Two nights ago, I cancelled/refunded @HexWaxWing’s ticket to BSidesCharm.

I have always attempted to be fair and constantly questioning if my emotions are leading me down a bad path. Normally by discussing complicated issues with close trusted friends I prevent myself from allowing my emotions to control me, but this time I screwed up. I let my emotions dictate my actions rather than focusing on what is best for the event. Despite my attempts to do what is in the best interest for the information security community, I made a very poor decision.

Given my visible stress and anxiety over the last few years, I have stepped back from many things in the last year to try to help but I failed in this instance. I should never have let my personal issues affect her ability to actively participate in the infosec community. While Hexwaxwing has been refunded for her original ticket for BSidesCharm, I will be replacing it at my expense.

HexWaxWing:
I apologize for my poor decision. I was wrong to do that.

BSidesCharm:
I am sorry for the stress my mistake caused you.

TD;LR: Be cautious and if something doesn’t seem right, ask! Don’t be afraid to reach out and get help. There are many InfoSec folks that want to help. The community is strong—but in any community, bad things will happen! Don’t be afraid to stand up and speak out. Any noob that doesn’t post about technical content is questionable! Starting in InfoSec is hard and we are willing to help.

InfoSec Addicts

NoobSec
Earlier this year, a group appeared called “#n00bsec” or “@InfoSecN00bs“. The Twitter account appeared April 2017 and a Slack and substantial community followed. The idea of a group to aid anyone new to infosec by noobs meant a ton of focused assistance and time from those (in theory) trying to learn from each other and share resources/experiences. The group seemed to be run by @hacksforsnacks_ AKA Aaron McBee and @K_5m00th.

I first heard about @hacksforsnacks_ from his presentation in @BSidesSATX, then I heard about the #infosecn00bs group and was excited to help. As are a fair number of infosec professionals, I am very interested in making sure noobs get assistance—since I want to see more success and less front page headlines from breaches. I got help when I started and feel obligated to pass on the good karma. I worked with an academic group back in 2012-2013 to help create a national InfoSec group, and even went to “The Colloquium for Information Systems Security Education” Conference on behalf of CyberWatch (said Academic Group) to help push this effort forward.

Initially, I thought @hacksforsnacks_ was all of n00bsec, but I saw the group’s growth snowball over the coming months. Between Slack and Twitter, it took off! Then I heard @hacksforsnacks_ was going to be at @NolaCon and was excited to meet him—as he was becoming a really popular noob, seemingly helping folks get started. Sadly, those hopes were dashed when some confusion about flight cost in exchange for volunteering occurred. At Circle City Con, @hacksforsnacks_ appeared as a volunteer (which was cool to me, as I see volunteering at cons as a great way to meet people). Sadly, my hopes were somewhat dashed when he showed a somewhat elitist attitude; I started to get worried for n00bsec. However, I met @BretMattingly, a member of n00bsec, and was quite excited since his talk on curiosity at Circle City Con matched my current research interests perfectly. (On the way to Circle City Con, I had done a close reading of a Carnegie Mellon research paper on curiosity.) At Circle City Con, @hacksforsnacks_ seemed determined to make a fool of himself as he made several statements that seemed far-fetched and turned out to be lies, which led me to be more concerned about the group. I got very concerned for the future of n00bsec and I really do want to see new folks be successful— especially the ones that are truly curious, as it is such an important personality trait within infosec.

When n00bsec started a Kickstarter to fund noobs going to Hacker Summer Camp, I had rather mixed feelings. I strongly believe everyone should start with local events and meet some folks first. This makes the summer camp trip so much more valuable! (And having someone else to go with to Vegas also makes it far more friendly!) After it was all said and done, I heard the concerning news that issues with money came up and Bret made a safe decision when things went wrong to refund the money. Bret caught a lot of heat for the decision, but given what he said in the posts below, I believe he made the right decision. The following stream was after Hacker Summer Camp, but the events occurred before.

As we approached “Hacker Summer Camp” (AKA Black Hat/BSidesLV/DEFCON), things blew up. One of my students won a BlackHat scholarship from a VP at Microsoft was relying on @hacksforsnacks_ for a room, but the day before he was supposed to fly out, @hacksforsnacks_ finally informed my student that no longer had a place to stay in Las Vegas. Panic ensued. I ended up covering my student’s room to get him the opportunity for his first BlackHat then I got him a DEFCON badge as well. However, I was and still am really annoyed.

