-
Links
FLAIR
Categories
- angularjs (3)
- ant (1)
- apache (4)
- aws (1)
- cacti (1)
- CSS (2)
- databases (8)
- Design (4)
- facebook (1)
- git (3)
- google (8)
- hg (4)
- Ionic (1)
- linkspam (10)
- linux (25)
- logstash (1)
- marketing (6)
- mysql (13)
- netflix (1)
- nosql (2)
- php (36)
- phpunit (3)
- programming (43)
- purdy (12)
- rant (26)
- security (22)
- servers (39)
- testing (3)
- tools (16)
- Uncategorized (6)
- windows (5)
- wordpress (1)
- zend studio (2)
Archives
- June 2015 (3)
- May 2015 (3)
- April 2015 (6)
- March 2015 (5)
- May 2014 (1)
- April 2014 (1)
- March 2014 (1)
- August 2013 (1)
- July 2013 (1)
- May 2013 (1)
- April 2013 (1)
- March 2013 (1)
- February 2013 (1)
- November 2012 (1)
- October 2012 (2)
- September 2012 (1)
- August 2012 (2)
- July 2012 (5)
- June 2012 (4)
- May 2012 (5)
- April 2012 (2)
- March 2012 (1)
- February 2012 (1)
- January 2012 (3)
- December 2011 (3)
- November 2011 (2)
- September 2011 (5)
- August 2011 (4)
- July 2011 (4)
- June 2011 (4)
- May 2011 (4)
- April 2011 (3)
- March 2011 (4)
- February 2011 (3)
- January 2011 (3)
- December 2010 (2)
- August 2010 (1)
- July 2010 (1)
- June 2010 (1)
- April 2010 (4)
- March 2010 (7)
- January 2010 (1)
- October 2009 (2)
- August 2009 (8)
- July 2009 (1)
- June 2009 (9)
- May 2009 (2)
- April 2009 (1)
- June 2008 (1)
security Archive
Securing Elasticsearch – Part 1
The most frequently asked question for ElasticSearch and security is "how do I require login"?
Once you've answered and implemented the answer to that question; a larger, truly more troublesome issue looms. The same principals used to secure ElasticSearch; typically a proxy fronted by Apache/nginx use various auth techniques. If you...
Read More Why are we spending so much time refuting?
There's a nice juicy war going on in the 'data / web' sector, that seems more heated than I can remember.
It essentially boils down to sensationalist claims from the likes of MongoDB and MemSQL, which in turn draw refuting remarks from industry professionals that are typically embedded with RDBMS technologies.
The...
Read More Worthy of distribution: Your cell phone records
This is just too cool, and too perfect a testament for how you can derive a lot through data and social networking.Via the F-Secure labs blog: http://www.zeit.de/datenschutz/malte-spitz-data-retentionShows an extremely well put together example of combining a tidbit of privileged information with social networking and how this truly is a brave...
Read More On MySQL: The latest, far-reaching password circumvention
By now, everyone has, or will be hearing about this issue.
While it's an extremely simple hack and covers (dare I say the majority) of MySQL installation version. Let's not forget to finish reading the entire disclosure:
From the disclosure:
But practically it's better than it looks - many MySQL/MariaDB builds are not...
Read More GitHub hacked, and private repositories
And this is precisely why albeit 'nifty', storing your private/proprietary code in a 'private repository' on the likes of GitHub / Bitbucket is a generally poor idea. - Keeping your code in SCM behind closed doors isn't difficult. I find it very troublesome (annoying) to see how many people can't...
Read More Disable PHP 5.4’s built-in web server, while keeping CLI …
Administrators: Don't get blind-sided by PHP 5.4's CLI web server!I've gone over a similar issue like this before regarding the likes of git/hg. While those are developer tools and are less likely to be present on a production machine.PHP 5.4 is jumping on the bandwagon to include a 'cute' little...
Read More Observations: Google’s new Terms of Service
The new TOS and Privacy Policy documents from Google are a welcome change, reducing 60 individual ones into a standard, global set is a much better idea for understanding's sake. Observation 1:We may review content to determine whether it is illegal or violates our policies, and we may remove...
