From: Neale Pickett
To: RCPT
Subject: Tracer FIRE: Network Archaeology Information

Welcome to the Network Archaeology course!

Your token is: TOKEN. Please write this down, but protect it as
though it were a password.

Summary
-------

* 8-11 AM and 1-4 PM (US/Mountain), Mon Feb 4 - Tue Feb 5
* Get started at http://tf5.lanl.gov/netarch.html
* Work at your own pace, using tutorial videos on YouTube
* Connect to irc://irc.oftc.net/netarch for Q/A
* Use your token (TOKEN) to ask questions and check lab answers

IRC is going to be the biggest challenge for some participants. We
urge you to connect to IRC and test the channel moderation bot before
Monday, since we won't be able to help you get connected during the
course.

What to Expect
--------------

Network Archaeology is a self-paced course, consisting of tutorial
labs and video tutorials on YouTube. Instructors are available on IRC
(Internet Relay Chat) to answer questions and provide help as you work
through the labs at your own speed.

When the course begins Monday morning at 8:00AM US/Mountain, log on to
IRC, then check the web page at http://tf5.lanl.gov/netarch.html for
links to the lab server, an introductory video, and tutorial videos on
YouTube.

After the first 8 labs, we expect you to figure out on your own how to
approach and solve problems. We will update the page at
http://tf5.lanl.gov/netarch.html with links to more tutorial videos to
keep you from getting stuck, though.

You will see questions and answers in the IRC channel. When you have a
question of your own, message the moderator from your IRC client:

    /msg netarch-moderator TOKEN What does = mean in base64?

Course requirements
-------------------

You need:

* A laptop with Linux or MacOS (Linux preferred, inside a VM is fine)
* Wireshark
* tcpdump
* tcpflow
* gcc and make
* python3
* A plain text or code editor, such as gedit
* An IRC client such as xchat or pidgin

Please have all your software installed and ready to go when the
course begins.
We will not be available to help with software installation.

Connecting to IRC
-----------------

IRC is the technology used by NNSA's Tracer group for collaborative
incident response, and it will soon be used by DOE's NSM group as
well. If you have never used IRC before, we urge you to test it out
before Monday.

Neither Patrick nor Neale will be available to provide assistance
connecting to IRC after the course begins: please familiarize yourself
with IRC before Monday.

If you are on LANL's collab IRC server, you may join channel #tf5
right now; I am in the channel and would be happy to chat with you.
The collab channel is unmoderated; you may ask questions right in the
channel. You can skip the rest of the IRC sections.

If you are not on LANL's collab IRC server, or don't know what that
means, you need to connect to the moderated channel on OFTC. You may
install any IRC client you like--I use xchat--and tell it to connect
to the OFTC network (irc.oftc.net).

If you can't connect to IRC with an installed client, you may have
better luck with the web-based Mibbit (http://www.mibbit.com/).
Remember to select the OFTC network, and to put # in front of channel
names.

IRC Channels
------------

There are two OFTC channels for the course: #tf5 and #netarch.

#tf5 is an unmoderated channel for all Tracer FIRE 5 participants. You
may be able to get help from other people (not the instructors) in
#tf5. You don't have to join #tf5, though: it's optional.

#netarch is the course channel, and is moderated. Questions must be
sent to netarch-moderator, with your token. For example:

    /msg netarch-moderator TOKEN How do I start a Python shell?

netarch-moderator will reply saying it has put your question in the
queue, and it will send your question to #netarch when the instructors
are ready. If you provide an invalid token, or don't provide a token
at all, the moderator will not respond.

Testing your IRC connection
---------------------------

I implore you to connect to IRC right now, join #netarch, and make
sure you understand how to send messages to the moderator. You can
verify that the moderator sees your token by typing:

    /msg netarch-moderator TOKEN test

Where to go for technical support
---------------------------------

Due to the number of participants we have this year, we will not be
able to provide any technical support outside of helping you work
through labs. There will be people in the #tf5 IRC channel who may be
willing to assist you if you ask nicely.

For this reason, it is very important that you have figured out how to
connect to IRC before Monday. There are many resources on the Internet
to help you with this.

A few of you will be unable to connect to IRC, even after going over
the instructions in this email carefully. I apologize in advance for
being unable to help you get connected during the course.

About your Instructors
----------------------

Neale Pickett, Los Alamos National Laboratory

Neale created the network archaeology toolkit for python, and is the
principal organizer of Tracer FIRE. He has been involved in several
high-profile incident response efforts across DOE/NNSA since 2005, and
has been teaching this course since 2010.

Patrick Avery, Pantex Plant

Patrick, a former and current student of Neale, is one of the biggest
advertisers of the network archaeology toolkit -- singing its glory
from the mountaintops. He has been involved in several high-profile
incident response efforts across DOE/NNSA since 2009 and has been
assisting with this course since 2011.

The Tracer FIRE Registration and Moderation Fairies

The Tracer FIRE Fairies are new in 2013. The Registration Fairy is
sorry for sending so many emails, and the Moderation Fairy is sorry
you lost your token (which is TOKEN).