Tagged under: Linux, Windows, OsX, Firefox, Chrome, IE, Content Security Policy, CSP, HTTPS, Public Key Pinning, HPKP, Subresource Integrity, and SRI
Posted on 16 Feb 2018
The following topics are covered in this video by Scott Helme; this is a textual overview of what he covers, kept here for future reference.
CSP allows a web page to control which resources it may load. It is possible to set policies that provide a white-list of the domains/locations from which content for the page can be loaded; this is useful in mitigating cross-site scripting attacks and in preventing other malicious external content from being loaded.
Public Key Pinning is a very simple way to decrease the risk of man-in-the-middle (MITM) attacks performed with forged certificates.
It's possible that a certificate authority could issue a valid certificate to a malicious user, which can then be used to present what appears to be a secure and authorised connection while it is actually controlled by an attacker.
HPKP stores a hash of the website's real certificate in the browser; if the hash doesn't match the one presented when the page loads, the page will fail to load and the browser informs the user that there's a security issue with the website.
Because of the way HPKP works, if a browser were to load the malicious site first, the legitimate website would no longer function, as the pin is stored in the browser from first use. It is also very easy to lock yourself out of a website through incorrect set-up, so it is very important to test and set up HPKP carefully before deployment.
Public-Key-Pins: pin-sha256="base64=="; max-age=expireTime [; includeSubDomains][; report-uri="reportURI"]
Example from Mozilla:
Public-Key-Pins:
pin-sha256="cUPcTAZWKaASuYWhhneDttWpY3oBAkE3h2+soZS7sWs=";
pin-sha256="M8HztCzM3elUxkcjR2S5P4hhyBNf6lHkmjAHKhpGPWE=";
max-age=5184000; includeSubDomains;
report-uri="https://www.example.org/hpkp-report"
Subresource Integrity is described below.
SRI is a security feature that enables browsers to verify that files they fetch (for example, from a CDN) are delivered without unexpected manipulation. It works by allowing you to provide a cryptographic hash that a fetched file must match.
In modern web development the use of content delivery networks (CDNs) opens up a very appealing attack vector and can introduce a vulnerability into any website using them. To mitigate this risk, use SRI to ensure that the content provided by the CDN has not been altered or tampered with. Using this SRI hash tool it's possible to generate a hash of known-safe content; from then on, any time a browser attempts to load content from the CDN, the hash of the fetched content will be compared to the hash stored on the webpage.
To use SRI, two more attributes are added to the script tag:
integrity="sha256-5i/mQ300M779N2OVDrl16lbohwXNUdzL/R2aVUXyXWA="
crossorigin="anonymous"
crossorigin should almost always be anonymous.
integrity is the hash of the content.
If the CSP is set to require-sri-for script style then any script or style tags that do not include the above attributes will no longer load.
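As an added example (not from the video or the original post), the following Python script shows how the integrity value is produced and how a browser compares it against the fetched bytes, including the rule that only the strongest hash family listed in the attribute is considered. The sample script bytes are constructed for the demonstration.

```python
import base64
import hashlib
import re

# Hash families SRI accepts; browsers keep only the strongest family present
# in the attribute and accept the resource if it matches any token of that family.
SRI_ALGOS = {"sha256": hashlib.sha256, "sha384": hashlib.sha384, "sha512": hashlib.sha512}
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}

# Constructed sample resource standing in for a file served from a CDN.
SAMPLE_SCRIPT = b"console.log('hello from the CDN');\n"


def sri_hash(data: bytes, algo: str = "sha256") -> str:
    """Return the token to put in integrity="...", e.g. 'sha256-<base64 digest>'."""
    if algo not in SRI_ALGOS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = SRI_ALGOS[algo](data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def parse_integrity(value: str) -> list:
    """Split an integrity attribute into (algo, base64) pairs, dropping tokens
    a browser would not understand (unknown algorithm or malformed)."""
    tokens = []
    for token in value.split():
        m = re.fullmatch(r"(sha256|sha384|sha512)-([A-Za-z0-9+/=]+)(\?.*)?", token)
        if m:
            tokens.append((m.group(1), m.group(2)))
    return tokens


def verify_sri(data: bytes, integrity: str) -> bool:
    """Mimic the browser check. With no recognised token the resource is loaded
    unchecked, which is why require-sri-for matters when you want SRI enforced."""
    tokens = parse_integrity(integrity)
    if not tokens:
        return True
    strongest = max(STRENGTH[algo] for algo, _ in tokens)
    return any(
        STRENGTH[algo] == strongest and sri_hash(data, algo) == f"{algo}-{b64}"
        for algo, b64 in tokens
    )


def demo() -> dict:
    """Genuine content passes; a one-byte change to the CDN copy fails."""
    good = sri_hash(SAMPLE_SCRIPT)
    tampered = SAMPLE_SCRIPT.replace(b"hello", b"hacked")
    return {"token": good, "ok": verify_sri(SAMPLE_SCRIPT, good), "tampered": verify_sri(tampered, good)}
```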
Tagged under: Personal, ZSH, Open, xdg-open, Linux, Windows, and OsX
Posted on 05 Apr 2017
To open the current directory of the terminal in Mac or Windows is as simple as typing open . , essentially "open here", nice and simple.
On Linux things are a little less straightforward: due to the plethora of desktop environments and file managers it can't be as simple as the above, you'd instead need to specify your chosen file manager and well.... that's effort, especially if you work over various Linux environments.
But I had a cunning plan! Why not set an alias for your environment to be able to use open . in place of nautilus . ?
In looking into this though I discovered an even neater way of achieving this using xdg-open. Your preferred file manager can be set in xdg, and by setting an alias open="xdg-open " I can now use open . to my heart's content. Even better, it will still allow opening any directory passed to open as it's still essentially xdg-open, but shorter.
Tagged under: Lombok, intellij, and Java
Posted on 10 Feb 2017
Lombok is used to reduce the amount of code that needs to be written: by using annotations, Lombok is able to generate lots of boilerplate code quickly and easily. Not only is this useful for speeding up development, it also reduces the risk of mistakes and typos throughout the code as well as making it more readable.
There are a few steps, however, to get Lombok working in IntelliJ:
Step 1 - Adding the plugin
Adding the plugin into IntelliJ is very straightforward: simply open the preferences window and navigate to Plugins, search for the Lombok plugin and install it. IntelliJ needs to restart for it to be added.
Step 2 - Allow processing of annotations
Now that the Lombok plugin is added, processing of the annotations needs to be enabled. In the preferences window again, navigate to Build, Execution, Deployment -> Compiler -> Annotation Processors (in the sidebar) and check the box to enable annotation processing.
Step 3 - Ensure that Lombok is a dependency
The last step is to ensure Lombok is in the Maven dependencies; add the following to the pom file:
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
<version>1.16.6</version>
<scope>provided</scope>
</dependency>
Set the version to whatever is needed, in my case it’s 1.16.6.
Tagged under: Mosh, Linux, PC, Ubuntu, and Cygwin
Posted on 07 Feb 2017
This is going to be a very short post because it’s about something that made me think…
Why the hell didn’t I know about this sooner!?
SSH is great, especially when using it with key authentication: nice and secure without any hassle. That is until there's a drop in internet connection, you change between Wi-Fi access points or you just want to close your laptop and pick up where you left off. In all of these cases SSH will stop working and just not tell you!
Here's where Mosh comes in. It appears to run on everything under the sun (or at least anything SSH runs on) and its use is nearly identical to that of SSH, with the command being mosh me@server.com in place of ssh me@server.com.
It's secure as it utilises a lot of the existing SSH security, including key authentication, and it solves the issue of losing an SSH connection.
Just follow one of the many installation instructions on the home page, remember to allow a port between 60001 and 60999, and that's it.
Tagged under: VPS, Uni, Linux, PC, Ubuntu, Mail-in-a-box, and MIAB
Posted on 26 Jan 2017
After seeing this website it really got me thinking about my personal privacy and the amount of information being tracked and used against me, especially advertisements that would show in Facebook after reading about similar content on a different website.
I saw that it was possible to roll your own mailbox and that it was made simple by mail-in-a-box, so I got my geek on and 48 hours later I finally have something that works!
I checked out the competition between a few VPS providers and ended up using scaleway due to their low pricing and the excellent systems available at such a low price. One VPS with a dual-core 64-bit processor, 2GB of RAM and 50GB SSD storage for a pleasant €2.99 (around £2.50) a month and I was off; server creation was simple and quick and I had my own Ubuntu instance running soon enough.
The URL was a tricky one. I've been caught out buying domains and web hosting from go-daddy and domain.com in the past: they have plenty of offers and discounts on the domain name itself but they sting you with a bunch of payments after. I opted for gandi, not the prettiest of sites (especially for a web servicing company) but the prices were reasonable and worked out cheaper in the end!
I bought my aworley.uk domain for €9.60 (£8.15), so all together for a year it's going to cost £38.15, which sounds a lot worse than £3.18 a month, or not buying a muffin and coffee a month with change!
The tutorial video on the website is actually very thorough and useful; unfortunately I had an issue with a "packaging not found" error. Long story short, and after a lot of wasted time: follow the steps here and re-run the installation and all will work just fine. Update v0.21c fixes the packaging error.
A lot of the DNS stuff takes a long time to propagate through the servers, so things will probably not work for a bit (30 minutes to hours). There will probably be the odd error flagged on the admin page; just wait and they should resolve themselves given time.
Tagged under: OSx, Mac, Arch, C++, Uni, Linux, PC, and Windows
Posted on 13 Jan 2017
So deciding to take the plunge and install Arch onto my Mac has been... time consuming. I'm now at a stage I'm fairly happy with (Wi-Fi and eduroam still don't get along).
For the most part following this tutorial worked for me. The only real deviation was the packages to be installed once the base install had been laid down. Another issue is the Wi-Fi: due to the chip being a Broadcom chip it didn't work out of the box and so needed a bit of work, which leads onto...
Setting up yaourt: just follow the tutorial here for all of the instructions. Using yaourt is not really any different from pacman, just use yaourt -S and the package to be installed.
The first AUR package to grab is b43-firmware, not b43-fwcutter, which is for extracting the drivers from the original driver file.
The touchpad works perfectly out of the box in GNOME; in KDE however the right-click was not working. Follow the instructions here on how to change the mtrack file and enable right-click.
There are several ways to set up PIA; the one I opted for is to install the AUR package as described here and then start it on boot using this guide. This is not the best method as it will always connect to the same server and there is no simple way to disconnect or connect to an alternative, but it does start the fastest, which is nice.
The Arch wiki has a lot of useful information, so anything that has been missed can be found relatively easily. The MacBook-specific page is here.
Either due to hardware limitations or closed-source drivers, the following don't work 100%:
Bluetooth: Following the instructions outlined, Bluetooth devices can connect; however audio is glitchy and will disconnect after only a couple of minutes. File transfers have been untested.
Suspend on laptop close: As the nvidia driver is required for smooth video and to use Android Studio, suspend on laptop close doesn't work. This is due to the driver not reporting the number of monitors connected: as the laptop may be docked and someone might want to close the laptop and work on an external monitor, the default behaviour is to leave the laptop on, and changing the config file doesn't appear to have any effect.
Tagged under: OSx, Mac, OpenGL, C++, and Uni
Posted on 09 Mar 2015
For the past few weeks we have been faced with the fubar way that OSx deals with OpenGL, trying to get a basic game running on at least OpenGL 3.0, with the ballsed up documentation and complete misunderstanding on multiple forums of how to implement this, and with most tutorials forcing you to use Xcode and massively deprecated versions of OpenGL.
In the end it turned out to be a simple matter of changing the include in the header files from GL/GL.h to OpenGL/gl3.h. So I really hope that this is easier to find than the solution that we found.
Tagged under: Personal
Posted on 08 Mar 2015
So here it is, my first blog post... isn't it hideous and awkward? Well I'm sure it will only get worse.
I hope to write the occasional post, usually about stuff that I will probably want to look back on in the future.
Do be prepared for some rather interesting typos as well (snes = sense, not the game console from the 90's by the way).
So I currently study Computer Science (Games) at the University of Brighton and I am rather a 'Jack of all trades, master of none' kind of guy, with my interest in computer science, computers, and science in general. From the microscopic to the macroscopic, I've always found there is something interesting to be found. As such, I may even include some tidbits from here and there, such as this! It's amazing that the duality of light (or more technically, electromagnetic energy) has now been seen to be acting as both a wave and particle in a single experiment.
Media is another one of my interests, with a keen interest in photography, filmography and design (can't say I'm good at any); I enjoy working in Photoshop and watching YouTube channels such as Film Riot and Video Co-pilot to see the techniques used in the profession.
Well quite simply, I'm not very imaginative: just my name backwards, and the first auto-suggested name of just 'mada' was already taken, so mada360 it was, and from then on it stuck with me.