Read More PHP Vulnerability – DJBX33A – Hash table collisions
Trickling through my RSS feeds this morning was an article with quite the topic "PHP Vulnerability May Halt Millions of Servers".
In a nutshell: A modest size POST to almost all PHP versions in the wild (Sans 5.3.9+) are in danger of an extremely simple DoS.
The vulnerability exploits the PHP internal...
Read More Worthy of distribution: Cloud analogy
This post on Beyond Bandwidth seems to summarize some of my feelings about cloud computing - it's best thought of as an outsourcing task for the most part; Although the benefits of something like an extra DNS server are a bit more than an 'outsource benefit'; but you get the...
Read More Is there a hacking campaign against open source?
Linux.com, kernel.org, mysql(twice this year), wordpress and php have all reported breaches of some sort this year. Is there some sort of campaign against these 'high profile' open source projects? It's starting to feel like it, to me.The more hands you get in the pot, the more nervous you should...
Read More The inherent risks of ‘daemonize’ features in developer tools – Git, Mercurial (hg)
A handful of tools such as mercurial, git, (soon PHP - which chances are will be it's own binary) have their own 'daemonize' functionality.Whatever your reasons - if you want to disable these; there's little to no help in figuring out how... til now...If you want to disable Mercurial's hg...
Read More Kernel.org, linux.com down, still… also, Git! – Updated!
With news breaking about the compromised systems for kernel.org, linux.com, which are sites are "down for maintenance". Completely - and it's been this way for many days now. (Kernel.org since the 28th)I think it's safe to say the range and scope of the issues are pretty disappointing - the longer these...
Read More Worthy of distribution: Reset root MySQL password
Oh snap! Need to reset your mysql root/admin (or any?) MySQL password? Well, you'll need root and control over MySQLd to some extent, but this is worthy of a rainy-day bookmark indeed: http://mysqlpreacher.com/wordpress/2011/03/recovering-a-mysql-root-password-three-solutions/ Subscribe in a reader...
Read More /usr/bin/chage – Sending emails when a pasword expires, or is about to
There's a lot of scripts out there that do this but they either don't revolve around /etc/shadow enough or they're sloppy.Here's my spin on a script for nightly cron that will parse /etc/shadow and send out emails based on the per-user values. It's resistant to garbage dates (99999 'expiration' dates)....
Read More Shortcut to a directory with a bat file and a sub directory containing the same name
Check this out.Make a directory structure like this:DirDir/AnotherDirDir/anotherdir.batFill the .bat file with something creative... (Non destructive)Now, make a shortcut from anywhere to Dir/AnotherDir - lemme guess, it tries to name the shortcut after the bat file? Odd! Rename it in the prompt then. Save your shortcut and try to use...
Read More Amazon AWS – The risk of using a cooked AMI
Straight from the horses mouth; I no longer use this AMI - but the only ones I've used are Debian EBS and SLES ... Fortunately I already went through authorized_keys on the one I do keep around.People take AWS services seriously - but the AMI sharing always set off a...
Read More Apple updater today…
I need music. I spend a lot of time holed up in an office with IM with my peers as my main form of human interaction.For a long time, I've relied on iTunes. Things have changed - I dont want to purchase through iTunes anymore - I don't want DRM'd...
Read More Google profile images, FAIL- Worthy of distribution
Most folks probably don't know that google has updated the user profile pages look'n'feel. Including some changes to profile pictures... Most of us feel somewhat comfortable uploading an image and cropping it using the interface provided to us from sites (Granted, you get what you ask for if you upload...
Read More On: ntp, ntpd. link dump!
So, in order to quickly have a (debian) machine up and running on ntp, you're bound to do something like this 'apt-get install ntp ntpdate'.The problem is that this installs 'ntpd' too. The default configuration is to allow your server to answer to NTP queries from anywhere.If you want to...
Read More Time to be informed!
What would you do if you received a legitimate looking email from your hosting company asking you to OPEN an SMTP relay?That's apparently a new style of spam (to create more spam !) targeting administrators. I'm sure there's a handful of 'admins' who can get by and would more than...
Read More