a blog/rant about penetration testing as part of the PCI DSS v3.0 requirements, and my employer kindly published it. tl;dr: good pen tests are PCI compliant already. Client defines scope. Pen tester defines method. Method includes exploitation and traversal of network resources.

Aug 20, 2014: I just moved the old page over to oldsite/. I plan to update and very slightly prettify this page in the near future.