What is JSON Web Token (JWT)
JWT basics illustrated and explained.
Not like the spitting up green pea soup exorcism but Exercism.io, one of many great resources for learning programming languages by solving actual problems. Similar to Ruby Koans, you are given a programming problem to solve and a set of unit tests. Your challenge is to make all the tests pass by writing code (à la TDD). As you write your code and run your tests you may be given hints leading towards a solution or you may have to just figure it out on your own. Once all your tests are passing, you publish your code to the Exercism site where others can review it and you can see other people's solutions for the same problems. I've learned more by reviewing other people's code than from all the books and blog posts I've read.
A basic tutorial about the Linux commands ssh and scp. It explains the syntax, what each command can do, and how the two differ. It also includes some tips and tricks that come in handy when working with these programs.
The Mad Philosopher » ssh keep-alive tip
Whenever I log in remotely to my machine in Canada, the ssh session dies after a while if I don't actively type something. This is not the server timing out, but rather the TCP connection hanging. Figuring out a way to keep sending it keystrokes automatically is beyond my ability, but I found out that I could just have it send me data continually, and that works just as well to keep the terminal session alive. The following Bourne Shell loop works:
Here is a collection of security tools that you should look through to add to your arsenal, to help keep the peace on your PC/network or unleash war on others for whatever reason.
Most of these are command-line tools which need to be invoked via the Terminal (Applications -> Accessories -> Terminal).
Apple - Support - Security Configuration Guides
The Security Configuration Guides provide an overview of features in Mac OS X that can be used to enhance security, known as hardening your computer.
The guides are designed to give instructions and recommendations for securing Mac OS X and for maintaining a secure computer.
To use these guides, you should be an experienced Mac OS X user, be familiar with the Mac OS X user interface, and have at least some experience using the Terminal application’s command-line interface. You should also be familiar with basic networking concepts.
Wfuzz - A Tool for Bruteforcing/Fuzzing Web Applications | Darknet - The Darkside
Wfuzz is a tool designed for bruteforcing web applications. It can be used for finding unlinked resources (directories, servlets, scripts, etc.), bruteforcing GET and POST parameters to check for different kinds of injection (SQL, XSS, LDAP, etc.), bruteforcing form parameters (user/password), fuzzing, and so on.
As heard on the pauldotcom.com podcast.
Maltego - Paterva: A new train of thought
Maltego is a program that can be used to determine the relationships and real world links between:
  People
  Groups of people (social networks)
  Companies
  Organizations
  Web sites
  Internet infrastructure such as domains, DNS names, netblocks and IP addresses
  Phrases
  Affiliations
  Documents and files
These entities are linked using open source intelligence.
Using Rsync and SSH by Troy Johnson of troy.jdmz.net
I like to backup some logging, mail, and configuration information sometimes on hosts across the network and Internet, and here is a way I have found to do it. You'll need these packages installed:
  * rsync
  * openssh
  * cron (or vixie-cron)
Please note these instructions may be specific to Red Hat Linux versions 7.3, 9, and Fedora Core 3, but I hope they won't be too hard to adapt to almost any *NIX type OS. The man pages for 'ssh' and 'rsync' should be helpful to you if you need to change some things (use the "man ssh" and "man rsync" commands).
First, I'll define some variables. In my explanation, I will be synchronizing files (copying only new or changed files) one way, and I will be starting this process from the host I want to copy things to. In other words, I will be syncing files from /remote/dir/ on remotehost, as remoteuser, to /this/dir/ on thishost, as thisuser.
I want to make sure that 'rsync' over 'ssh' works at all before I begin to automate the process, so I test it first as thisuser:
    $ rsync -avz -e ssh remoteuser@remotehost:/remote/dir /this/dir/
and type in remoteuser@remotehost's password when prompted. I do need to make sure that remoteuser has read permissions to /remote/dir/ on remotehost, and that thisuser has write permissions to /this/dir/ on thishost. Also, 'rsync' and 'ssh' should be in thisuser's path (use "which ssh" and "which rsync"), 'rsync' should be in remoteuser's path, and 'sshd' should be running on remotehost.
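Once the manual test works, the usual next step is to automate the pull with a passwordless key, and the security-relevant part is restricting what that key may do on remotehost. The script below is an added example, not the article's own script: it is meant to be installed as the forced command of the backup key in remoteuser's ~/.ssh/authorized_keys, so sshd hands the client's requested command to it in SSH_ORIGINAL_COMMAND and it only runs the read-only server side of an rsync pull from /remote/dir. The ALLOWED_DIR value, the script path and the authorized_keys line in the comment are assumptions chosen to match the article's variables.

```shell
#!/bin/sh
# validate-rsync (added example, not the article's script).
# Install on remotehost as the forced command of the backup key, e.g. in
# /home/remoteuser/.ssh/authorized_keys (line assumed for illustration):
#   command="/home/remoteuser/bin/validate-rsync",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAA... thisuser@thishost
# sshd then puts the client's requested command in SSH_ORIGINAL_COMMAND
# instead of running it, and this script decides whether to run it.

ALLOWED_DIR="/remote/dir"   # the only tree the key may read (assumed)

# validate_rsync_command CMD
# Returns 0 if CMD is the server side of a pull ("rsync --server --sender ...")
# whose source path lies inside ALLOWED_DIR, 1 otherwise.
validate_rsync_command() {
    cmd=$1
    nl='
'
    # Anything that could reach a shell is rejected outright.
    case "$cmd" in *"$nl"*) return 1 ;; esac
    if printf '%s' "$cmd" | grep -q '[;&|`$()<>\\]'; then
        return 1
    fi
    # Only the sender role is allowed: a plain "rsync --server" would let the
    # client write into remotehost instead of reading from it.
    case "$cmd" in
        "rsync --server --sender "*) ;;
        *) return 1 ;;
    esac
    # rsync passes the source path last; keep it inside ALLOWED_DIR, no "..".
    last=${cmd##* }
    case "$last" in *..*) return 1 ;; esac
    case "$last" in
        "$ALLOWED_DIR"|"$ALLOWED_DIR"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Forced-command entry point: run only what passes validation.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if validate_rsync_command "$SSH_ORIGINAL_COMMAND"; then
        set -f                       # no globbing of the validated words
        exec $SSH_ORIGINAL_COMMAND   # intentionally unquoted: word-split
    fi
    echo "Rejected: $SSH_ORIGINAL_COMMAND" >&2
    exit 1
fi
```

With the key in place, the cron job on thishost runs the same rsync line as above with `-e "ssh -i /path/to/backup_key"`; trying anything else through that key, such as `ssh -i backup_key remoteuser@remotehost /bin/ls`, gets the "Rejected" reply. The exact option string rsync sends after `--sender` varies between rsync versions, which is why the check pins the role and the path rather than the full command line.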
SANS Technology Institute: Interview with Charles Edge
How did you first get interested in information security?
It seems like I've been interested in security since I started playing with computers. It was always about trying to push the limits of what could be done. As I moved through the various phases of an IT career my interest just grew. At the University of Georgia and then in enterprise environments that I worked at when I first got out of school there was a lot of infrastructure being built out, but not a lot of interest in security. This is about the time that I found Def Con, 2600 and Black Hat, and became part of that community. Once I got a little involved in those the interest seemed to grow exponentially. Then, when I got involved in networking Macs in the Entertainment Industry, these interests came together. Now I see the hacker community as somewhat of a protector, finding flaws so they aren't discovered by people with bad intentions and helping to make systems more secure for everyone.
macosxhints.com - OS X VPN client and Cisco ASA
Summary: This hint is for Network Engineers who want their firewalls to accept VPN connections from standard OS X L2TP / IPSec clients (should also work for Windows and Linux clients). If you are not a network engineer, but are having trouble connecting to one of these devices, you can also forward this tip to your company's "firewall person," so that they can fix it.
LDAP Authentication In Linux | HowtoForge - Linux Howtos and Tutorials
This howto will show you how to store your users in LDAP and authenticate some of the services against it. I will not show how to install particular packages, as it is distribution/system dependent. I will focus on "pure" configuration of all components needed to have LDAP authentication/storage of users.
Learn the best way to batten down the hatches on your servers without going too far. By Kenton Gardinier for ftponline.com
Windows Server 2003 Terminal Services in terminal server mode can be run in either the Full Security or Relaxed Security compatibility mode to meet your organization's security policy and application requirements. Full Security mode was created to help lock down the terminal server environment to reduce the risk of users mistakenly installing software or inadvertently disabling the terminal server by moving directories or deleting registry keys. This mode can be used for most certified terminal server applications.
Respondents were allowed to list open source or commercial tools on any platform. Commercial tools are noted as such in the list below. Many of the descriptions were taken from the application home page or the Debian or Freshmeat package descriptions. I removed marketing fluff like "revolutionary" and "next generation". No votes for the Nmap Security Scanner were counted because the survey was taken on an Nmap mailing list. This audience also means that the list is slightly biased toward "attack" tools rather than defensive ones.
macosxhints - Modify Remote Login server to block scripted attacks
If you run a machine that is open to the public internet, and you open up SSH, then you've seen these entries in your system logs:
    Feb 10 07:07:36 localhost sshd[1078]: Illegal user matt from 210.127.248.158
    Feb 10 07:07:38 localhost sshd[1080]: Illegal user test from 210.127.248.158
    Feb 10 07:07:40 sshd[1082]: Illegal user operator from 210.127.248.158
    Feb 10 07:07:42 sshd[1084]: Illegal user wwwrun from 210.127.248.158
    Feb 10 07:07:52 sshd[1096]: Illegal user apache from 210.127.248.158
    Feb 10 07:07:59 sshd[1104]: Failed password for root from 210.127.248.158 port 58752 ssh2
    Feb 10 07:08:01 sshd[1106]: Failed password for root from 210.127.248.158 port 59136 ssh2
    Feb 10 07:08:03 sshd[1108]: Failed password for root from 210.127.248.158 port 59176 ssh2
    Feb 10 07:08:15 sshd[1122]: Failed password for root from 210.127.248.158 port 60606 ssh2
    …
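Before changing the Remote Login server, it helps to be able to pull the attacking addresses out of that log mechanically. The function below is an added example, not part of the hint: it counts "Illegal/Invalid user" and "Failed password" events per source address and prints the addresses at or above a threshold, most active first. The embedded sample log is constructed from the lines quoted above plus a second, low-volume address (192.0.2.77, a documentation-range address) and one successful login, so the threshold has something to filter; modern OpenSSH logs "Invalid user" where this excerpt says "Illegal user", and both are matched.

```shell
#!/bin/sh
# Added example: count sshd login failures per source address.

# Constructed sample: the entries from the excerpt above plus lines from a
# second address and one successful login, so the threshold has work to do.
SAMPLE_AUTH_LOG=$(cat <<'EOF'
Feb 10 07:07:36 localhost sshd[1078]: Illegal user matt from 210.127.248.158
Feb 10 07:07:38 localhost sshd[1080]: Illegal user test from 210.127.248.158
Feb 10 07:07:40 sshd[1082]: Illegal user operator from 210.127.248.158
Feb 10 07:07:42 sshd[1084]: Illegal user wwwrun from 210.127.248.158
Feb 10 07:07:52 sshd[1096]: Illegal user apache from 210.127.248.158
Feb 10 07:07:59 sshd[1104]: Failed password for root from 210.127.248.158 port 58752 ssh2
Feb 10 07:08:01 sshd[1106]: Failed password for root from 210.127.248.158 port 59136 ssh2
Feb 10 07:08:03 sshd[1108]: Failed password for root from 210.127.248.158 port 59176 ssh2
Feb 10 07:08:15 sshd[1122]: Failed password for root from 210.127.248.158 port 60606 ssh2
Feb 10 07:09:02 localhost sshd[1130]: Invalid user admin from 192.0.2.77
Feb 10 07:09:05 localhost sshd[1131]: Failed password for invalid user admin from 192.0.2.77 port 40112 ssh2
Feb 10 07:10:11 localhost sshd[1140]: Accepted publickey for matt from 192.0.2.10 port 50000 ssh2
EOF
)

# ssh_bruteforce_offenders LOGTEXT THRESHOLD
# Prints "ADDRESS COUNT" for every source address with at least THRESHOLD
# unknown-user or failed-password events, most active first.
ssh_bruteforce_offenders() {
    printf '%s\n' "$1" | awk -v threshold="$2" '
        # Both message shapes put the address after " from ", followed by
        # either end-of-line or " port N ssh2".
        /sshd\[[0-9]+\]: (Illegal|Invalid) user .* from / ||
        /sshd\[[0-9]+\]: Failed password for .* from / {
            ip = $0
            sub(/.* from /, "", ip)    # drop everything up to the address
            sub(/ .*/, "", ip)         # drop " port N ssh2" if present
            failures[ip]++
        }
        END {
            for (ip in failures)
                if (failures[ip] >= threshold)
                    print ip, failures[ip]
        }
    ' | sort -k2,2nr -k1,1
}

# Example run: addresses with five or more failures in the sample.
ssh_bruteforce_offenders "$SAMPLE_AUTH_LOG" 5
```

On a real machine, feed it the actual log (for example `ssh_bruteforce_offenders "$(cat /var/log/secure.log)" 5` on Mac OS X of that era, or /var/log/auth.log on most Linux systems); the "ADDRESS COUNT" lines are easy to turn into hosts.deny entries or a firewall table. Pick the threshold with the log's time window in mind: a handful of failures from one address over a day is a typo, nine in forty seconds is a scan.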
Here is a snip of a great article explaining virus spoofing from www.lse.ac.uk:
Email-distributed viruses that use spoofing, such as the Klez or Sobig virus, take a random name from somewhere on the infected person's hard disk and mail themselves out as if they were from that randomly chosen address. Recipients of these viruses are therefore misled as to the address from which they were sent, and may end up complaining to, or alerting, the wrong person. As a result, users of uninfected computers may be wrongly informed that they have, and have been distributing, a virus.
TechTV | Dark Tip: Destroy Spyware
I have yet to find an application that detects adware and spyware before it's installed on your PC, so my recommendation is not to pay for adware/spyware removal software at this time. Simply use a combination of Ad-aware (freeware version) and Spybot - Search & Destroy to remove the offending software. I believe Norton is on the right track by combining antivirus software with adware/spyware-detection. With automatic updates and real-time detection, Norton could prove to be the ultimate removal tool for viruses, adware, and spyware. Only time will tell, and I'm sure McAfee has something up its sleeve as well.
Mac OS X Security Advisory
Vulnerability: Malicious DHCP response can grant root access
Affected Software:
  Mac OS X 10.3 (all versions through at least 26-Nov-2003)
  Mac OS X Server 10.3 (all versions through at least 26-Nov-2003)
  Mac OS X 10.2 (all versions through at least 26-Nov-2003)
  Mac OS X Server 10.2 (all versions through at least 26-Nov-2003)
  Probably earlier versions of Mac OS X and Mac OS X Server
  Possibly developer seeded copies of future versions of Mac OS X
Part one of a series of articles by the good people at securityfocus.com about creating a somewhat safe presence on the web.
Part three and the final installment, so far, in securing your web server by the crew at securityfocus.com.
Part two in the series of articles by the folks at securityfocus.com about securing your web server.