Starting from 2023, this blog is moving to GitHub to continue my personal web site and blog management.
Thank you Blogger.com. This has been a long journey of 16 years. Let's continue on https://myseq.github.io/
What is the difference between cybersecurity and database engineering?
Cybersecurity specialists think in terms of 24 hours; database engineers think in terms of the end of every quarter.
Here is a diagram that shows the relationship between Information Security, Security Resilience, and Cybersecurity.
         _____________
        /             \
       /    Cyber-     \
      |    security     |
       \_____________/
             |   |
             |   |
     _____________________
    |                     |
    | Security Resilience |
    |_____________________|
             |   |
             |   |
     _____________________
    |                     |
    | Information Security|
    |_____________________|
The diagram shows that Cybersecurity is a subset of Security Resilience, as Security Resilience encompasses not just Cybersecurity but also physical security, incident response planning, and business continuity planning. Similarly, Information Security is a subset of Security Resilience, as Security Resilience encompasses a broader set of security-related activities beyond just information security.
Yes, there is a difference between information security and cybersecurity, although the two terms are often used interchangeably.
Information security is a broader term that encompasses the protection of all forms of information, both digital and non-digital, from unauthorized access, use, disclosure, disruption, modification, or destruction. This includes physical security measures, such as locks and access controls, as well as technical and administrative controls, such as encryption and policies and procedures.
Cybersecurity, on the other hand, specifically refers to the protection of digital information and systems from cyber threats, such as cyber attacks, hacking, malware, and other forms of unauthorized access, use, or disclosure. It involves the use of technical measures, such as firewalls, intrusion detection systems, and encryption, to secure digital assets.
In summary, information security is a broader concept that includes both physical and digital security, while cybersecurity is a specific subset of information security that focuses solely on digital security.
Jekyll is one of the most popular static-site generators and is written in Ruby. It builds the actual website from CSS, HTML and Markdown. Jekyll also offers easy migration from WordPress or other systems to the new environment.
Here are the steps I followed to set up Jekyll on Ubuntu.
Let's start with installing Ruby and prerequisites.
$ sudo apt install ruby-full build-essential zlib1g-dev
Then, setup the gem installation directory in the BASH startup.
$ echo '# Install Ruby Gems to ~/gems' >> ~/.bashrc
$ echo 'export GEM_HOME="$HOME/gems"' >> ~/.bashrc
$ echo 'export PATH="$HOME/gems/bin:$PATH"' >> ~/.bashrc
$ source ~/.bashrc
Next, install Jekyll and Bundler:
$ gem install jekyll bundler
Now, just clone from the GitHub with the theme Chirpy.
$ git clone https://github.com/cotes2020/jekyll-theme-chirpy
Last, install the dependencies and run the local server.
$ cd jekyll-theme-chirpy
$ bundle install
$ bundle exec jekyll serve --host 0.0.0.0
Open http://localhost:4000/ in the browser. Note that --host 0.0.0.0 binds the development server to every interface (handy under WSL so Windows can reach it), which also means anyone on the same network can browse the draft site; drop the flag to listen on localhost only.
Finally, Google has released OSV-Scanner as a free tool that gives open-source developers access to vulnerability information that may be relevant to their projects.
With the OSV.dev service, all the different open-source ecosystems and vulnerability databases can publish and consume information in one simple, precise, machine-readable format (JSON).
OSV-Scanner is an officially supported front end to the OSV database (OSV.dev) that connects a project's list of dependencies with the vulnerabilities that affect them.
There are a few ways to use OSV:
So, let's get started running OSV-Scanner on your project. It finds all the dependencies being used by analyzing manifests, SBOMs and commit hashes, then connects this information with the centralized OSV database and displays the vulnerabilities relevant to your project.
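The matching OSV-Scanner does, reduced to its core, is an added example below (written for this post, not code from the OSV project): it parses a requirements.txt-style manifest and applies the OSV schema's affected-range semantics ("introduced" opens a window, "fixed" closes it exclusively, "last_affected" inclusively, "0" means from the first release). The advisory records, package names, versions and the EXAMPLE-* IDs are constructed placeholders, not real vulnerabilities; a real run would fetch records from https://api.osv.dev/ instead, and the version parser is a numeric-only simplification of PEP 440.

```python
"""Added example: match a manifest against OSV-format advisories (not osv-scanner code)."""
from __future__ import annotations

import re

# Constructed advisories in OSV JSON form. IDs, packages and versions are placeholders.
SAMPLE_ADVISORIES = [
    {
        "id": "EXAMPLE-2022-0001",
        "summary": "placeholder: unsafe deserialization in examplelib",
        "affected": [{
            "package": {"ecosystem": "PyPI", "name": "examplelib"},
            "ranges": [{"type": "ECOSYSTEM", "events": [
                {"introduced": "0"}, {"fixed": "1.4.2"},
                {"introduced": "2.0.0"}, {"fixed": "2.1.0"}]}],
        }],
    },
    {
        "id": "EXAMPLE-2022-0002",
        "summary": "placeholder: path traversal in secondlib",
        "affected": [{
            "package": {"ecosystem": "PyPI", "name": "secondlib"},
            "ranges": [{"type": "ECOSYSTEM", "events": [
                {"introduced": "3.0.0"}, {"last_affected": "3.2.1"}]}],
        }],
    },
]

# Constructed requirements.txt-style manifest.
SAMPLE_MANIFEST = """\
examplelib==1.3.0
secondlib==3.2.1
thirdlib==0.9.0
"""

_REQ_LINE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9.]*)")


def parse_version(version: str) -> tuple[int, ...]:
    """'1.4.2' -> (1, 4, 2). Simplification: numeric dotted versions only; real code
    should use packaging.version, which understands PEP 440 pre/post/dev releases."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version: str, events: list[dict]) -> bool:
    """OSV event semantics: 'introduced' opens a window that the next 'fixed'
    (exclusive) or 'last_affected' (inclusive) closes; '0' means the first release."""
    v = parse_version(version)
    window_start = None
    for event in events:
        if "introduced" in event:
            window_start = parse_version(event["introduced"])
        elif "fixed" in event:
            if window_start is not None and window_start <= v < parse_version(event["fixed"]):
                return True
            window_start = None
        elif "last_affected" in event:
            if window_start is not None and window_start <= v <= parse_version(event["last_affected"]):
                return True
            window_start = None
    # A window that is never closed affects every version from its start onward.
    return window_start is not None and v >= window_start


def parse_manifest(text: str) -> list[tuple[str, str]]:
    """Extract (name, version) pins from requirements.txt-style lines."""
    pins = []
    for line in text.splitlines():
        m = _REQ_LINE.match(line)
        if m:
            pins.append((m.group(1).lower(), m.group(2)))
    return pins


def scan(manifest_text: str, advisories: list[dict], ecosystem: str = "PyPI") -> list[dict]:
    """One finding per (pinned package, advisory) pair whose ranges or explicit versions match."""
    findings = []
    for name, version in parse_manifest(manifest_text):
        for adv in advisories:
            for affected in adv.get("affected", []):
                pkg = affected.get("package", {})
                if pkg.get("ecosystem") != ecosystem or pkg.get("name", "").lower() != name:
                    continue
                hit = any(is_affected(version, rng.get("events", []))
                          for rng in affected.get("ranges", [])
                          if rng.get("type") in ("ECOSYSTEM", "SEMVER"))
                if hit or version in affected.get("versions", []):
                    findings.append({"package": name, "version": version,
                                     "id": adv["id"], "summary": adv.get("summary", "")})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_MANIFEST, SAMPLE_ADVISORIES):
        print(f"{f['package']}=={f['version']}: {f['id']} ({f['summary']})")
```

Running it reports examplelib 1.3.0 and secondlib 3.2.1 and stays silent on thirdlib, which has no advisory. The boundary cases are the ones worth checking by hand: 1.4.2 is the fixed version and is therefore clean, while 3.2.1 is last_affected and is still vulnerable.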
Links:
OpenSSF Scorecard is one of the initiatives of the Open Source Security Foundation (OpenSSF). It is a tool that gives a quick, automated assessment of the risky practices of any open-source project.
To run the checks, there are 2 ways:
Scorecard checks for weaknesses in different parts of the software supply chain, including source code, build, dependencies, testing and project maintenance.
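The checks only help if something acts on them, so here is an added example (written for this post, not part of the Scorecard project) of a small policy gate over a Scorecard report. It assumes the shape of the tool's JSON output, a top-level "score" plus a "checks" list whose items carry "name", "score" and "reason", with -1 meaning the check could not run; the check names below are real Scorecard checks, but the report itself, its scores and reasons are constructed for the example.

```python
"""Added example: gate on OpenSSF Scorecard JSON output (not Scorecard project code)."""
from __future__ import annotations

# Constructed report in the assumed `scorecard --format json` shape; values are made up.
SAMPLE_REPORT = {
    "repo": {"name": "github.com/example/repo", "commit": "0000000"},
    "score": 6.4,
    "checks": [
        {"name": "Binary-Artifacts", "score": 10, "reason": "no binaries found in the repo"},
        {"name": "Branch-Protection", "score": 3, "reason": "branch protection not maximal"},
        {"name": "Dangerous-Workflow", "score": 10, "reason": "no dangerous workflow patterns"},
        {"name": "Pinned-Dependencies", "score": 2, "reason": "dependencies not pinned by hash"},
        {"name": "Token-Permissions", "score": 0, "reason": "non read-only tokens in workflows"},
        {"name": "Vulnerabilities", "score": -1, "reason": "internal error: lookup failed"},
    ],
}

# Policy: an overall floor plus per-check floors for the supply-chain checks that
# matter most to a consumer; an inconclusive (-1) check is treated as a failure.
POLICY = {
    "min_overall": 5.0,
    "min_checks": {
        "Dangerous-Workflow": 10,
        "Token-Permissions": 7,
        "Pinned-Dependencies": 5,
        "Vulnerabilities": 10,
    },
    "fail_on_inconclusive": True,
}


def evaluate(report: dict, policy: dict) -> list[str]:
    """Return human-readable policy violations; an empty list means the report passes."""
    failures = []
    if report.get("score", 0) < policy["min_overall"]:
        failures.append(f"overall score {report.get('score')} below {policy['min_overall']}")
    by_name = {c["name"]: c for c in report.get("checks", [])}
    for name, floor in policy["min_checks"].items():
        check = by_name.get(name)
        if check is None:
            failures.append(f"{name}: not present in report")
            continue
        score = check.get("score", -1)
        if score < 0:
            # -1 is Scorecard's "could not evaluate"; do not silently treat it as a pass.
            if policy["fail_on_inconclusive"]:
                failures.append(f"{name}: inconclusive ({check.get('reason', '')})")
            continue
        if score < floor:
            failures.append(f"{name}: {score} < {floor} ({check.get('reason', '')})")
    return failures


def passes(report: dict, policy: dict) -> bool:
    return not evaluate(report, policy)


if __name__ == "__main__":
    for line in evaluate(SAMPLE_REPORT, POLICY):
        print("FAIL", line)
    print("result:", "pass" if passes(SAMPLE_REPORT, POLICY) else "fail")
```

Against the constructed report the gate fails on Token-Permissions, Pinned-Dependencies and the inconclusive Vulnerabilities check even though the overall 6.4 clears the floor, which is the point: a single aggregate score hides exactly the checks a downstream consumer cares about.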
Links:
My Ubuntu 22.04 (WSL) comes with Python 3.10.6, and I need to upgrade it to 3.11 for a workshop. (More importantly, it claims to be 10-60% faster than 3.10. 😎)
Here are the steps:
$ sudo add-apt-repository ppa:deadsnakes/ppa
$ sudo apt update
$ sudo apt install python3.11-full
$ python3.11 --version
Python 3.11.1
Next, to make Python 3.11 the default python3. In auto mode update-alternatives picks the candidate with the highest priority, so 3.11 gets the larger number (you can still pick either one interactively with --config).
$ sudo update-alternatives --install /usr/bin/python3 python3 /usr/bin/python3.10 100
$ sudo update-alternatives --install /usr/bin/python3 python3 /usr/bin/python3.11 110
$ sudo update-alternatives --config python3
Caveat: on Ubuntu, apt and several system tools are built against the distribution's python3 (3.10 here), so repointing /usr/bin/python3 can break them. For a workshop it is safer to leave the system python3 alone and create the project environment with python3.11 -m venv instead.
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import httpx
import requests
In general, both modules are similar. Here I just make a simple comparison of the differences between the Python HTTPX and Requests modules.
| | Requests | HTTPX |
|---|---|---|
| Sessions | requests.Session() | httpx.Client() |
| Async support | Not supported | httpx.AsyncClient() |
| HTTP/2 support | Not supported | httpx.Client(http2=True), httpx.AsyncClient(http2=True) (needs the h2 package) |
I have started moving over to HTTPX since Dec 2022.
Links:
Everyone knows RBAC is important. And this is one of the best webinars demonstrating best practices in designing RBAC.
Notes:
[Screenshot: Top 10 vendors and vulnerable products in the KEV catalog]
CISA started sharing the KEV catalog with the public on Nov 3, 2021. A total of 860 CVEs have been added to the KEV catalog after 13 months (849 CVEs by Nov 3).
Too many organizations are relying on the Common Vulnerability Scoring System, developed at FIRST.org, to decide when it is time to patch. Vulnerabilities with a Low/Medium CVSS score are often ignored completely or deferred to another time, while a vulnerability with a score of 7.0 and above generates a hair-on-fire "patch now" event.
And this is why patches don't always get applied in a timely fashion.
It is time we reexamine each of our vulnerability management programs to assure we are not letting impactful and known CVEs continue to exist in our networks long past the time that vendor fixes are available. We need to evolve our practices to incorporate capabilities such as KEV into our operational vulnerability analysis decision making.
The screenshot above shows the top 10 vulnerable products and the vendors within the KEV catalog. And I have shared the script at GitHub back in April 2022.
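To make the "KEV before CVSS" argument concrete, here is an added example (written for this post; it is not the script the author shared on GitHub). It assumes the field names of CISA's known_exploited_vulnerabilities.json, a "vulnerabilities" list whose entries carry cveID, vendorProject, product, dateAdded and dueDate, and shows two things: the vendor/product count behind a "top 10" view, and a patch-ordering rule that puts KEV entries first by CISA due date and only then falls back to CVSS. The catalog excerpt and scanner findings are constructed, with CVE-0000-* placeholder IDs that are not real catalog entries.

```python
"""Added example: prioritize findings with the CISA KEV catalog (not the author's script)."""
from __future__ import annotations

from collections import Counter

# Constructed KEV-style excerpt: placeholder IDs, vendors and dates, not real entries.
SAMPLE_KEV = {
    "title": "constructed excerpt",
    "count": 5,
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "VendorA", "product": "Gateway",
         "dateAdded": "2022-11-01", "dueDate": "2022-11-22"},
        {"cveID": "CVE-0000-0002", "vendorProject": "VendorA", "product": "Gateway",
         "dateAdded": "2022-11-08", "dueDate": "2022-11-29"},
        {"cveID": "CVE-0000-0003", "vendorProject": "VendorB", "product": "Mailer",
         "dateAdded": "2022-11-15", "dueDate": "2022-12-06"},
        {"cveID": "CVE-0000-0004", "vendorProject": "VendorA", "product": "Portal",
         "dateAdded": "2022-11-20", "dueDate": "2022-12-11"},
        {"cveID": "CVE-0000-0005", "vendorProject": "VendorC", "product": "Agent",
         "dateAdded": "2022-11-25", "dueDate": "2022-12-16"},
    ],
}

# Constructed scanner output: one row per (host, CVE) with the CVSS base score.
SAMPLE_FINDINGS = [
    {"host": "web-01", "cve": "CVE-0000-0003", "cvss": 5.3},
    {"host": "web-01", "cve": "CVE-0000-0099", "cvss": 9.8},
    {"host": "db-01", "cve": "CVE-0000-0001", "cvss": 4.3},
    {"host": "db-01", "cve": "CVE-0000-0098", "cvss": 7.5},
]


def kev_index(catalog: dict) -> dict[str, dict]:
    """Map cveID -> catalog entry so lookups are O(1) per finding."""
    return {v["cveID"]: v for v in catalog["vulnerabilities"]}


def top_products(catalog: dict, n: int = 10) -> list[tuple[str, int]]:
    """Count vendor/product pairs across the catalog (the view in the screenshot)."""
    counts = Counter(f'{v["vendorProject"]} {v["product"]}' for v in catalog["vulnerabilities"])
    return counts.most_common(n)


def prioritize(findings: list[dict], catalog: dict) -> list[dict]:
    """Order findings for patching: KEV entries first, earliest CISA due date first;
    everything else afterwards by CVSS descending. A CVSS 4.3 that is known to be
    exploited therefore outranks a 9.8 that is not in the catalog."""
    index = kev_index(catalog)

    def sort_key(finding: dict) -> tuple:
        entry = index.get(finding["cve"])
        if entry is not None:
            return (0, entry["dueDate"], -finding["cvss"])  # ISO dates sort as strings
        return (1, "", -finding["cvss"])

    ordered = []
    for finding in sorted(findings, key=sort_key):
        entry = index.get(finding["cve"])
        ordered.append({**finding, "kev": entry is not None,
                        "due": entry["dueDate"] if entry else None})
    return ordered


if __name__ == "__main__":
    for product, count in top_products(SAMPLE_KEV):
        print(f"{count:3d}  {product}")
    for f in prioritize(SAMPLE_FINDINGS, SAMPLE_KEV):
        print(f"{'KEV ' if f['kev'] else '    '}{f['cve']} cvss={f['cvss']} due={f['due']} host={f['host']}")
```

The ordering the example produces for the constructed data is the one the post argues for: the two KEV entries (CVSS 4.3 and 5.3) come before the CVSS 9.8 and 7.5 findings that are not known to be exploited, and within KEV the earlier due date wins.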
Links:
Let's have some hacking/command-line fun with ChatGPT.
Do you know what OS, how much memory and what disk size ChatGPT uses? It is running on
😮 😮 😮 😮 😮 😮
First, log in to ChatGPT at https://chat.openai.com/chat with a Google account.
Second, enable the "terminal" by pasting this prompt into ChatGPT:
I want you to act as a Linux terminal. I will type commands and you will reply with what the terminal should show. I want you to only reply with the terminal output inside one unique code block, and nothing else. Do not write explanations. Do not type commands unless I instruct you to do so. When I need to tell you something in English I will do so by putting text inside curly brackets {like this}. My first command is pwd.
Next, we can continue with all the commands we are familiar with:
lsb_release -a
fdisk -l /dev/sda
cat /etc/passwd
cat /etc/shadow
uptime
Personally, I don't think the information above is true, but it is fun to see this sometimes. 😇
Links:
ChatGPT is a language model developed by OpenAI. GPT-3 stands for "Generative Pretrained Transformer 3" and is a type of artificial intelligence (AI) that is designed to generate human-like text.
ChatGPT is specifically designed to be used in chatbot applications, where it can generate natural-sounding responses to user inputs.
[Screenshot of the ChatGPT conversation]
ChatGPT can remember what we said, and allow for follow up questions. Such as:
[Screenshot: ChatGPT answering the follow-up prompt 秋天的诗 (a poem about autumn)]
Let's start having some fun.
Links:
OpenAI created a tool that generates AI images and made it available to everyone on the Internet. The tool is called DALL-E 2.
Log in to DALL-E 2 at https://openai.com/dall-e-2/ with a Google account, and just type in any description to generate an image, such as:
an old man and a dog walking at beach
We can also append keywords to be more specific, such as:
an old man and a dog walking at beach, line art
Keywords can be:
[Generated image: an old man and a dog walking along beach, oil painting]
Links:
Go to edge://flags in the URL bar and enable the following:
1. Enhance text contrast
edge://flags/#edge-enhance-text-contrast
2. Show block option in autoplay settings
edge://flags/#edge-autoplay-user-setting-block-option
3. Show Windows 11 visual effects in the title bar and toolbar
edge://flags/#edge-visual-rejuv-mica
4. Assigns the Backspace key to go back a page
edge://flags/#edge-backspace-key-navigate-page-back
5. Rounded tabs
edge://flags/#edge-visual-rejuv-rounded-tabs
Links:
To start a notepad.exe process as a normal user:
c:\> notepad.exe
To start a notepad.exe process as a normal user with PowerShell:
PS> Start-Process notepad
To open a file as Administrator with PowerShell (this triggers a UAC prompt; the elevated process runs with its own window and does not return output to the calling shell):
PS> Start-Process 'notepad' -Verb runAs -ArgumentList c:\windows\system32\drivers\etc\hosts
To simulate 'sudo' with a PowerShell function:
-----------8<------------------
function sudo
{
    if ($args.Count -gt 0)
    {
        # First token is the program to elevate; anything after it is passed through.
        $startArgs = @{ FilePath = $args[0]; Verb = 'RunAs' }
        if ($args.Count -gt 1)
        {
            # Bind -ArgumentList only when there is something to pass:
            # Start-Process rejects a null or empty ArgumentList, so a bare
            # "sudo notepad" must not supply the parameter at all.
            $startArgs['ArgumentList'] = $args[1 .. ($args.Count - 1)]
        }
        Start-Process @startArgs
    }
    else
    {
        # No program given: open an elevated shell of the same kind we are in.
        if ($env:WT_SESSION) {
            Start-Process "wt.exe" -Verb RunAs
        }
        elseif ($PSVersionTable.PSEdition -eq 'Core')
        {
            Start-Process "$PSHOME\pwsh.exe" -Verb RunAs
        }
        elseif ($PSVersionTable.PSEdition -eq 'Desktop')
        {
            Start-Process "$PSHOME\powershell.exe" -Verb RunAs
        }
    }
}
Set-Alias -Name su -Value sudo
-----------8<------------------
To use the function (each call raises a UAC prompt, and relative paths in the arguments are resolved by the new elevated process):
PS> sudo notepad c:\windows\system32\drivers\etc\hosts
Links: