RememBear Password Manager

A few weeks ago I received an email offering to let me try the premium variant of the RememBear password manager for a year for free. I assume that I received this since I currently have an active TunnelBear subscription that I use for my VPN. I didn’t bother looking into things too closely, but my understanding is that you can normally use RememBear for free, but syncing your passwords between multiple devices requires a premium subscription… meaning that in 2020 when people have a phone, a tablet, and at least one computer, a premium subscription is basically a requirement. I figured that I may as well give it a shot in order to see if it could possibly tide me over until Dropbox Passwords is a bit more mature; a year of free service seems like a good bit of time for the Dropbox team to improve upon their product.

The RememBear apps for macOS, iOS, and iPadOS are all very slick. They feature the same cute, cartoon bear as TunnelBear. If I type in my master password on macOS, the bear will even move its head to follow along as I type. That being said, typing in my master password happens infrequently since the apps on all 3 platforms work really well with Touch ID and Face ID.

The apps on all 3 platforms also do well with auto-filling passwords for me, including with the browser extension for Safari on macOS. Likewise, the iPadOS app is, mercifully, an iPad application rather than the expanded iOS app. I did run into a few random bugs on macOS where the application would be blank after unlocking it, showing as if I didn’t have any logins stored. I saw another issue where my logins were all listed, but using the search feature wouldn’t return any results even if there were matches. In both cases, closing out of the application and re-opening it fixed the problem, and I only encountered each bug once.

Adding new devices or recovering your account is streamlined with a QR code mechanism that leverages another device which already has RememBear configured on it. This makes the setup quick and easy, though it remains unclear what recourse there is if the master password itself is lost and no other devices are configured. They don’t give you anything like the secret word list for Dropbox Passwords or the secret key from 1Password.

One of the nice benefits of RememBear over the still-immature Dropbox Passwords is that it does offer an option for creating and syncing secure notes. I frequently use these for things like saving WiFi pre-shared keys. Unfortunately, I’ve had to start using these for saving API keys, too, because RememBear doesn’t offer the option to add multiple credential fields for each login. I can also store them, much as I did with Dropbox Passwords, in the provided notes section for each login, though it does make copying and pasting the keys a bit more annoying than in something like 1Password or Bitwarden, which simply give you the option to add multiple credential fields.

The biggest issue with Dropbox Passwords, though, is unfortunately shared with RememBear: there is no web-only option. Installing the browser extension for Firefox, for example, will not work on my Manjaro Linux laptops because the desktop client is still expected and there is no Linux application. This was really surprising to me since one of the reasons I initially started using TunnelBear as my VPN service was due to the fact that they offered a standalone browser extension that I could use back when I had Chromebooks which couldn’t install any type of full-fledged VPN client. Given that RememBear has been around for at least a few years and is by no means a new product, I did a little bit of digging to see if there were any plans to support Linux or Chrome OS (while I no longer use Chromebooks because Google is pretty gross, Chrome OS support would indicate a standalone browser extension.) The latest I could find was a comment from May of 2019 on the Chrome extension which simply confirmed Linux and Chrome OS weren’t supported.

With its slick, cute, and bear-laden UI, RememBear is probably one of the nicest-looking and most user-friendly password managers around. For the overwhelming majority of people, it also likely ticks all of the boxes they would care about as far as features are concerned. Any Linux users out there, though, will be disappointed with the complete inability to use it with their operating system of choice. Here’s to hoping for web support or a standalone browser extension at some point in the future, but for the time being Linux aficionados are better off sticking with something like 1Password or Bitwarden.

Keychron K2 V2

I recently ran into a problem with my keyboard at home, a Logitech K350, AKA a Logitech Wave; the O key stopped reliably working. Sometimes it would work fine, sometimes it would work only when pressed with an excessive amount of force no touch-typist could reliably muster (at which point the key would clank down awkwardly), and sometimes it just wouldn’t work at all. Unsurprisingly, the letter O is one that I use with a good bit of regularity, so this presented a problem. I decided to go ahead and order a new keyboard and started sizing up my options. I didn’t do much research, though, before Craft Brew Geek recommended the Keychron K2 V2. He hadn’t used one but had seen positive feedback on it from some highly respected people (MKBHD, anyone?), and I think he wanted someone he knew to try it out before he decided if he should get one. I was happy to oblige after doing a little research of my own and seeing almost exclusively positive feedback.

The first thing worth noting is that this is Version 2. That’s important because you can find the first version floating around on the cheap. It’s important to not mix them up, though; the initial offering of the K2 was fraught with problems that V2 tackles nicely. V2 comes in a few different variants based on the lighting and body style that you want, along with how much you want to pay. I went for the variant with RGB lighting (cool but not that important) and an aluminum frame (extremely important.) I had read online that the keyboard sans frame was light to a detriment without enough weight to properly hold it down on the desk. I did pay more for the frame, but with the build and the features, this is still relatively cheap in the world of mechanical keyboards.

The K2 is a TKL (tenkeyless) keyboard, meaning that it doesn’t have a number pad. Unlike many other TKL models, though, it has 84 keys because it still features dedicated arrow keys and dedicated Home, End, Page Up, and Page Down keys. Memorizing another function layer for keyboards that don’t feature dedicated keys like this isn’t the end of the world, but I view having them as a significant quality of life bonus.

The bigger quality of life bonus, though, falls to the keycaps. The K2 features macOS-based keycaps. It comes with replacement keycaps for Windows in case you use that operating system and need to swap Option for Windows and Command for Alt. This is pretty common among mechanical keyboards, though it’s worth mentioning that the K2 has a dedicated physical toggle to control whether it’s operating in macOS or Windows mode; most keyboards use a software function for that. The bigger difference, though, is in the function row. Along with having the standard F1 – F12 markings, the keycaps also show the corresponding macOS function. As a macOS user, I can’t stress enough how helpful it is to have the keycaps appropriately marked so that I know which key is going to turn up my volume and which one will launch Exposé, for example. As another quality of life bonus, the K2 also features a dedicated screenshot key that’s the equivalent of hitting Command + Shift + 4 on macOS. That’s extremely cool in my opinion.

On top of all of this, Keychron also provides orange keycaps that you can opt to use on Escape and on the key which controls the backlighting. I thought they looked snazzy and decided to use them, though you can swap to more standard keys if you wish. I was also pleasantly surprised that a wire keycap puller was included rather than one of the cheaper plastic ones that’s all but guaranteed to scratch up your keycaps. While there are plenty of dedicated keys, even more of the K2’s functionality is tucked behind key combinations in conjunction with the Function key. The included instruction booklet clearly highlights all of these, and it was a matter of minutes to get everything configured the way I wanted it.

The lighting in my photo isn’t great, but rest assured that you can eschew RGB in favor of locking the lights into a nice shade of pink.

I’m the type of person who rarely uses any type of adjustable riser on my keyboards, and this was one of the biggest flaws with the original take on the K2; it was almost completely flat. V2 of the K2 has a nice, gentle slope that’s pretty much exactly where I want it to be. For those who want more of an angle, there are 2 sets of adjustable feet on the bottom. The official website only calls out the difference of 9 degrees, which has to be for the more drastic of the pairs. I’d guess the other is 4 degrees, but I wasn’t about to dig up a protractor to find out. The default slope makes for a very nice typing experience for me, so I haven’t even worried about the feet beyond confirming that they exist.

Typing on the K2 is an overall pleasant experience with one minor issue I’ll touch on later. Keychron offers three choices of switch: Gateron Blues, Browns, and Reds. This was my only real hesitance in deciding to buy the keyboard since I’ve always been a stickler for Cherry switches. I opted for the Gateron Browns even though I would prefer Blues simply because I’m using this keyboard for work, and I don’t need my typing to be any louder than it already is while I’m thundering out 120 WPM on calls. While the Gateron Browns don’t feel quite as nice as Cherry Browns in my opinion, they’re really close. Both Cherry and Gateron Browns even actuate at the same 55 grams. I feel good that my concern over the switches wasn’t warranted.

The K2 can connect to devices either via Bluetooth or USB-C. I’ll likely never use it via Bluetooth if my Plum Nano serves as any indication, so USB-C will be my go-to method. This is where one of the two issues I have with the K2 V2 comes into play. The USB-C port is on the left side of the keyboard rather than the back, which you can see in the top image. The provided USB-C cable accounts for this by connecting at a right-angle so that it can immediately be directed behind the board, and this seems to work fine… as long as I have that cable. If I’m ever forced to use a different, more standard cable, that’s going to make for a janky setup.

The other issue I have with the K2 V2 I hesitate to even really call an “issue”; it’s more something I need to adjust to a little bit as a touch-typist. The right Shift key is a little bit shorter than it would be on a standard ANSI QWERTY keyboard. This is done to allow for the dedicated arrow keys. I would say that 98% of the time (yes, I’m completely making up this number), it’s not an issue. The other 2% of the time, I accidentally extend my pinky just a bit too far and hit the up arrow or awkwardly catch the edge of the Shift key. It’s not a huge ordeal, and as someone who has periodically dealt with using ISO keyboards before I know I’ll adjust quickly; it feels worth mentioning, though. It’s also good practice for me since my Starlabs Lite Mark III that’s currently sitting in customs in the UK has a much shorter right Shift key for the exact same reason.

On the whole, I’ve been extremely pleased with the K2 V2 so far. I’ve used it for a little over a week, generally spending 9 – 14 hours a day on it between work, training, and personal projects. It’s a treat to type on, the functionality is nice without being overkill, and I think the size really hits the sweet spot between not taking over my desk and not forcing me to re-adjust it every 5 lines of code because it’s constantly moving; the aluminum frame that I opted for undoubtedly helps it in that regard. I really do think that for $90 USD you could do significantly worse, and the K2 V2 has features and a build quality I’d be expecting from a mechanical keyboard in the $120 – $150 USD price range. I think this is a great keyboard for anyone, but especially if you’re a macOS user in the market for a mechanical keyboard, the Keychron K2 V2 would be a smart place to start.

Apple Music: Back in the Saddle

For anyone who listens to the Same Shade of Difference podcast, you may have heard a brief discussion between Mark and me about how I had switched from Apple Music to Amazon Music. I’ve previously been a fan of Spotify, though I became increasingly irritated with the focus they started giving podcasts rather than music. I know it’s weird coming from someone who has spent the past couple of years creating podcasts, but I don’t listen to them. Additionally, I don’t really want them being advertised to me when I’m trying to look for music. When I swapped to an iPhone about a year ago, I decided to try out Apple Music since I could get a few months of it for free. After my free 3 months, I decided to stick with it. Recently, though, I swapped away from it and decided to give Amazon Music a shake. After about a month and a half, though, I quickly abandoned ship back to Apple Music.

First, let’s start with why I left Apple Music in the first place. After all, I use a MacBook Pro, an iPhone, and an iPad. Shouldn’t Apple Music be my best choice? The main issue is that the Apple Music application on macOS is, to be blunt, a dumpster fire. The application has a plethora of issues when it comes to responsiveness and playback. “Did I accidentally miss clicking on that button or is the application just being super slow?” is a question I find myself asking on the regular. The biggest issue, though, is when it just randomly decides to either 1.) not load or 2.) skip every song as though playback is unavailable. It’s not at all uncommon, for example, for me to click the Browse option from the menu only to be presented with a completely blank UI. No buttons, no albums, no genres. All I can do is quit the application, re-launch it, and hope for the best. In other instances, Apple Music will rapid-fire skip through tracks as though they’re unavailable. It’ll select a track from whatever album or playlist I’m trying to listen to, pause for a second or two, immediately skip to the next track, and just repeat this endlessly. Searching online shows plenty of people experiencing the same issues. Usually some secret handshake combination of signing out and back in, de-authorizing and re-authorizing the device, and switching networks (yes, really) will sometimes take care of the problem. It’s frustrating to the extreme.

With that being said, what would make someone switch back? First, let’s talk about what’s good about Amazon Music. The application on both macOS and iOS/iPadOS is rock-solid. I didn’t experience any errors, playback problems, bugs, etc. Beyond that, though, it was just an incredibly lackluster experience; while there wasn’t anything I’d qualify as “bad”, there also wasn’t anything I’d qualify as “good”. To start off, the application regularly would pester me about doing a free trial for their Premium offering that allows you to stream music at a higher bit-rate. It would offer 3 months of that, after which time it would automatically swap me from paying the standard $10 USD a month that everyone charges for their individual plan to $15 a month. Hard pass.

While that was irritating, the bigger issue was the lack of personalized content. Apple Music and Spotify both offer a handful of customized playlists each week showcasing music that you like, music to fit different moods, etc. Amazon Music gives you one; you get a discovery playlist, and it doesn’t even necessarily focus on new releases. That was a major letdown for me.

I had initially thought that I would just step up the manual work to discover music on my own, but this is where Amazon Music really fell apart. As anyone who knows me is likely already aware, I listen mostly to indie music. Amazon Music doesn’t even delineate indie into its own genre; to see indie music, I had to browse through the “Alternative” section. This means that when I’m trying to check out new releases for discovery, I’m sifting through garbage like Coldplay while trying to reach gold like Falcon Jane. Music discovery in Amazon Music quickly became less enjoyable and more frustrating. To make matters worse, shortly before I switched away from it, the macOS application received a complete overhaul that did away with the normal ability to browse through different genres and playlists. Everything suddenly revolved around searching, and while it worked to get me to the same content as before, it was ultimately a very clunky and unintuitive experience.

The nail in the coffin, though, was that Amazon Music doesn’t bother to get the rights to a not insignificant amount of international music. For example, when Lee Suhyun’s track ALIEN released, I was surprised to see that it wasn’t available on Amazon Music. The same thing happened with Reol’s track Q?. At this point, I realized that I just really needed to switch to a different service.

So now the last big question: why did I switch back to Apple Music instead of going back to something like Spotify? There were several reasons. One of the big ones is that I’ve been interested in subscribing to Apple One. I was wanting to bump my iCloud storage space up a little bit, and if I was using Apple Music then it seemed like the easy decision that would also get me access to Apple TV+ and Apple Arcade. Additionally, I’ve been interested in the Apple HomePod for a while but never wanted to spend the $300 USD on one; when they started dropping to $200 USD over the past few months, I figured that had to be due to something new and exciting being on the horizon. Sure enough, the HomePod Mini recently released, and I decided to pull the trigger on one. While Apple Music does work with Amazon Echo devices, of which I have several, I figure the HomePod Mini will offer a much more elegant experience. The final reason is pure laziness; I didn’t want to bother with trying to update all of my playlists yet again. When I moved from Spotify to Apple Music, I spent more time than I care to admit moving all of my playlists over by hand. When I decided to try out Amazon Music, I went through the same process again. I didn’t relish the thought of moving nearly a year’s worth of playlist updates from Amazon Music to Spotify; if I stuck with Apple Music I’d only have to worry about catching up my playlists on the last month of content… a month that was a bit of a discovery drought due to the issues already mentioned.

After switching back, I’ve already discovered significantly more music than I had while I was using Amazon. I’ve also run into a couple of issues with the macOS application for Apple Music, but I’m trying to keep my hopes up that things will be better with it on the new Macs running on the M1 chip. In the meantime, I’ve updated the links on both my About page and to point to my Apple Music profile; feel free to scope out my playlists!

Books: Attack Surface

Attack Surface is the latest novel by amazing author and journalist Cory Doctorow. Cory is one of those people with whom almost anyone interested in digital rights and online privacy is likely at least somewhat familiar. While I followed Cory on Twitter (back when I still used Twitter) from my early days on the platform and regularly read his content on Boing Boing, I never read any of his books until Craft Brew Geek convinced me (not that it took a lot of convincing) to read Little Brother and Homeland. The two are young adult novels in a series that ostensibly address the fallacy of “I don’t need to worry about my privacy if I have nothing to hide.” While categorized as science fiction, the books are set in a very near future, featuring invasive technologies that are either 1.) actually present today or 2.) aren’t that far off. The novels should essentially be required reading at this point for anyone who uses technology (i.e. basically everyone.) They were the topic of Episode 15 of the Unusually Pink Podcast, while Mark and I more recently discussed them in the Same Shade of Difference.

Attack Surface is the 3rd novel in the series. Set a few years after the events of Homeland, it switches things up a little bit by focusing on one of the supporting characters from the first two novels, Masha. In the first two novels, Masha has been on the inside of extremely invasive government surveillance programs and also has had some whistleblower run-ins. Attack Surface zeroes in on her perspective.

In a vacuum, I feel like Attack Surface is an extremely good book, and I would highly recommend that everyone give it a read. It provides a very real and very terrifying look into the type of surveillance that’s possible in the world of state-sponsored threat actors. Operational security guidelines are almost always prefaced with the idea that not everyone has the same opsec requirements. Attack Surface showcases the absolute worst case scenario of state-sponsored APTs (advanced persistent threats) and what they’re capable of doing in terms that aren’t very far-fetched. I also enjoyed the change of Masha becoming the main character. In my opinion, at least for the first two thirds of the novel, she provided a nice dose of realistic pragmatism that contrasts sharply with the almost wistful naïveté provided by Marcus in the first two books. That being said, I’m a bit more critical of the writing in Attack Surface than I was with Little Brother and Homeland for reasons that I’ll get into a little later on. Likewise, I feel like the novel had an excellent opportunity to really set itself apart from the first two books in the series, but in the end it kind of fizzled out into more of the same.

As I mentioned previously, Little Brother and Homeland are categorized as young adult novels; the publisher, Tor, published them under their Tor Teen line. Attack Surface is published under Tor, and from the start of the novel it’s apparent why. I haven’t dug into things to see if this was the intent, but it certainly feels like the novel is aimed at a slightly older audience. Masha regularly drinks to excess and enjoys using colorful language; maybe that’s why I enjoyed her so much as a protagonist. The subject matter for the book often ventures into areas untouched by the first two novels; Masha regularly deals with sexual harassment, the violence depicted is frequently more severe than before, and a rape is described with enough detail to make anyone with a moral compass feel uncomfortable and angry at the same time. Personally, I feel like this setup works well, if indeed that was the goal. Readers who may have actually been in the “young adult” range when the first two books came out would likely now be old enough to be looking for something with a bit more substance to it.

However, I feel like this comes with an additional price tag for an author when it comes to telling the story, and I didn’t feel as though Attack Surface was really up to the task. The story is told alternating between Masha operating at the present and Masha reliving moments of her past. It’s a nice technique that slowly bridges the gap between what happened behind the scenes in material not covered in the first two novels and brings Masha up to speed in the present. Only… it doesn’t. After covering how Masha originally got started with the DHS and how she moved into the private sector with security contracting for the government, it covers how she eventually came under scrutiny for possessing the classified intelligence she had that she gave to Marcus in Homeland. After the resolution of Homeland, though, there’s just a massive gap in time. At the start of Attack Surface, Masha is working for yet another security contract firm… after she was literally kidnapped and imprisoned in Costa Rica by the last one? What on Earth has to happen to make someone decide that’s a good decision? While it may be easy to think sweeping those details under the rug isn’t a big deal, I personally think it’s extremely relevant when she spends such a significant amount of time in the present debating her lifestyle and what her next security job should be even while she grapples with the knowledge that the work she’s been doing doesn’t make the world a better place. She has direct, firsthand knowledge of the seedy inner workings, rife with illegality and no one questioning if because we can means we should. This seems like a hole in the plot extremely relevant to Masha’s present state of mind.

Likewise, the ending just felt haphazard to me. Masha ends up moving back to Berlin to do… what? No one knows. She laments multiple times throughout the novel that she has a lot of money at her disposal but not that much money. Being able to continue earning money is a common quandary for her when she’s trying to figure out her next move, and she ends up giving up many opportunities for that during the climax of the story. Are things good for her? Did she end up making an even bigger sacrifice than she had conceived in the moment? I feel like the latter could have added some gravitas and made the climax less campy.

Speaking of the novel’s climax, as mentioned before I couldn’t help but feel disappointed that it just turned out to essentially be the same as the first two novels. The book started out very strong and very different from the rest of the series, with Masha doing contract work in a fictional eastern European country simmering on the brink of revolution against an authoritarian government. Masha is playing both sides, installing intrusive Internet trackers by day and helping protesters avoid them by night. Shit hits the fan almost immediately, which leads to Masha being terminated from her position. She ends up going back to the United States, and by the halfway point of the novel Marcus and Ange are once again prominent characters. The story settles into a bit of a familiar routine, and suddenly it’s up to the same handful of white kids to save the Bay Area… for the third time. I know I’m tainted a bit by my view as a jaded millennial, but that was why I liked Masha’s pragmatic and frankly realistic outlook so much. While I understand that part of the novel is exploring her personal growth while she changes her viewpoint, I saw the erosion of that pragmatism to the same flavor of “everything’s going to work out if we stick together and do the right thing!” viewpoint coming straight from Saturday morning cartoons in the 90’s and spouted by Marcus as disappointing. The unrealistic kumbaya session after the final protest could have been tempered a bit if we had more details of Masha’s aftermath, but as I mentioned that information wasn’t shared.

If anyone is still reading this, they’re likely confused as to why I said at the start of the post that Attack Surface is an extremely good book since all I’ve done over the past 5 paragraphs is rip into it. I really do think it was a good book, but it’s a good book in the way that Little Brother and Homeland were already good books. I don’t feel like Attack Surface did anything to differentiate itself; it’s basically telling the same story for the third time, and that’s why I’m so critical of it. I feel as though the first half of the novel set the plot up to tell a fresh story with a fresh take and fresh consequences to a more mature audience. Instead, it played things safe by going back to the same story we’ve heard twice before. While that’s a strong and important story, don’t get me wrong, Attack Surface could have been so much more.

Even More Storage: Yearly Bonuses For Paid ProtonMail Accounts

It’s no secret around this blog or for anyone who listened to the Unusually Pink Podcast that I’m a fan of ProtonMail. While it’s unfortunate that privacy in the world of computing often comes with an associated monetary cost, the simple fact of the matter is that if you aren’t paying for your email account then chances are the provider is making money off of your data that happens to be stored in it. Google, for example, is happy to give you free email so that they can scrape your data out of it and make a comprehensive profile about your life for advertising purposes. ProtonMail takes a firm stance against this practice, and they actually do permit users to create completely free email accounts that are never scraped or monitored; their setup actually ensures that they couldn’t access the plaintext content of your email even if they wanted to. Doing this is only possible, though, because some users opt to pay for additional features and thus subsidize the free accounts. I happen to be one of those people who has been paying for a few years now both to help support the ProtonMail mission and to get access to a custom domain in my account.

ProtonMail occasionally likes to give special perks to their paid customers as a token of appreciation; I’ve written before about how they’ve given away a bonus 5 GB of storage for paid accounts. They’ve done the same thing another time since that post, giving me 10 GB of bonus storage on top of the 5 GB that comes with my paid plan. While I said at the time of my original post that I didn’t really need the storage at the moment but was happy to have the extra bits just in case, ProtonMail has subsequently stated that the storage can be shared with the upcoming ProtonDrive secure cloud storage offering once that’s available.

As another token of gratitude, ProtonMail has announced regular storage increases for paid accounts; each year that a paid account remains active, it receives 1 GB of bonus storage on the anniversary. Even better, this is retroactive. Since I’ve had a paid account for 3 years, when the initiative was implemented I immediately received 3 GB of bonus storage. I’ll get a 4th GB on my yearly anniversary coming up later this month.

The general principle is straightforward:

– When you sign up for any paid Proton plan, you are automatically eligible for Storage Bonuses.

– On the one year anniversary of your paid subscription, you will receive 1 GB of additional storage for free that can be used with your ProtonMail inbox. (In the future, your storage will be shared between your ProtonMail inbox and your ProtonDrive vault.)

– This will happen every year, and your Storage Bonuses will accumulate as long as you have a paid plan with Proton without interruption.

While the current bonus value is 1 GB right now, they say this will increase in the future, though it’s unclear if the increase is also retroactive or if it will only apply to new bonus accumulations going forward:

The current Storage Bonus is 1 GB per year, but this will be increased in the future.

The full details are available, along with a FAQ, from their support article. The tl;dr is basically that you get bonus storage every year on the anniversary of your paid account as long as you remain with a paid subscription on any Proton product. This means that if you pay for ProtonVPN but not ProtonMail, you’re still eligible for the bonus storage. That eligibility and current storage accumulation continues to apply even if you stop paying for ProtonVPN and start paying for ProtonMail (or ProtonDrive when it comes out) as long as the two periods overlap. Having a lapse in paid subscription will reset the accumulation of bonus storage.
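To make the accrual rules from Proton’s three bullet points and the overlap/lapse caveat above concrete, here is a small added example that is not from the post or from Proton. It takes a list of paid periods on any Proton product, joins the ones that overlap into one uninterrupted run, treats any gap as a lapse that starts a new run, and pays one bonus unit per anniversary of the run that is active today (the retroactive behaviour). The subscription dates and the "today" values are constructed sample data, the treatment of periods that touch on a boundary day as overlapping is an assumption, and the bonus rate is a parameter only because the post says the 1 GB figure may rise.

```python
from datetime import date

# Constructed sample data (not from the post): paid Proton subscriptions as
# (product, start, end); end=None means the plan is still active.
TODAY = date(2020, 11, 10)                 # constructed "today" for the examples
BEFORE_FIRST_ANNIVERSARY = date(2018, 10, 31)

# ProtonVPN and ProtonMail periods overlap, so they form one uninterrupted run.
OVERLAPPING_PERIODS = [
    ("ProtonVPN", date(2017, 11, 1), date(2018, 12, 1)),
    ("ProtonMail", date(2018, 11, 20), None),
]

# Same plans with a two-month gap between them: the lapse resets accumulation.
LAPSED_PERIODS = [
    ("ProtonVPN", date(2017, 11, 1), date(2018, 12, 1)),
    ("ProtonMail", date(2019, 2, 1), None),
]


def merge_paid_runs(periods, today):
    """Collapse paid periods on any Proton product into uninterrupted runs.

    Periods that overlap (including on a boundary day, an assumption here) are
    joined; a gap between periods starts a new run, i.e. a lapse. A still-active
    period (end=None) is treated as running through `today`.
    """
    spans = sorted((start, end if end is not None else today)
                   for _, start, end in periods)
    runs = []
    for start, end in spans:
        if runs and start <= runs[-1][1]:
            runs[-1] = (runs[-1][0], max(runs[-1][1], end))   # extend current run
        else:
            runs.append((start, end))                          # gap: new run
    return runs


def whole_years_between(start, today):
    """Number of anniversaries of `start` that have occurred by `today`."""
    years = today.year - start.year
    if (today.month, today.day) < (start.month, start.day):
        years -= 1
    return max(years, 0)


def storage_bonus_gb(periods, today, gb_per_year=1):
    """Bonus storage owed on `today`: gb_per_year per anniversary of the run that
    is active today (the retroactive rule), or 0 if no paid plan covers today.
    """
    for start, end in merge_paid_runs(periods, today):
        if start <= today <= end:
            return whole_years_between(start, today) * gb_per_year
    return 0


if __name__ == "__main__":
    print("overlapping plans:", storage_bonus_gb(OVERLAPPING_PERIODS, TODAY), "GB")  # 3
    print("lapsed plans:     ", storage_bonus_gb(LAPSED_PERIODS, TODAY), "GB")       # 1
```

The two sample sets differ only in whether the ProtonMail plan started before or after the ProtonVPN plan ended: with the overlap the run dates back to 2017 and three anniversaries have passed, while the gap makes the run start in 2019 and only one anniversary counts, which is exactly the reset the post describes.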

All told, I think it’s another nice perk from ProtonMail, and with the ability to leverage the storage for ProtonDrive, a product that I’m highly looking forward to, the more storage that I can get my hands on the better.

Books: Hands On Hacking

While I’ve been stuck at home as the global coronavirus pandemic rages on (currently on day 241 of quarantine, for those who listen to the Same Shade Of Difference), I’ve been trying to make the most of my time in captivity with lots of reading, training, and personal projects to learn as much new stuff as I can. One of the items that came on to my radar a few months ago was a new infosec book titled Hands On Hacking from Wiley. Written in part by Hacker Fantastic, whom I’ve followed on Twitter for quite a few years across my various accounts, I figured it would be a good refresher for some of the hacking concepts I’ve used before and a primer for newer tooling that I’m not as familiar with.

As you can see from the book’s cover, the idea is to teach “purple teaming”, which is the idea of doing away with the silos for the “red team” that tries to breach systems and the “blue team” that tries to defend them. The book covers the full gamut of hacking, starting with open source information gathering to get as much data as you can about your target before actively engaging with any of their systems all the way through compromising web applications and moving laterally through internal systems.

All throughout, the book uses purple teaming as a focus; it very clearly outlines that taking part in any of the activities covered without the express consent of the owners of the system can carry severe legal penalties. The goal is either to assist you with a career as a penetration tester or to give you the tools and knowledge to pen test and secure the systems you manage yourself. You will not read the book and immediately find yourself living the life of a Mr. Robot character.

The book, in my opinion, is very well written. While I was familiar with most of the concepts covered, I think it was written in a way that makes the material approachable even for readers without much prior knowledge in the world of infosec. That being said, while there is a good bit of hand-holding in the introduction to Linux, I think there are some basic, assumed competencies in the world of computing. I don’t think that’s a fault; you really have to draw the line somewhere, and I think the authors did a fantastic job of making everything as approachable as possible.

The book comes with a complete lab environment with virtual machines pre-configured to be exploitable in a fashion to demonstrate the concepts covered in each chapter of the book, giving readers the option to either read the book purely for information or to work through the labs and practice executing the material discussed. In my mind it’s essentially like a self-guided, DIY version of something like the excellent Foundstone Ultimate Hacking class that I was fortunate enough to take a few years ago.

If you’re already a skilled hacker, is the book going to enlighten you to new, next-level exploits? Definitely not. But if you’re a systems administrator who is responsible for managing the servers at your company, a SaaS admin responsible for identities, or a developer responsible for creating applications exposed to the Internet at large, it’ll give you a very solid baseline for making sure that your own systems aren’t vulnerable to the most egregious of issues. I personally found the open source intelligence gathering chapter very useful; it covered techniques and services for determining how much information about your company, and what specific details regarding its employees, is available to literally anyone with an interest in finding out more. It’s allowed me to work through setting up some scripts to automatically check on this and notify me when perhaps more information is leaking out than it should due to things like 3rd party breaches where users may have signed up with a company email address.

Similarly, I think the book is also a good read for leadership-level people who may not need to know the technical details of how hacks are accomplished but need to be mindful of what’s possible and what their employees should be looking for when developing and administering systems. These readers likely don’t need to go through things like achieving the exploits themselves in the lab (though obviously it’s cool if they want to), but the book can serve as a nice reference for what the company’s employees should be looking for when they decide to roll out a new service or application.