On July 29th, Marcus Carey came out with the first public declaration of the n00bsec issue from an established member of the infosec community:

On Sunday, the last day of DEFCON, I heard that @hacksforsnacks_ had been escorted from the hotel for sexual harassment. I have heard all kinds of negative rumors about the leaders of n00bsec using the group for inappropriate behavior.
@AwfulyPrideful tweeted at DEFCON to remove @hacksforsnacks_ for terrifying another attendee:

A few minutes later, Matt Parker tweeted his experience hanging out with @hacksforsnacks_ at Circle City Con:

Rumors of @hacksforsnacks_ convincing InfoSec professionals to “help him out” by covering everything from flights to his cell phone bill and rent. It amazes me how successful he was at scamming professionals trying to help noobs—and it bothers me how much damage this has done to our community. One of the many examples below:

Repeatedly, I’ve heard about use of the n00bsec group for sexual harassment. Most of these rumors had focused on @K_5m00th after he claimed @hacksforsnacks_ was innocent, but even that turned out to be incorrect. @K_5m00th was implicated in sexual harassment at several events and more. I was not present and don’t have details; One person sharing their story gets the ball rolling, If you were a victim, please send a message—anonymously, if you need to. A member of NoobSec stated clearly in DM that he made several members uncomfortable through his actions within the group:

**Update**
A Victim has already mentioned being harassed at the BSidesLV party as to where her boyfriend was and why he wasn’t with her. @K_5m00th and a friend apparently bothered her around for ~20 minutes bothering her, asking various versions of where her boyfriend was and if she was available, as she attempted to steer the conversation to NoobSec. He seemed determined to ask about her personal life despite her attempts to talk about NoobSec, he showed no interest.
**

**Update 2**
AwfulyPrideful had given warning before Defcon about the behavior of @K_5m00th:

She then gave a larger press release about the concerns. Then she wrote a post on how to Fix the Problem with NoobSec.
**

On August 16th, @K_5m00th tried to redeem himself for his offensive actions with the following:

**Update 2**
AwfulyPrideful analyzed and responded to @K_5m00th “apology” in her blog. I get the impression the post was made under pressure, but that is an opinion.
**

After issuing claiming “I’ll be issuing a public statement later :)” on July 30th, @hacksforsnacks_‘s Twitter account has gone silent.

There was actually a lot of discussion about having new leadership for n00bsec, but I think a new brand is needed since so much negativity occurred. Several people have showed interest in helping to rebuild a similar group focused on ethics and helping noobs: @SushiDude, @Dan_Crowley & @MarkusJCarey and more that haven’t tweeted about it, but have said in person they want to make something safe..

Brake Sec PodCast offered to have any noobs use their slack. (invites: https://brakesec.signup.team) InfoSec Mentors Project focuses on connecting mentors with Mentees. Here is my own resource for starting infosec.

InfoSecAddicts
So in the past, I posted a detailed coverage of my story being scammed by Joe McCray and have since had numerous requests from Joe through several people to remove the post as the information has warded off enough people to for him to start a new brand: InfoSec Addicts (infosecaddicts.com & @infosecaddicts) as of September 2016 (for the Twitter account, at least). From what I can tell, it still seems like Joe. I say: be wary based on Joe’s performance with Strategic Security…that said, I have no stories on InfoSec Addicts slighting anyone as yet. See previous experiences of Joe’s classes for background.

Back to the top

After some friends complained they also got screwed over, I felt it was finally time to write about a trainer that has wronged many.

While looking for some reasonable training, I found Joe Mccray, Strategic Security, that seemed to be supporting the community and offering inexpensive rates. I even spoke with a local person that had worked with him as a “Security Rookie” who said good things. Despite my better judgement about paying for semi-intro classes, I decided to try a class. I learned to trust my judgement more on training.

I signed up for “Catch Me If You Can: Bypassing AV/HIPS/NIPS Online Workshop” in August of 2013. This was supposed to run noon until 4pm on August 17th and 18th. I confirmed regardless of the errors on the initial email sent as well as the fact video’s of both days would be sent.

At the end of the day, he sent out a txt file with some of the commands used and promised he would send out the videos shortly. He also sent information created by a group called Web Application Security Consortium. These were solid resources albiet being a few years old at the time of distribution.

At the end of the first day, he sent a invite to the second day with the wrong times listed (he had noon until 10pm instead of noon until 4pm). Regardless, I confirmed again the times for the following day and asked when he would release the video for day 1. He confirmed the times for Day 2. An hour before Day 2 was scheduled to start, he sent a email:

“I’m sorry to have to do this on such short notice. But I’m leaving for the airport right now. I have to help a customer with a compromise so I will not be able to run this class today. Please accept my sincerest apology as I know several of you are in other timezones and that makes attending this workshop very difficult. I promise I will make it up to you.

Again, please accept my apology and I’ll see you next week.

