@ wrote... (11 months, 3 weeks ago)

On Tuesday, December 11, 2018 I received a phishing email, redacted version on pastebin.

Thankfully I used a unique password because there it was, in the clear. The unique password showed me that it was for http://osnews.com.

I reached out to them immediately and got a response promptly but it didn't mention anything about disclosure. So I then asked David if he was planning to tell his users about the breach and he replied he would by the end of the week.

Here's a snippet of his response:

The very old custom CMS that OSNews runs on hasn’t been meticulously
updated, and it does appear that someone got ahold of our user data.

On Monday, with still no announcement, I sent another email and asked again. David replied he would announce by end of day. Although several content posts have been added in the last week, there has still been no announcement of the security breach.

So, after one week, I'm announcing for them.

  • osnews.com has been hacked
  • osnews.com kept user passwords in the clear
  • those email/password tuples are now in the wild

Damn.

Category: tech, Tags: osnews
Comments: 3
@ wrote... (1 year ago)

Sometimes you don't have a favicon.ico, or it isn't in your static files because you're serving a single-page JavaScript app, or you're just tired of seeing 404s in your debug output.

Here's how you can serve a hard-coded icon (or any small file, really) directly from Django.

I got this transparent icon from transparent-favicon.info

wget http://transparent-favicon.info/favicon.ico
base64 favicon.ico

I put this in my main project urls.py, but feel free to put it wherever.

# project/urls.py
import base64

from django.conf.urls import url   # on Django 2.0+ re_path from django.urls works the same way
from django.http import HttpResponse

# 16x16, 1-bit, fully transparent .ico (the transparent-favicon.info file), base64 from above.
# Decoded once at import time rather than on every request; b64decode ignores the line breaks.
FAVICON = base64.b64decode(
    "AAABAAEAEBACAAEAAQCwAAAAFgAAACgAAAAQAAAAIAAAAAEAAQAAAAAAgAAAAAAAAAAAAAAAAAAA"
    "AAAAAAAAAAAA////AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
    "AAAAAAAAAAAAAAAAAAAAAAAAAAD//wAA//8AAP//AAD//wAA//8AAP//AAD//wAA//8AAP//AAD/"
    "/wAA//8AAP//AAD//wAA//8AAP//AAD//wAA"
)


def favicon(request):
    response = HttpResponse(FAVICON, content_type="image/x-icon")
    response["Cache-Control"] = "public, max-age=86400"  # stop browsers re-fetching it on every page
    return response


# urlpatterns is the list already defined earlier in this file.
urlpatterns += [
    url(r'^favicon\.ico$', favicon, name='favicon'),
]
Category: tech, Tags: django
Comments: 0
@ wrote... (1 year, 1 month ago)

I just installed pfSense 2.4.4 on an NVMe drive over IPMI with a (very important!) UEFI CD-ROM drive.

I can also verify that trying to do this with pfSense 2.3 leads to tears and sadness.

Category: tech, Tags: pfsense
Comments: 0
@ wrote... (1 year, 1 month ago)

Prometheus is really good at pulling metrics, but it needs help if you want to test whether a given host is up with a simple ping.

In this post I'll show you my config that gets a list of hosts from consul (plus some static hosts) and then pings them to monitor whether they're up or not.

If a host goes down, fire an alert.

more…

Category: tech, Tags: consul, hashistack, prometheus
Comments: 0
@ wrote... (1 year, 2 months ago)

I thought I learned my lesson years ago, but good lord did I overpack for this trip. I think because I was going on a “working vacation” I tricked myself into bringing too many what-ifs and nice-to-haves.

So here's what I brought with a secondary column for should-have-brought.

more…

Category: life, Tags: packing
Comments: 0
@ wrote... (1 year, 7 months ago)

I'm just standing up a full “Hashi Stack” with Consul, Nomad, and Vault so likely lots of future posts.

One part that should have been simple but took lots of trial and error was getting authentication to work to our FreeIPA installation.

Here are the steps required (assumes vault and freeipa already installed and working)…

more…
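The same configuration driven through Vault's HTTP API, as an added example that is not the post's own steps (those are behind the "more…" link). It assumes the default FreeIPA directory layout (users under cn=users,cn=accounts,<base>, groups under cn=groups,cn=accounts,<base> whose member attribute holds full user DNs), a bind account created under cn=sysaccounts,cn=etc, and the Vault paths sys/auth/ldap, auth/ldap/config, auth/ldap/groups/<name> and auth/ldap/login/<user>. All host names, tokens and passwords are placeholders.

```python
"""Configure Vault's LDAP auth method against FreeIPA over the HTTP API (stdlib only).

Added example, not the post's own steps. Assumptions are marked in comments.
"""
import json
import urllib.request


def freeipa_base_dn(domain: str) -> str:
    """example.com -> dc=example,dc=com (FreeIPA's default base DN for a domain)."""
    return ",".join(f"dc={label}" for label in domain.split("."))


def freeipa_ldap_config(domain, ipa_host, bind_user, bind_password, ca_cert_pem=None):
    """Build the body for POST /v1/auth/ldap/config.

    FreeIPA keys users on uid under cn=users,cn=accounts,<base>; its groups live under
    cn=groups,cn=accounts,<base> and list full user DNs in `member`, so Vault's
    {{.UserDN}} template is the right thing to match on.
    """
    base = freeipa_base_dn(domain)
    config = {
        "url": f"ldaps://{ipa_host}",
        "userdn": f"cn=users,cn=accounts,{base}",
        "userattr": "uid",
        "groupdn": f"cn=groups,cn=accounts,{base}",
        "groupattr": "cn",
        "groupfilter": "(member={{.UserDN}})",
        # Assumption: a dedicated system account under cn=sysaccounts,cn=etc;
        # a plain user DN (uid=vault,cn=users,cn=accounts,<base>) also works.
        "binddn": f"uid={bind_user},cn=sysaccounts,cn=etc,{base}",
        "bindpass": bind_password,
        "insecure_tls": False,  # never skip verification; hand Vault the IPA CA instead
    }
    if ca_cert_pem:
        config["certificate"] = ca_cert_pem
    return config


class VaultClient:
    """Minimal write-only client for the Vault HTTP API."""

    def __init__(self, addr, token):
        self.addr = addr.rstrip("/")
        self.token = token

    def write(self, path, payload):
        req = urllib.request.Request(
            f"{self.addr}/v1/{path.lstrip('/')}",
            data=json.dumps(payload).encode(),
            headers={"X-Vault-Token": self.token, "Content-Type": "application/json"},
            method="POST",
        )
        with urllib.request.urlopen(req) as resp:
            body = resp.read()            # 204 No Content for most config writes
            return json.loads(body) if body else {}

    def setup_freeipa_auth(self, config, group_policies):
        """Enable the ldap method, configure it, and map IPA groups to Vault policies."""
        self.write("sys/auth/ldap", {"type": "ldap"})
        self.write("auth/ldap/config", config)
        for group, policies in group_policies.items():
            self.write(f"auth/ldap/groups/{group}", {"policies": ",".join(policies)})

    def login(self, username, password):
        """Return the client token Vault issues for an IPA user."""
        result = self.write(f"auth/ldap/login/{username}", {"password": password})
        return result["auth"]["client_token"]


if __name__ == "__main__":
    # Placeholder values; nothing is contacted unless you run this as a script.
    cfg = freeipa_ldap_config("example.com", "ipa.example.com", "vault", "bind-password")
    client = VaultClient("https://vault.example.com:8200", "s.root-token")
    client.setup_freeipa_auth(cfg, {"vault-admins": ["admin"], "developers": ["default", "dev"]})
    print(client.login("alice", "alice-password"))
```

Two things bite people here: `userattr` must be `uid` (FreeIPA does not use `cn` or `sAMAccountName` for logins), and the group mapping names in auth/ldap/groups/<name> must match the IPA group `cn` exactly, or users authenticate fine but land with only the default policy.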

Category: tech, Tags: hashistack, ldap, vault
Comments: 0
@ wrote... (1 year, 8 months ago)

I thought I understood async programming, as I'd written a few non-trivial apps in the past (using Boost ASIO).

Who has two thumbs and suffers from async programming Dunning-Kruger effect? This guy!

So here's the first of hopefully many recipes to make async programming under Python 3.6 a little easier.

more…

Category: tech, Tags: async, python
Comments: 0
@ wrote... (1 year, 8 months ago)

The curl man page isn't super clear on this, but to read the request body from stdin you give -d a file name of @-, i.e. prefix the dash with an @. One caveat: -d/--data strips carriage returns and newlines from anything it reads from a file (stdin included), so if the body has to arrive byte-for-byte, use --data-binary @- instead.

json_producer | curl -d @- -H 'Content-Type: application/json' http://example.com/json_consumer
Category: tech, Tags: linux, shell
Comments: 0
@ wrote... (1 year, 9 months ago)

You should always use the logging module instead of littering print statements all over your code. You will very quickly thank yourself for taking a bit of extra time.

Having said that, setting up logging is a bit of a pain so here's the pattern I use 90% of the time.

more…

Category: tech, Tags: python
Comments: 0
@ wrote... (1 year, 9 months ago)

Uploading to Minio (or S3) from a script is a bit tricky.

Update: now on GitHub with some Python versions.

#!/bin/bash
set -euo pipefail

# usage: ./minio-upload my-bucket my-file.zip
# Signs the request with AWS Signature V2 (HMAC-SHA1 over a "string to sign"), which Minio accepts.

bucket=$1
file=$2

host=minio.example.com
s3_key='secret key'        # access key id
s3_secret='secret token'   # secret access key: keep this file 0600, or read it from the environment

resource="/${bucket}/${file}"
content_type="application/octet-stream"
date=$(date -R)

# V2 string to sign: VERB, Content-MD5 (empty here), Content-Type, Date, CanonicalizedResource,
# joined by real newlines. Built with $'\n' so nothing in the file name gets escape-interpreted.
string_to_sign="PUT"$'\n\n'"${content_type}"$'\n'"${date}"$'\n'"${resource}"

# Everything is quoted so a key or date containing spaces survives. The secret still appears in
# openssl's argv (visible to `ps` on a shared host) for the duration of the call.
signature=$(printf '%s' "${string_to_sign}" | openssl sha1 -hmac "${s3_secret}" -binary | base64)

# --fail turns an HTTP error (403 on a bad signature, for example) into a non-zero exit.
# Use -v only while debugging: it prints the Authorization header to stderr.
curl --fail --silent --show-error -X PUT -T "${file}" \
          -H "Host: ${host}" \
          -H "Date: ${date}" \
          -H "Content-Type: ${content_type}" \
          -H "Authorization: AWS ${s3_key}:${signature}" \
          "https://${host}${resource}"
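The same Signature V2 computation in Python, as an added example that is neither the post's script nor the code on the author's GitHub. The host, bucket, key, credentials and payload are constructed placeholders. Beyond the shell version it adds the Content-MD5 header (which V2 covers, so a corrupted upload is rejected) and a `verify_v2` function showing the constant-time comparison the server does on its side.

```python
"""Sign and send an S3/Minio PUT with AWS Signature V2 (HMAC-SHA1), stdlib only.

Added example, not the post's script. All names and values are placeholders.
"""
import base64
import hashlib
import hmac
import urllib.request
from email.utils import formatdate
from urllib.parse import quote


def string_to_sign(method, resource, content_type="", content_md5="", date=""):
    """V2 string to sign: VERB, Content-MD5, Content-Type, Date, CanonicalizedResource.

    No x-amz-* headers are sent here, so the canonicalized-headers section is empty.
    """
    return f"{method}\n{content_md5}\n{content_type}\n{date}\n{resource}"


def sign_v2(secret_key, sts):
    """Base64(HMAC-SHA1(secret, string_to_sign)): what the shell script pipes through openssl."""
    mac = hmac.new(secret_key.encode(), sts.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def verify_v2(secret_key, sts, signature):
    """Server-side check: recompute and compare in constant time."""
    return hmac.compare_digest(sign_v2(secret_key, sts), signature)


def put_object_request(host, bucket, key, data, access_key, secret_key,
                       date=None, content_type="application/octet-stream", secure=True):
    """Build a signed PUT as a urllib Request; send it with urllib.request.urlopen()."""
    date = date or formatdate(usegmt=True)   # RFC 1123 date, what the Date header wants
    resource = f"/{bucket}/{quote(key)}"     # encoded path; must match the request line exactly
    content_md5 = base64.b64encode(hashlib.md5(data).digest()).decode()
    sts = string_to_sign("PUT", resource, content_type, content_md5, date)
    headers = {
        "Host": host,
        "Date": date,
        "Content-Type": content_type,
        "Content-MD5": content_md5,
        "Authorization": f"AWS {access_key}:{sign_v2(secret_key, sts)}",
    }
    scheme = "https" if secure else "http"   # V2 has no replay protection beyond Date; always use TLS
    return urllib.request.Request(f"{scheme}://{host}{resource}", data=data,
                                  headers=headers, method="PUT")


if __name__ == "__main__":
    req = put_object_request("minio.example.com", "my-bucket", "my-file.zip",
                             b"constructed payload", "AKIAEXAMPLE", "secret token")
    print(req.get_method(), req.full_url)
    print(req.get_header("Authorization"))
    # with urllib.request.urlopen(req) as resp:
    #     print(resp.status)
```

Note that V2 is the legacy scheme: Minio accepts it, but AWS regions opened since 2014 require Signature V4, so treat this as Minio-only unless you know your S3 endpoint still takes V2.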
Category: tech, Tags: linux, python, shell
Comments: 1