Category Archives: Life the universe and everything

Burp a sandstorm

Back when Andy Gill and I were working together it became a running joke in the office that whenever you open Burp Suite, Darude's Sandstorm must blare out. How would you get a shell storm without Sandstorm? Back in December I took a moment to make an extension that does exactly that. Have the code here:

from burp import IBurpExtender
from java.awt import Desktop
from java.net import URI

# Placeholder: the original post does not include the video URL, so set your own.
SANDSTORM_URL = "https://example.invalid/replace-with-your-sandstorm-loop"

class BurpExtender(IBurpExtender):

	extensionName = "Hacking in Progress"

	def registerExtenderCallbacks(self, callbacks):
		# Name shown in the Extender tab
		callbacks.setExtensionName(self.extensionName)
		# Only try to launch a browser when the JVM has desktop integration
		if Desktop.isDesktopSupported() and Desktop.getDesktop().isSupported(Desktop.Action.BROWSE):
			Desktop.getDesktop().browse(URI(SANDSTORM_URL))

Save this into a “.py” file and load it as a Python extension within Burp (Extender → Extensions → Add, with the Jython standalone JAR configured under Options). Bear in mind that any extension loaded this way runs with the same privileges as Burp itself, so read the source before loading anything you did not write.

It serves no useful function unless you want a 10 hour loop of Sandstorm playing in your system default web browser. To be honest, why wouldn’t you?

Awkward first post of 2019 out of the way. Back onto useful things soon.

* Featured image was pulled off Google with “Free for non-commercial use” selected. The Flickr account that originally had it doesn’t exist now so unable to thank the person who took it or seek permission. Whoever took it, well done and hope you are ok with my using it.

Seeking new life, and new opportunities

It dawned on me that the tasks I had originally set myself when I joined Pentest Ltd (now Secarma) back in 2015 have been met, delivered and exceeded.

I wanted to create a penetration testing team and provide a new route for graduates in Scotland. Instead of mostly relocating to England for a career I sought to ensure there was a place for people wanting to stay nearer to home.

Three years on the industry up here is in rude health. Now Context, NCC, and Pentest Partners have offices too. Not that I am taking credit for those. It has been glaringly obvious to me that Scottish universities have been hurtling out talent for years that probably would have preferred to remain in Scotland if they could.

What is true is that there are plenty of options for the next generation and that is basically what I wanted to achieve so thanks guys 😀

Always leave people on a song right? So I resigned with All along the watchtower yesterday:

* Edit. At some point the file upload got lost so restored the post to its former glory.

I wish Secarma all the best in their future endeavours. They are a talented group, and they are kicking on and looking to do exceptional things.

What gets me out of bed in the morning is to help people. Helping customers secure their assets, and helping colleagues to do more personally and professionally. Both of these are vital to me.

I could certainly have continued doing these at Secarma. However, I saw my three year anniversary come and go this month and simply assessed the job I was hired for as being complete.

Now I am seeking new opportunities. My experience:

  • I have found, trained, and managed penetration testing teams for the last 5 years.
  • I am still an active penetration tester with 13 years experience.
  • I am based in Glasgow.
  • I am available from sorta mid November after a bit of self reflection/home renovation.

Rules for contact are:

  • As they say “my DMs are open” on Twitter over @cornerpirate.
  • If you are the owner, MD, technical director or just in a position to make decisions on behalf of your organisation then go right ahead.
  • If you are a recruiter I prefer not to engage. Thanks for thinking of me.

Go on then InfoSec community what do you want me to help with?


Exit Interview

I failed upwards into management a few years ago. This means that I effectively opened an office for my employer and was responsible for finding, evaluating, recruiting, onboarding and generally looking after a team in Glasgow. This has been a privilege and for the most part the last two years has been a riot.

We built a pretty tight ship of overlapping skills with enough diversity in our thoughts to make things entertaining. It is to be expected that folks who join the crew set sail themselves to explore new shores someday. That doesn’t make it any easier when you effectively think of them as friends first.

Today is the last day for one of the original deck hands who is leaving for the best of reasons. What I know is that they are properly prepared for whatever is coming both personally and professionally. They will rock it out somewhere else.

I am learning there is a difference between intellectually knowing that there will be staff turnover, and experiencing it first hand a few times. Nobody said management was ever fun.

Reckon I am a bit like a parent waving their kid off to Uni and knowing that it is actually a good thing for them.

We will miss the enthusiasm and abilities day-to-day. But forever I will be up in your life so don’t you worry about that.

Pentesting; Failing Upwards

I was given instructions to start an office. Find candidates, filter through them, and then pick a number of them. A lot of trust and I wholeheartedly thank my employers for giving me the rope to do this.

I have never really seen becoming a manager as a career ambition. I always have, and most likely always will, call this “failing upwards”. Why? Put simply, being a Pentester for me is the greatest job on the planet. Any step away from doing that *every day* must simply be called “failing”, right?

Over the years I have assisted many in the industry by offering advice and training, but most importantly (so I am told) TIME.

During my decade or so I have seen those I helped go from entirely green to campaign hardened professionals. Thinking back to them being straight out of university and unable to sort out their “multiple simultaneous logins” from their “session hijacking” (more common than you might expect that confusion!). They now are doing exceptional things themselves.

Usually the committed people will get there on their own and it is not necessarily my influence. In some small way I hope they do even one thing better as a result though!

Currently, I still get to do a decent number of testing days which is good. However, I see the time for that coming to an end relatively soon. The in-take for the inaugural year seems set and now we just have to focus on starting them off correctly.

Guess I will have to live vicariously by assisting my new troop during their projects. To support all of this I have been making training and coming up with little speeches in my head.

Today I am really excited to start the newest member of the team off on the route of how to be professional, and get the job done. There are a lot of myths about the industry that seem to build up. Universities seem adept at teaching some things but not in making “consultants”. Part of the programme will be to sort those out!

The goal is not to make people ready for passing some certification like CREST. It is to make them engaged with their job, confident in doing it, aware of where to get information, and to deliver things that are useful to customers.

Remember these few points:

  • the report is the “product”. Not how amazing your technical acrobatics are.
  • recommendations are what the customer pays for.
  • talk to the customer. Not all of them are the same, some might have a preferred risk system etc.

Take ownership of your deliverables, care about your name being on it, and TALK to the customer. These things will set you up the right way.