BTW…yesterday’s video and class notes I’ll take care of sending to you when I get off the plane and get to my hotel later tonight.”

I was annoyed, but didn’t make a big deal of it as emergencies can happen. He sent out a invite for the following week with again the wrong times (he had noon until 10pm instead of noon until 4pm). On 8/26, the supposed make-up day, he didn’t show up. A few days later, I emailed and again asked for the video’s from day 1 and when the makeup would occur.

Rather then complete the session promised, he decided to replace day 2 with another class he had made. This one on a completely different subject and during the week instead of on the weekend like the original. So two weeks after the class was supposed to have occurred, he never sent out the rest of the info from class 1 and never had class 2. He also had only offered to move into a different class.

The make-up class he offered got pushed back a additional week as well. Then he ended up canceling class one of the days due to a “network outage”.

I still have yet to receive the video from the first class and have long since given up on it. I told him the way things were handled were poor at best with no response. Over the 1.5 years since, dozens of people have told me similar stories of being severely disappointed with his unprofessionalism. One of his own friends went as far as to apologize to me and tell me Joe is a good person, but a “terrible person to do business with”. I have heard numerous stories from friends that he repeatedly cancelled classes, didn’t share materials and was just generally unprofessional considering he is charging money for his trainings. I have encountered numerous trainers that have been significantly more professional in free classes then he was in classes he charges money for.

Additional instances of people publicizing their issues with his content or teaching:

• A significant portion of the content from a paid webinar were stolen from Exploit Lab without credit or permission (see: http://blog.exploitlab.net/2013/02/defending-our-work-part-2-exploit-lab.html ) as well as covering some of the concepts incorrectly.

  Some of the comments show the kind of person Joe is and the type of work you can expect from him:

  • “msploit12 February 2013 at 12:52
    I’m incredibly happy to hear someone has finally outed strategicsec. Over the past year I’ve watched a lot of things unfold with Joe McCray. You just have to look at his security rookies ‘program’ to understand what hes up to. His unpaid ‘rookies’ have in many cases preformed recon for actual pentests. Hmm unpaid people doing for the benefit of a company, yep thats a violation of labor laws. I also have personal knowledge of Joe linking to and hosting pirated books and courseware for his ‘rookies’ and other people. He also has his ‘illegally unpaid’ rookies put together some of his class material which is sold.”
  • Another former ‘rookie’ commented:
    “throw away13 February 2013 at 00:25
    As a former ‘rookie’ I can attest to this. Under the guise of giving us ‘real world’ experience he is essentially getting free labor and charging the clients for his (really our) time. Rookies are tasked with creating his training material which usually involved him providing a ‘rough draft’ and us fixing errors and importing it to his letterhead. Often, when having to research the problems we found that the material was pirated from SANS reading room, GIAC Gold papers, or other publicly available sources with no attribution to the original source or author. There was some original content generated, but it was far and few between and almost always created by unpaid ‘interns’ that was in turn sold through his training programs.”
• Another former ‘rookie’ said via Twitter DM when asked about the program:
  “I bailed pretty early. After a couple weeks of working for free, I stopped. It was obvious he was just trying to take advantage.”
• More Recently, someone commented some more issues ( http://nathanheafner.com/home/2014/02/17/in-depth-and-personal-infosec-training-thats-affordable/ – sadly the comments show mixed results )

  **Update – Nathan’s site seems to have gone offline so I swapped to Wayback Machine

  “Michael • 2 months ago
  You must have got in early. I’m in the middle of taking a class with Joe now (Pentest candidate program). He advertised the classes as being Monday and Wednesday, 7-9pm for December-February. However he has already cancelled 7 classes, and most of the other ones were only about an hour in length. Some members of the class are saying it’s a scam, others are saying he’s just winging it.

  Either way, I would strongly advise anyone against taking classes with Joe.”

• A friend that was in the Security Rookies program said that Joe used them to write his material and do unpaid work for his company. You can get some experience, but at the cost of being used.

Someone from CarolinaCon adamantly defended Joe as he was criticized on Reddit

While Joe may be knowledgable, I compiled these stories so people understand what they are getting into. If you are looking at the Security Rookies Program, there are people that have gotten a lot from it, but it is at the cost of being used. Some people have had a positive experience… While I am bitter and would never do business with Joe or recommend anyone else do so, he is knowledgable and he has given opportunities to some that are not easily obtained…

=====================================================================
A friend just shared another story with me:

On December 1st Strategic Security will launch the Pentest Candidate Program. This program is designed to satisfy the basic requirements to be a penetration tester. The program covers the common technical requirements, common soft skill requirements, and via a partnership with several penetration testing firms the top candidates will be given job interviews at the end of the program for a remote penetrating testing position (remote meaning you can work from home).

