Welcome to a new blog series call “Hackers use This.” This is an attempt at a low maintenance, interview-esque series aimed at security folk. I’ll be inviting all sorts of hackers asking them questions about their preferred software, hardware, etc. Basically what they use to get their jobs done.
This site is almost directly inspired by the author of usesthis.com. Thanks Daniel!
I’ll be posting the 1st article to showcase the type of content hopefully seen here in the future. Here we go:
Senior Security Researcher (Fortify on Demand – an HP Company)
Who are you, and what do you do?
My name is Jason Haddix (jhaddix). I am a Senior Security Researcher at a dynamic/static security testing SaaS. I currently architect and develop solutions and methodologies to address security problems. Before this I was the director of penetration testing and before that I was a penetration tester. I focus on several areas including web application testing, static code analysis, mobile hacking, and anything else that is needed. I’m a former prolific bug bounty addict, current gamer (Destiny and DOTA2 atm), (former-ish) blogger, sometimes CTF player, and family man.
You can find me on twitter ranting, github (hardly coding), several sites blogging, and LinkedIn barely paying attention. I have a “soft CV” here.
What hardware do you use?
I work from home so I have some space in my lab. My primary testing rig is also my gaming rig. It’s a custom built PC running on an Intel Core i7 870. It has 16GB of RAM, dual AMD Radeon R9 290
graphics cards, a 300GB SSD for the OS, and four 1TB storage drives. I have 5 24 inch diplays on this rig, 4 coming from the graphics cards and one via USB extender. I use a Razer Naga
for mouse and a Razer Black Widow
My secondary rig is a HP z600 fully upgraded (Dual Xeon’s, 32GB RAM, SSD, ++). This box runs all my practice virtual machines in my lab.
My laptop is a newgen Macbook Pro
with the Nvidia graphics card, making it able to handle my gaming addiction as well.
My mobile lab includes an iPad 3rd generation, Galaxy Nexus, an iPhone 5, all jailbroken/rooted for mobile testing.
My home network is handled by a prosumer wireless router (maker and firmware omitted) with dual wireless networks and an attached NAS of 1TB.
My office also houses a generic 32″ LCD TV connected to my PS4. I use a XIM4 converter
to enable a mouse and keyboard on the PS4. It makes head shots easy.
What does your testing network or lab look like?
I have a few “labs”. One is simply a guest wireless network with several severs that are vulnerable to different exploits. I peruse the CTF and vulnerable-software-for-leaning
scene and stand them up here. This is mostly for my hacker friends who visit and myself to keep sharp.
All my mobile lab is connected to my main PC where I use the various SDK’s and shell into the devices. I also use the Mac for Xcode as well.
And what about tools and software?
For web security testing:
On iOS I prepare my environments with all the normal *nix tools (see here
). We use custom made analysis tools written in a mash-up of Bash, Ruby, and Python as well. I do keep the device armed with several of the stand alone tools mentioned in the OWASP iOS Application Testing Cheatsheet
as well. For Android (which I do less of these days) I have the SDK set up and have our custom mobile testing framework installed (think Metasploit for mobile). We call it Mobius. I really like Hopper Dissembler
I’m pretty old-school, I just use Pandora
for music. If I’m on my main rig I sometimes use Chrome Remote Desktop
to get into my Mac to use iMessage
. If I’m in a world obsessed with texting I’d rather use a keyboard as an input device. I use Skype
for Chat with hacker friends (but long live IRC). I use Logitech G930
‘s for my wireless headset which seems to give the best range for a wireless set I could find. I do most of my coding in Sublime Text
(although I’m slowly learning VIM finally).
What is your dream setup?
I could really use a monitor stand/arm that could accommodate my monitors but didn’t break the bank. That or I would want a few Apple Thunderbolt
I reserve the right to update this self interview with new developments!