Thoughts on the CREST CPSA

I’ve just sat my CPSA in preparation for $newjob.

The CPSA is part of a UK government qualifications track administered by CREST for accrediting ethical security testers and their companies. You can find a fairly barebones syllabus online along with some suggested reading material.

The CPSA changed radically a couple of years back, in that it used to be open book and packaged with a practical component, the CRT. It’s now closed book, separate from the CRT (and indeed, a prerequisite for sitting the CRT) and administered in Pearson test centres in MCQ format. The only other discussion of the CPSA I’ve found is from before this change.

The exam content is under NDA and of course, the question bank will give different content to each candidate, so this discussion isn’t going to give much away. However, although I’ve worked in security for the last five years (and IT in general for twenty) I went into the exam feeling the least confident I’ve ever felt. I’d read the syllabus and most of the reading list and still really had no idea about the content or question style.

So, here’s my advice:

  • Read the syllabus thoroughly. Note that some points aren’t examinable in the CPSA but are for the CRT and vice versa.
  • If you’re actively working in pen testing and have a background in general IT, or better still, have a CISSP or GSEC then you’ll be good with just a bit of general reading up.
  • Read the question and answers thoroughly, obviously!

Good luck!

Data mangling the Piccadilly Line

TfL have been nice enough to release a data set showing how busy trains are – the train loading.

They use a 6 point scale to measure the busy-ness:

Scale  Definition          Actual measure on train
1      Very quiet          zero to all seats taken
2      Quiet               0 to 2 customers per m2
3      Fairly busy         2 to 3 customers per m2
4      Busy                3 to 4 customers per m2
5      Very busy           4 to 5 customers per m2
6      Exceptionally busy  more than 5 customers per m2

As I live in West London and work in Central London I’m interested in morning eastbound and evening westbound travel.

So, bad luck if you want to get on a train at South Ealing towards Acton Town between 0800 & 0830:

In the evening it’s very busy from central London westwards between 1745 & 1830, although once you get to Gloucester Road you stand more of a chance of getting on:

The numbers seem to suggest that the loading to Rayner’s Lane is the same as Heathrow destined trains; in my experience this isn’t borne out. The data gives a hint towards this in that Acton > Northfields trains are busier for the same time window, but I wonder whether the lower frequency of Uxbridge trains skews this a bit.

Hopefully this gives you an idea of your chances of getting on a train in the morning – I’d love to see this baked into Citymapper.




I’ve encountered a couple of bugs with internet-connected devices recently so I thought I’d document them in case some other poor soul had the same troubles.

Yes, I’m kinda aware I’ve brought a lot of this on myself but it does somewhat show that these things aren’t ready for primetime just yet. I’ve done the “sensible” thing and segregated IoT devices onto their own separate, firewalled VLAN although most vendors aren’t necessarily expecting this arrangement. Many devices do NAT hole punching which seems to work ok, except when there’s UDP traffic or IPv6 thrown into the mix. Explicit port forwarding seems to be on the (thankful) wane.

Nest Protect

I had a really strange experience when my Nest smoke alarms suddenly stopped checking in. They couldn’t jump on the network and even a reset failed with the cryptic error code P007(3.9). Their technical support has actually been surprisingly good but they couldn’t figure it out.

I eventually deduced that Nests will only try the first DNS server handed out to them over DHCP. If that one is broken (but a second/third/fourth is still up so name resolution is working for everyone else!) then they fail with this generic error.

Fix: make sure your primary DNS is working; Nest need to fix the bug in their firmware so they’ll failover gracefully (which you’d assume they’d do for a safety device).

Update 05/03/17: the bug doesn’t seem to have been accepted by Nest still so I guess this isn’t going to get fixed. If a single point of failure in networking for a device that’s supposed to tell you your house is on fire worries you, I guess don’t buy one?
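The failure above comes from a device that only ever asks the first resolver in the DHCP lease, so the check worth running is to query each resolver directly rather than through the operating system's stub resolver, which quietly falls over to the next server and hides the problem. The script below is an added example (not code from the post, and nothing to do with Nest's firmware): it sends a raw DNS A query to every address in RESOLVERS and reports the result per server. The resolver addresses are constructed placeholders; replace them with the ones your DHCP server hands out.

```python
"""Query each configured DNS resolver directly, so a dead primary shows up even when
the OS is silently failing over to the next one.

Added example, not from the original post. RESOLVERS holds constructed addresses:
replace them with the servers your DHCP lease hands out."""
import random
import socket
import struct

RESOLVERS = ["192.0.2.1", "192.0.2.2"]  # constructed placeholders, not real servers


def build_query(name: str, txid: int) -> bytes:
    """Build a minimal DNS A query in RFC 1035 wire format with recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(msg: bytes, offset: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, and the name ends here
            return offset + 2
        offset += 1 + length


def parse_response(msg: bytes, txid: int) -> dict:
    """Return {'rcode': int, 'addresses': [...]}; raise ValueError on a malformed or mismatched reply."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(msg, offset) + 4  # skip QTYPE and QCLASS
    addresses = []
    for _ in range(ancount):
        offset = _skip_name(msg, offset)
        rtype, rclass, _ttl, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlength]
        offset += rdlength
        if rtype == 1 and rclass == 1 and rdlength == 4:
            addresses.append(socket.inet_ntoa(rdata))
    return {"rcode": flags & 0x000F, "addresses": addresses}


def check_resolver(server: str, name: str = "example.com", timeout: float = 2.0) -> dict:
    """Send one query to a single resolver and report the outcome; never falls back to another server."""
    txid = random.randrange(0, 0x10000)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, txid), (server, 53))
        data, _ = sock.recvfrom(512)
        return {"server": server, "ok": True, **parse_response(data, txid)}
    except (socket.timeout, OSError, ValueError) as exc:
        return {"server": server, "ok": False, "error": str(exc)}
    finally:
        sock.close()


if __name__ == "__main__":
    for server in RESOLVERS:
        result = check_resolver(server)
        status = "OK" if result["ok"] and result["rcode"] == 0 else "FAIL"
        print(server, status, result.get("addresses") or result.get("error", ""))
```

A FAIL on the first line of output with the other servers reporting OK is exactly the situation the post describes: name resolution works for everything on the network except a device that never tries the second resolver.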

Netatmo Welcome

I had a camera working for ages until one day it suddenly stopped and just showed “disconnected”. A reset similarly failed to get it back online and the setup process choked with generic errors about checking the internet connection etc.

Some hints from a forum led me to find that the camera runs an IPsec tunnel back to Netatmo over UDP. This tunnel is initiated from Netatmo’s side and my stateful firewall didn’t appreciate unsolicited inbound UDP.

Fix: Permit UDP source ports 500 & 4500 from any public IP to the IP of your camera. Note that this is not port forwarding, just a firewall rule.

(I haven’t been able to pin down exact IP ranges this will come from as Netatmo use a variety of servers and they weren’t forthcoming with help.)

Philips Hue

Again, all was working super until one day geofencing and alarms broke. Trying to connect the bridge to the online account (My Hue) would literally cause the bridge to crash – it would remain on the network but be unresponsive over its mini web browser or even zigbee light switch presses.

Philips technical support haven’t been great and blame it all on home networking despite being given packet captures.

Fix: None so far

Workaround: Connect your Hue bridge into Homekit and use the automation features of Apple TV instead.

Update 05/03/17: this randomly started working again recently. Still no word from Hue support though.

Thoughts on the CISSP

Disclaimer: I’m a member of the SANS Advisory Board. SANS is a competitor certification awarding body to ISC2. None of the examples below are real questions from either exam and shouldn’t be used as revision!

I recently clocked up enough elapsed time (after deductions for my GSEC) to be eligible for the CISSP, took the exam, passed and, after a wait, was awarded it.

There are a reasonable number of comparisons out there between the GSEC & CISSP but none that I found that look at it after CISSP updated the common body of knowledge in 2015.

Broadly the style of the exams is similar in that they’re both computer-based proctored affairs at Pearson testing centres (CISSP used to be pen & paper!). The GSEC is shorter (180 questions against 250, 5 hours not 6) and also has the benefit of allowing one 15 minute stopped clock break at any point. The biggest difference though is that GSEC is open book, CISSP all has to be memorised: this allows the GSEC to test certain things akin to the real world like “which of these nmap switches would you use for x” (ie something you’d either google or use the help pages for). Both exams have scenario type questions: “you’re the security officer for widgets INC, which is the best firewall for a DMZ if you’re worried about DDoSs” and hotspot / drag & drop multiple correct answer types. Both allow questions to be flagged and revisited.

I found the revision for the GSEC adequately prepared me for the content and style of question I faced in the real exam. Mock tests are available, which again were fairly close to the real thing. The CISSP was not so – I read a variety of books (Eric Conrad’s), the SANS bootcamp course and the official ISC2 flashcards app but once in the exam the questions felt wildly different to anything I’d revised for. This isn’t helped by the 25 ‘wildcard’ questions thrown in that don’t count!

I’ve never failed an exam in my life but I honestly found myself at the halfway point thinking I’d failed it. Genuinely that bad. Where I could answer things quickly and confidently I did so; anything I was 90% on I answered but flagged; anything I had no clue on I left blank and flagged. The first pass left me with maybe 50 questions I had to go back and review, although I probably only changed a couple of answers on the second look. An actual advantage was gleaning information from later questions to use in earlier ones.

It’s certainly been said that to pass the CISSP you have to ‘think like a manager’ which I always felt was a bit derogatory but I think it really means to think at a high level, never be afraid to give an answer that refers to outside experts and always prioritise human safety.

The CISSP, like the GSEC, is certainly a mile wide and an inch deep – although I think the GSEC is maybe more like an inch and a half! For both, having experience in the field is certainly a blessing and a curse: you need some outside knowledge but you’re often tempted to add extra information into the questions – “I do change management differently to that at work”.

So which is the better exam? From an experience perspective I’d say the GSEC was the more ‘enjoyable’ and perhaps relevant to the day job. It certainly taught me some new things to take back to the day job too. But the GSEC is not so widely recognised so if you want to pass that automated screening bot on your next job search then maybe the CISSP is the one to go for.

Controlling your lighting with Hue and Perl

It seemed like a ridiculous extravagance to be able to control your home lights with some very expensive Philips Hue lightbulbs but having lived with them for a bit I’m actually quite impressed at how well they work and the range of lighting they can produce.

My next thought obviously then turns to ‘how can I make my lighting do something more useful?’. The Hue iPhone app is quite clever (geofences allow you to turn the lights on as you arrive home, for example) and IFTTT integration is also fun but rather limited (only one light at a time, no conditional triggers). Philips have kindly documented the Hue API and it’s pretty straightforward to use – time to break out the Perl.

There is a Perl module on CPAN (Device::Hue) but it’s not all that great so I decided just to poke the Hue bridge directly, and as it’s just JSON, this is pretty easy.

So here are a couple of examples of things I’ve done. I wouldn’t consider them re-usable as they are but are probably a useful starting point if you’re thinking of doing something similar.

  • Before using you’ll need to set up a new user’s API key on the bridge; just follow the Philips instructions to do this.
  • You’ll also need to know the IP/URL to your bridge on your network.
  • As the colour space (‘hue’) is a bit complicated to determine, I’ve tended to configure the lights to how I want them, do a GET of the light state and then reuse those values in the script. There’s probably a nicer way to work this out, but for these quick and dirty scripts it’ll be fine.

Lights on at sunset

I trigger this via cron at (say) 3pm daily, it then just checks every five minutes if the sun has set for that particular day yet before exiting. The lights get turned off by Hue app scene timer or by hand.


use Astro::Sunrise;
use common::sense;
use HTTP::Request;
use LWP::Simple;
use LWP::UserAgent;

open my $LOG, '>>', '/scripts/lights.log' or die "Unable to open log for writing $!";
$| = 1;

# sun_set() returns today's sunset as "HH:MM"; strip the colon so it compares numerically
my $sunset = sun_set(0.0,50.0); #long, lat
$sunset =~ s/://g;

my $uplighturl = "http://bridgeurl/api/apikey/lights/1/state";
my $downlighturl = "http://bridgeurl/api/apikey/lights/2/state";

my $uplight = '{"on":true, "sat":220, "bri":26, "hue":34440}';
my $downlight = '{"on":true, "sat":220, "bri":190, "hue":34440}';

while (1) {

    my @curtime = localtime();
    # zero-pad hour and minute so 17:05 becomes 1705 rather than 175
    my $curtime = sprintf '%02d%02d', @curtime[2,1];

    if ( $curtime > $sunset ) {
        print $LOG "$curtime is after $sunset, turning lights on\n";
        setlight( $uplight, $uplighturl );
        setlight( $downlight, $downlighturl );
        last;
    }
    else {
        print $LOG "$curtime before $sunset, sleeping...\n";
        sleep 300;
    }
}

close $LOG;

# PUT a JSON state body to one light's /state endpoint and echo the bridge's reply
sub setlight {
    my ( $body,$bridgeurl ) = @_;
    my $req = HTTP::Request->new( 'PUT', $bridgeurl );
    $req->header( 'Content-Type' => 'application/json' );
    $req->content( $body );
    my $lwp = LWP::UserAgent->new;
    my $response = $lwp->request( $req );
    print $response->decoded_content;
}


Tell me what the weather & tube is like before I leave the house

In the mornings I’d quite like to know if I need to take an umbrella, the tube is broken, or both. I have a lamp on the exit route that shows blue (rain), red (tube) or purple (apocalypse). I’ve used a couple of API services for tube & weather that return things in a nice JSON format that plays well with Perl, but you can adapt for your own uses.


use common::sense;
use HTTP::Request;
use LWP::Simple;
use LWP::UserAgent;
use JSON;

# the service hostnames were stripped from the post; fill in the tube status and weather endpoints you use
my $tubestatusurl = "";
my $weatherurl = ",uk&cnt=1&mode=json&units=metric";

my $bridgeurl = "http://bridgeurl/api/apikey/lights/1/state";

my $tubebroken = '{"on":true, "sat":255, "bri":255, "hue":65527}';  # red
my $raintoday = '{"on":true, "sat":255, "bri":255, "hue":47124}';   # blue
my $apocalypse = '{"on":true, "sat":255, "bri":255, "hue":58009}';  # purple

# 1 = tube broken, 2 = rain, 3 = both
my $lightcounter = 0;

my $tubejson = get( $tubestatusurl ) or die "No response from tube status service";
my $decoded_tubejson = decode_json( $tubejson );

my $tubestatus = $decoded_tubejson->{response}{lines}[0]{status};

if ( $tubestatus =~ /good service/ ) {
    print "Good status\n";
}
else {
    print "Jubilee line problems\n";
    $lightcounter = 1;
}

my $weatherjson = get( $weatherurl ) or die "No response from weather service";
my $decoded_weatherjson = decode_json( $weatherjson );

my $weather = $decoded_weatherjson->{list}[0]{weather}[0]{main};
if ( $weather =~ /Rain/ ) {
    print "Rain today\n";
    $lightcounter += 2;
}

if ( $lightcounter == 1 ) {
    setlight( $tubebroken );
}
elsif ( $lightcounter == 2 ) {
    setlight( $raintoday );
}
elsif ( $lightcounter == 3 ) {
    setlight( $apocalypse );
}

# PUT a JSON state body to the lamp's /state endpoint and echo the bridge's reply
sub setlight {
    my ( $body ) = @_;
    my $req = HTTP::Request->new( 'PUT', $bridgeurl );
    $req->header( 'Content-Type' => 'application/json' );
    $req->content( $body );
    my $lwp = LWP::UserAgent->new;
    my $response = $lwp->request( $req );
    print $response->decoded_content;
}
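Both scripts above do the same three things: build a JSON state body, PUT it to a light's /state endpoint and print whatever the bridge sends back. The Python below is an added example (not the post's code and not Philips' own library) that does the same job with a little more care: the bridge address and API username come from the HUE_BRIDGE and HUE_API_KEY environment variables rather than being baked into URL strings, the state values are checked against the ranges documented for the v1 API before they are sent, and the bridge's reply, which is a list of success or error items, is actually inspected so that an error such as an unauthorised username is reported instead of being silently printed and ignored. The past_sunset helper shows the clock comparison the sunset script needs, done on (hour, minute) pairs. The sample replies in the usage notes are constructed.

```python
"""Philips Hue (API v1) helper: build a state body, PUT it, and read the bridge's reply.

Added example, not code from the original post or from Philips. Bridge host and API
username are read from the environment; the defaults are placeholders."""
import json
import os
import urllib.error
import urllib.request

BRIDGE_HOST = os.environ.get("HUE_BRIDGE", "bridgeurl")  # placeholder: hostname/IP of your bridge
API_KEY = os.environ.get("HUE_API_KEY", "apikey")        # placeholder: username created on the bridge

# Documented Hue v1 ranges: bri 1..254, sat 0..254, hue 0..65535
RANGES = {"bri": (1, 254), "sat": (0, 254), "hue": (0, 65535)}


def light_state(on: bool = True, **values) -> dict:
    """Build a /state body, rejecting values outside the documented ranges rather than
    leaving it to the bridge to decide what to do with them."""
    body = {"on": on}
    for key, value in values.items():
        if key not in RANGES:
            raise ValueError(f"unsupported attribute {key!r}")
        lo, hi = RANGES[key]
        if not isinstance(value, int) or not lo <= value <= hi:
            raise ValueError(f"{key}={value!r} outside {lo}..{hi}")
        body[key] = value
    return body


def parse_bridge_reply(reply: list) -> list:
    """The bridge answers with a list of {'success': {...}} / {'error': {...}} items.
    Return the (address, value) pairs it applied; raise on any error item so a caller
    notices e.g. a bad username instead of assuming the light changed."""
    applied = []
    for item in reply:
        if "error" in item:
            err = item["error"]
            raise RuntimeError(f"bridge error type {err.get('type')} at "
                               f"{err.get('address')}: {err.get('description')}")
        applied.extend(item.get("success", {}).items())
    return applied


def set_light(light_id: int, body: dict, timeout: float = 5.0) -> list:
    """PUT the state body to one light and return the parsed reply."""
    url = f"http://{BRIDGE_HOST}/api/{API_KEY}/lights/{light_id}/state"
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="PUT",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_bridge_reply(json.load(resp))


def past_sunset(now_hhmm: str, sunset_hhmm: str) -> bool:
    """Compare two 'HH:MM' clock times as (hour, minute) pairs, so 17:05 is handled
    correctly (a plain join of hour and minute digits would give 175)."""
    def split(t: str):
        h, m = t.split(":")
        return int(h), int(m)
    return split(now_hhmm) >= split(sunset_hhmm)


if __name__ == "__main__":
    try:
        print(set_light(1, light_state(sat=220, bri=26, hue=34440)))
    except (urllib.error.URLError, RuntimeError) as exc:
        print("failed:", exc)
```

Run with HUE_BRIDGE and HUE_API_KEY set in the environment; the bridge replies to a successful PUT with one success item per attribute (for example a constructed reply of [{"success": {"/lights/1/state/on": true}}]), and parse_bridge_reply turns that into a list of (address, value) pairs, whereas an error item raises with the bridge's own type and description.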



Me, you and spies

I’ve been avoiding writing about the Snowden revelations since they started appearing, mostly because people that are much more eloquent than I have said pretty much everything already. However, I was at the JANET CSIRT conference this week and I was inspired by a talk from @stephenbonner and felt I ought to add my voice as one of the ‘good guys’ in infosec out there, even if it is just shouting into a void.

Stephen Bonner suggested, and I feel he’s right in this, that the majority of money sloshing around the infosec world is spent on offensive capabilities ($50bn in the US, £2bn for the entire UK ‘single intelligence account’) and that therefore their voice is loudest. Those of us whose budgets are tiny often have to defend organisations that have much higher turnovers and assets. The force multiplier works to our disadvantage: we have to do a lot with less whereas members of three-letter-agencies can spend huge sums to achieve relatively little.

To put it on record, albeit after the fact, I don’t think anyone is massively surprised about the extent of government intrusion into our lives, it’s just that we’re surprised how accurate the tin-foil-hat-wearing brigade were. Within my organisation we’ve been warning against putting sensitive data (or indeed any data without adequate protection) into cloud services for exactly this reason; we just didn’t feel comfortable that things like the Patriot Act gave governments carte-blanche if they just uttered the magic password ‘terrorists!’

But what about the terrorists?!

I don’t want to downplay the effect on people’s lives that murder and mayhem cause: I remember being abroad during the 7/7 London tube bombings, and being unable to get hold of my husband made me sick with worry; I remember the constant fear the IRA instilled during the 90s. But terrorism is just that – an attempt to bully and threaten by exaggerating your abilities through fear.

The UK has an independent reviewer of terrorist legislation whose job is to provide a degree of balance in the argument. They are entitled to view secret data not available to the public or parliament and are therefore perfectly placed to dispassionately analyse how terror laws work and whether they are proportional.

In their 2012 report they were able to report that the annualised rate of mortality from terrorism in the UK, over the course of the 21st century (so including the tube attacks), is 5 deaths per year. To put this into context there are 5 deaths on UK roads every day and there are more deaths from stinging insects each year than from terrorists.

Governments have a responsibility to protect their citizens, I get that. I’m also not naive enough to believe that some secrecy in a society isn’t necessary, but this is about balance, and we have it way wrong.

“The threat of terrorism is, no doubt, sometimes exaggerated for political or commercial purposes. It is certainly a powerful rallying-cry for the flourishing security and surveillance industries.” – David Anderson QC, Independent Reviewer of Terrorism Legislation

This is all legal!

We’ve had a debate in the UK twice about the security services storing all of the internets. On both occasions we – as a democracy – decided that on balance our privacy and liberty won out against the risk of not detecting all of the bad guys.

In the US, where a mock court pretends it’s providing oversight, the NSA decided that the Prism programme wasn’t actually convenient and that it was far easier to compromise the internal data centre networks at Yahoo and Google instead. A private citizen hacking a company is, rightly, punished with years in jail, but if a government does it, that’s somehow ok?

GCHQ aren’t even sure if what they’re doing is legal. If you have any doubts about the ethics of what you’re up to, I reckon you’re probably on the wrong side, but hey, it’s not like they don’t have form in usurping scrutiny and due process.

It’s only metadata

OK, two things:

1) I can learn an awful lot from who you email, what the subject lines are, what websites you visit and what search terms you use. It’s said that Google knows you’re gay before you even realise it yourself, and although that might not be accurate, I’m not convinced I want any government storing a giant database of my friends, sexual desires and allergies. If you don’t think this is in itself a problem, how would you feel about CCing every email to me, or maybe getting changed with the curtains open in your bedroom? Probably not great, I’d guess – fancy 1.4m people with top secret clearance having access to that? But it’s not as if they’d use that privilege to actually check out prospective dates or their spouses.

2) GCHQ have decided to store everything anyway. Even though we had debates, twice, about just storing metadata, GCHQ hoover up the whole lot, content and all, under a program called Tempora. The internet’s quite big so they can only store it all for three days, but they then go and select for things of interest and store them for much longer. On a technical level, this is absolutely mind-blowingly-cool, but just because you can do it doesn’t mean you should.

We’re protecting you really

Whilst we’re busy building new “cyber reserve units” to attack we’re not putting a great deal of investment into things like the CPNI. And isn’t there a bit of a conflict of interest – one arm of government telling you to do one thing to protect and the other actively working to subvert that? I’m not entirely sure what monitoring Angela Merkel’s phones has to do with terrorism either.

To make life easier, standards have been subverted and backdoors introduced into major pieces of infrastructure through the Bullrun and Edgehill programs. It’s double standards to complain that Huawei might be up to the same tricks, and of course this then leaves those same flaws open to exploit by the bad guys too.

Secret three-letter-agencies have become self-perpetuating industries; they exist only to prolong their own existence. To do this they have to fight for budget. To justify that, they have to bring in product. Counter terrorism is one of those roles for sure, but their political paymasters aren’t likely to turn down information that helps them at a negotiating table either, just as long as they don’t want to know exactly how they came by it.

What can we do?

Under sustained attack by governments, there’s not a great deal anyone can do, it’s just a matter of time, but we can make it harder for them. We can do better at defending our own networks. We need to make it easier to use encryption by default: the maths is sound even if some implementations are broken. We need to think carefully about cloud computing and take service from those companies that are able to preserve our privacy and ignore those that don’t. Take your business away from US & UK computing firms and they will quickly pressure the politicians. Make it more expensive for the NSA & GCHQ to do their jobs and their paymasters will eventually baulk at the cost.

The previous generation to mine started the internet and considered it a kind of utopia free from interference. The internet is broken and we need a new one.

Show me the data

I was published in the BMJ today, having been asked to write an expanded version of this blog post.


Personal View

I’m a patient: show me the trial data

BMJ 2013; 346 doi: (Published 16 April 2013)

Cite this as: BMJ 2013;346:f2336

The patient Alex Lomas is taking a biological drug for Crohn’s disease, and he wants to know why the maker is trying to prevent disclosure of trial data that may well affect him

I have an obsession with data. I have instruments in my house so I know how hot each room is and to warn me if the fridge door has been open for too long. I record my weight and blood pressure using devices connected to the internet so that I can monitor long term trends. I use my smartphone to track how much walking and exercise I do.

I was diagnosed with Crohn’s disease about 20 years ago, when awareness of inflammatory bowel diseases was not as high as it is today.1 The treatment decisions made at the time of my diagnosis had unfortunate side effects for me as a teenager. High doses of prednisolone led to Cushing’s syndrome, and I was mercilessly teased about my appearance at school. With time came a reduction in the dose of steroids required, but I had to take them throughout my 20s, and control of my symptoms was still inadequate.

As a patient with Crohn’s disease, I take an active interest in my day-to-day health, but I also routinely scan news media and journal sites for new treatments and for changes to current best practice in the management of my condition. I often arrive at appointments with my consultant armed with PDFs printed from the BMJ, the Cochrane Collaboration, and the National Institute for Health and Care Excellence (NICE) to discuss the latest trials and treatment options. Yes, I’m afraid I’m one of those patients.

Three years ago my consultant suggested a new course of treatment with adalimumab (Humira), an anti-TNFα monoclonal antibody. My local primary care trust approved this new drug, which costs £352 per injection, and which I administer myself by injection each fortnight.2 Since I started taking adalimumab I have the least symptoms since diagnosis. I am no longer taking steroids; I have started to recover from 15 years of side effects; and I spend less time in clinical care and off work on sick leave.

However, anecdotes are not the foundation of evidence based medicine, and nor are they a rational basis for evaluating the cost of a treatment. On 1 April 2013 responsibility for commissioning transferred from my primary care trust to the local clinical commissioning group, bringing into sharp focus the question of whether the NHS is getting value for money in continuing my treatment.

Equally importantly, I want to be able to evaluate the benefits and risks of these costly pharmaceuticals with which I inject myself regularly. Biologicals are relatively new, and have failed spectacularly in clinical trials.3 Who knows what 20 or 30 years of data from clinical use might bring? The most recent Cochrane review of biologicals looked at nine studies, and, although it found that they were effective, it noted that none of the trials allowed for an assessment of long term adverse events nor had any trials been undertaken that compared efficacy among the available biologicals.4 My consultant recently told me that no trials had been done to determine what the minimum effective dose of adalimumab was, nor would there likely ever be; a drug company has no interest in showing you can take less of something.

Part of NICE’s approval for the use of adalimumab in treating Crohn’s disease was the recommendation that a register of patients being treated with biologicals be set up to track long term outcomes and relapse rates after withdrawal of treatment, something patient groups welcomed.5 Unfortunately it seems that such registers are fragmented, with registers of patients with rheumatoid arthritis held independently from registers of patients with inflammatory bowel disease, or are still at pilot stage.6

As a patient, I need clinicians to interpret trial data and systematic reviews of new and existing treatments so we can come to appropriate decisions about my treatment, but what if even experts don’t get to see the whole picture? How can we even know what trials are being run?

I was therefore dismayed to learn that Abbvie, the maker of adalimumab, are seeking a legal injunction to prevent the European Medicines Agency from disclosing trial data submitted during the drug’s approval process.7 With such a new drug, it is vital that all data, whether it’s good news or bad, are made available so that I, my consultant, and the care commissioning group can make informed decisions about the efficacy and cost effectiveness of treatments.

As the drug industry and medical profession as a whole move towards the registration of all trials and the publication of all trial data, in no small way thanks to the All Trials initiative, this decision by Abbvie is a backwards step and is offensive to trial participants, patients, and the wider public who ultimately pick up the tab.




  • Competing interests: I have read and understood the BMJ Group policy on declaration of interests and have no relevant interests to declare.

  • Provenance and peer review: Not commissioned; not externally peer reviewed.


  1. Molodecky NA, Soon IS, Rabi DM, Ghali WA, Ferris M, Chernoff G, et al. Increasing incidence and prevalence of the inflammatory bowel diseases with time. Gastroenterology 2012;142:46-54.
  2. Adalimumab. British National Formulary.
  3. Goodyear M. Learning from the TGN1412 trial. BMJ 2006;0:38797.635012.47
  4. Behm BW, Bickston SJ. Tumor necrosis factor-alpha antibody for maintenance of remission in Crohn’s disease. Cochrane Database Syst Rev 2008;1:CD006893.
  5. NACC. A good decision from NICE on antiTNF treatments for Crohn’s disease. 2010.
  6. Alrubaiy L, Williams J, Morgan J. P422. The Biologics Register for inflammatory bowel disease in the UK: setting the clinical dataset and the IT infrastructure. ECCO, 2013.
  7. Kmietowicz Z. Drug firms take legal steps to prevent European regulator releasing data. BMJ 2013;346:f1636.