If you already have a US Security clearance, currently live in the DC, Maryland, Virginia area and you are one of the top candidates you may be given the opportunity to interview for a cleared penetration testing position.
This is your chance. If you REALLY want to become a penetration tester then this is the perfect combination of training, mentorship, and opportunity.

What is covered in the program?
This program is hard, but rewarding. It covers the following subject areas:

Command-Line Kung Fu
Linux Command-Line Fundamentals
Windows Command-Line Fundamentals

Network Penetration Testing
Scoping a penetration test
Performing a penetration test
Reporting penetration test findings

Web Application Penetration Testing
Scoping a web application penetration test
Performing a web application penetration test
Reporting web application penetration test findings

Python For InfoSec Professionals
Log parsing with Python
Pcap parsing with Python
Network testing with Python
Web App testing with Python

Preparing for a job as a Penetration Tester
Resume assistance
Assistance with building a portfolio based on this program
Mock interview
Interviews with up to 15 Penetration Testing firms for top candidates
Interviews with up to 5 DoD contractors for top cleared candidates

How is the program delivered?
On Monday of each week you will be assigned a set of tasks that required to be completed by Sunday at midnight EST. These tasks usually include:
Required reading
Required videos to watch
Required lab exercises to perform
On Mondays and Wednesdays from 7-9pm EST a live online training session/QA period will be held. The sessions will be recorded each day so you do not have to worry if there are scheduling issues.

The program will run from December to February (3 months) with job interviews for top candidates being held in March.

The program cost is $150 per month for 3 months, or $300 as a 1-time fee for the program.

This class is only $300 so signup now!

Example on how he still cancels classes.

Guys, I am really sorry but I have a family emergency to tend to. I will double the length of tomorrow’s class to cover for tonight.

He claimed he had partnerships in his advertisement email:

The program covers the common technical requirements, common soft skill requirements, and via a partnership with several penetration testing firms the top candidates will be given job interviews at the end of the program for a remote penetrating testing position (remote meaning you can work from home).

Preparing for a job as a Penetration Tester
* Resume assistance
* Assistance with building a portfolio based on this program
* Mock interview
* Interviews with up to 15 Penetration Testing firms for top candidates
* Interviews with up to 5 DoD contractors for top cleared candidates

Participants commentary on that:

As part of the class…he advertised that the students in the DMV area could get jobs afterwards if they performed well in the course. The only thing he did in that regard was have HR professionals present the skills and credentials they look for when hiring infosec people. It didn’t appear that he really had jobs for these students….instead…just provided some information on how to get jobs (which is far from the same thing)

Your first challenge:
Use the OSINT_Innophos doc as a reference and perform/document an OSINT assessment against any one of the following companies:

NSA
HSBC
Coke
Exxon Mobil
KPMG
Accenture
NewYork-Presbyterian Hospital
Kroger
Dillard’s
Royal Caribbean International

Tools
Here are some tools that I think you should consider using for this challenge:

FOCA
Maltego
Search Diggity
ShodanHQ
Firefox PassiveRecon
EDGAR
theHarvester
gxfr.py
VisualRoute
Recon-NG

Now I am not a pen tester, but suggesting people preform OSINT on the NSA is a really bad idea, even passive recon. The last block quote was straight from an email from Joe.

We didn’t receive feedback on their OSINT assignment. I don’t want to assume….but…I would guess that McCray probably rarely hands out feedback (but..thats an assumption and not based on factual evidence)… I help with OSINT report around 12/6-12/14 on a company. Used google docs. I dont know how well we did.

The PPT attachment shows Joe canceling 4 classes (assuming I counted correctly) and he asked the students to help him with one of his *real life pentests* Im assuming he was doing for his business.

The Hangout is a chat with the people in the class. It first starts off with everyone trying to solve problems together and quickly takes a turn where people are asking if class will ever be held again.

No feedback on the sketchy assignment. Canceling ~15% of the classes; 4 classes out of 26. He had excuses each time, but after reading all the various stories, I keep hearing about cancellations including 50% of the classes I had with him.

Update 12/20/2019: I got a twitter DM about a new CEH class story via Security Ninja

I’ve been in a course with Joe McCray this week and came across your blog post. Do you still hear concerns over his material? Some things feel a little fishy and I wanted to reach out.

He gave us access to exam questions he’s purchased on vcetrainer.com. He shared his credentials with the class. This morning he gave us a copy of the exam, while taking the real exam. He instructed us not to finish faster than 90 minutes.

Class is through Security Ninja

If you wish to contribute a story, just submit it as a comment or send it to me, good or bad!