Fixing Encoding Issues In jQuery Fullcalendar.js Event URL


The Encoding Issue

I was using PHP to run json_encode on an array to feed to Fullcalendar.js. This worked flawlessly, until I realized one of the attributes, url, was encoded wrong. It was rendering a WP Admin URL with an HTML-entity-encoded ampersand (&amp;) instead of a literal &.

The Fix

There is a callback in the plugin called eventRender, which fires as each event is rendered. To fix the encoding, we can do the following:

This trick grabs the existing href, fixes the URL with replace, and sets the element's href to the corrected value. Note that this is a client-side patch over a server-side cause: the URL was HTML-escaped for display before it was placed into the array that json_encode serialises. Building the array from the unescaped URL removes the need for the callback, and decoding entities in JavaScript will also undo any ampersand that was legitimately encoded.

Enjoy.

Autorun for PHP – The PHP Developer's Assistant


Autorun for PHP

Here is a quick Python script that listens recursively for file modifications. When a change is detected, the file you specified is executed. The purpose was to alleviate the headache of programming PHP and having to switch contexts between a terminal and your editor to run your code.

Usage:

Here are some quick steps to use Autorun. You must have git installed and a Python runtime.

Setup the daemon:

Run the daemon:

<file> should be the PHP file you wish to execute, such as index.php or a bootstrap file.

If you omit <path>, the current directory (.) is used. Otherwise it listens recursively for file changes in the path you supply.
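As an added example (not the Autorun project's own code, whose source is on GitHub), here is a minimal standard-library version of the idea: poll the tree for modification-time changes and re-run the target script when anything changes. It assumes a php binary on PATH and watches only .php/.phtml files; the script is passed as an argv list rather than through a shell, so an unusual filename cannot turn into a command.

```python
"""Added example: a polling file watcher that re-runs a PHP entry point
whenever a PHP source under a directory tree is added, removed or modified.
Standard library only; the php binary and the .php/.phtml filter are assumptions."""
import os
import subprocess
import sys
import time

WATCH_SUFFIXES = (".php", ".phtml")       # assumption: only PHP sources trigger a run
SKIP_DIRS = {".git", "vendor", "node_modules"}  # noise, and nothing we want to execute


def snapshot(root):
    """Map every watched file under root to its last-modified time in nanoseconds."""
    state = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            if name.endswith(WATCH_SUFFIXES):
                path = os.path.join(dirpath, name)
                try:
                    state[path] = os.stat(path).st_mtime_ns
                except FileNotFoundError:
                    pass  # file vanished between the walk and the stat
    return state


def changed_paths(before, after):
    """Files added, removed or modified between two snapshots, sorted for stable output."""
    return sorted(p for p in set(before) | set(after) if before.get(p) != after.get(p))


def run_php(script, php="php"):
    """Execute the target with the PHP CLI. No shell is involved, so the script
    name is never parsed for metacharacters; returns the exit status."""
    return subprocess.run([php, script]).returncode


def watch(root, script, interval=0.5, runner=run_php, max_iterations=None):
    """Poll root every `interval` seconds; call runner(script) after any change.
    max_iterations bounds the loop so the function can be exercised in tests."""
    before = snapshot(root)
    iterations = 0
    while max_iterations is None or iterations < max_iterations:
        time.sleep(interval)
        after = snapshot(root)
        diff = changed_paths(before, after)
        if diff:
            print("changed: " + ", ".join(diff), file=sys.stderr)
            runner(script)
        before = after
        iterations += 1


if __name__ == "__main__":
    # usage: python autorun_example.py <file> [<path>]
    target = sys.argv[1]
    watch(sys.argv[2] if len(sys.argv) > 2 else ".", target)
```

Polling is deliberately simple; inotify or a library such as watchdog scales better on large trees. Whatever triggers the run, remember that the daemon executes the named file on every save, so only point it at a tree you control.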

Example:

You can find the whole package on GitHub.

Enjoy.

Protecting WordPress Plugins with nonce


Cross Site Request Forgeries

A Cross-Site Request Forgery (CSRF) is an attack in which a site the victim is logged into receives a request the victim never intended to make. The attacker lures the user, via a link, an image tag or an auto-submitting form on a page they control, into sending a request to the trusted site; the browser attaches the user's cookies automatically, so the action runs with the victim's privileges. If you take a look at the OWASP (Open Web Application Security Project) page on CSRF, they give some good examples of the forms it takes.

In WordPress land, CSRF can let an attacker hijack plugin actions that lack protection: delete all posts, add a new user, change settings, and other dangerous things, all with the privileges of whichever logged-in administrator is tricked into triggering the request.

Protecting Yourself

A CSRF token is an unpredictable value, bound to the current user and ideally to a specific action, that is sent along with the request. An attacker's page cannot read it, because the same-origin policy keeps it out of reach, so a forged request will not carry a valid token. When the request reaches the server, the token is validated before the action runs. If validation fails, you can display a message or log the details for later research.

For a long time, WordPress was known as a hacker's playground and was a running joke in the security community. Luckily, that is turning around, and core now supplies helper functions in the wp_*_nonce family (wp_create_nonce, wp_nonce_field, wp_verify_nonce, plus check_admin_referer and check_ajax_referer) that create and validate nonces, WordPress's name for CSRF tokens. Despite the name, a WordPress nonce is not single-use: it is derived from the action, the user and the current time window, and stays valid for up to 24 hours by default. It also proves only that the request came from a page you rendered for that user, so you still have to check the user's capability (current_user_can) before performing the action.

Using nonce in WordPress

As we explained earlier, there are two steps to using a CSRF token: creation and verification. Once you create the token, you add it to your form, most commonly as a hidden input inside <form></form> (wp_nonce_field does exactly this). The token is then submitted with your POST request.

Inside your POST action target, check that the nonce was supplied and is valid before doing anything else, then check the capability:
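To make the two halves concrete, here is an added example, written in Python rather than PHP and not WordPress code, that models the WordPress nonce scheme: the token is a truncated keyed hash over the current time window, the action, the user id and the session, and verification accepts the current window (returning 1) or the previous one (returning 2), exactly the values wp_verify_nonce returns. HMAC-SHA256 stands in for wp_hash(), and the form and user record shapes in the handler are assumptions.

```python
"""Added example, not WordPress code: a Python model of the WordPress nonce
scheme (wp_create_nonce / wp_verify_nonce) and a POST handler that checks
the token first and the user's capability second."""
import hashlib
import hmac
import html
import math
import time

NONCE_LIFE = 24 * 60 * 60  # WordPress default lifetime: one day, split into two ticks


def nonce_tick(now, life=NONCE_LIFE):
    """Index of the current half-life window; a token is good for this tick and the next."""
    return math.ceil(now / (life / 2))


def _nonce_for_tick(secret, tick, action, user_id, session_token):
    # The token binds the time window, the action, the user and their session,
    # so a token captured for one action or user is useless for any other.
    message = f"{tick}|{action}|{user_id}|{session_token}".encode()
    digest = hmac.new(secret, message, hashlib.sha256).hexdigest()
    return digest[-12:-2]  # WordPress keeps ten hex characters of its hash


def create_nonce(secret, action, user_id, session_token, now=None):
    now = time.time() if now is None else now
    return _nonce_for_tick(secret, nonce_tick(now), action, user_id, session_token)


def verify_nonce(secret, nonce, action, user_id, session_token, now=None):
    """1 if the token belongs to the current tick, 2 if to the previous tick,
    0 if it is missing or invalid. The comparison is constant-time."""
    if not isinstance(nonce, str) or not nonce or not nonce.isascii():
        return 0
    now = time.time() if now is None else now
    tick = nonce_tick(now)
    for age, candidate in ((1, tick), (2, tick - 1)):
        expected = _nonce_for_tick(secret, candidate, action, user_id, session_token)
        if hmac.compare_digest(expected, nonce):
            return age
    return 0


def nonce_field(secret, action, user_id, session_token, name="_wpnonce", now=None):
    """Hidden form input, the equivalent of wp_nonce_field(); attribute values are escaped."""
    value = create_nonce(secret, action, user_id, session_token, now)
    return f'<input type="hidden" name="{html.escape(name)}" value="{html.escape(value)}">'


def handle_delete_post(form, user, secret, now=None):
    """POST target. `form` is the parsed body and `user` the authenticated user
    (id, session, caps); both shapes are assumptions of this example.
    Reject forgeries first, then enforce authorisation: the nonce alone never
    proves the user is allowed to do what they are asking."""
    token = form.get("_wpnonce")
    if not verify_nonce(secret, token, "delete_post", user["id"], user["session"], now):
        return 403, "nonce check failed"
    if "delete_posts" not in user["caps"]:
        return 403, "insufficient capability"
    return 200, f"post {form.get('post_id')} deleted"
```

The secret must be a long random value kept out of the codebase (WordPress reads NONCE_KEY and NONCE_SALT from wp-config.php). Binding the session token means a nonce dies with the login it was issued under, and the two-tick window is why WordPress nonces are time-limited rather than one-shot.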

Enjoy.

Creating a Responsive Shell


Responsive Shell, Oh My!

One of the biggest web trends over the past three years has been responsive design, where the width of your device dictates the layout of your website. This lets you support one design and have it adapt dynamically from mobile devices to tablets to full-blown desktop browsers.

Well, what about terminal shells? I spend most of my day in a shell, and with a tool like Spectacle the width of my terminal changes every few minutes. I thought about how I could take the idea of responsive web design and apply it to my terminal.

For the interested, you can check out my .dotfiles.

Where To Start

We're going to do this quickly and efficiently using tput. It would be possible without tput, which became public domain back in 1986, but you would not get cross-environment support: tput consults the terminfo entry for your TERM, so it lets you query and change terminal capabilities without hard-coding escape sequences. If your environment doesn't support it, you are seriously in need of a new box.

The command we are specifically interested in is tput cols, which returns the width in columns of the current terminal window. Using the response, we can build our PS1 differently for different widths.

Example

Below, we take the ideas from above and put some bash around it:

Making It Responsive

Just detecting the width does not make it responsive. What responsive really means is that when you change the window size, the prompt adjusts automatically. With just the code above, you would have to reload bash or source your .bashrc/.bash_profile to pick up the change, which would be annoying. So how do we fix this?

We can use the PROMPT_COMMAND shell variable, whose contents bash runs just before it draws each primary prompt, to attach a function to the prompt. How would one do this, you may ask?

What this does is execute the prompt() function every time you enter a command, since bash evaluates PROMPT_COMMAND before displaying each new prompt, so the width is re-read after every window resize.

Gotchas

One of the biggest gotchas with this method is that scp, sftp and non-interactive ssh (ssh host command) do not start an interactive shell. No tty is allocated and TERM is usually unset, so tput cannot find a terminfo entry and errors out. Worse, anything your .bashrc prints in that situation can break scp and sftp, which expect a clean channel.

To get around this, check that a tty exists before calling tput, using:

Enjoy.

Quickest Way To Query Mac Serial Numbers


Too Long; Didn't Read

The quickest way to query OS X for a hardware serial number:

Querying Serial Numbers

I have been working on a project called Titan, a hardening solution for Mac OS X written in Python. It is based on MIDAS and Tripyarn, which were graciously given to the open-source community by the security teams at Etsy and Facebook.

One of the best identifiers to use in Titan is the hardware serial number. It is printed next to the copyright notice on the underside of most Apple devices. Luckily, we can also query it with some awesome CLI commands.

One of the things I love about Apple (but don't call me a fanboy) is their dedication to developers. They have given us many commands, which I won't get into in this post; instead I'll just show you the quickest way to query the serial number of your Mac.

She’s Going For Distance

The first way to grab the serial number from the CLI is the system_profiler command. System Profiler collects stats from different data classes on your Mac and organizes them for you; you can even export them as XML. I suspect this is the source ohai and facter use to generate their OS X facts.

The Serial Number is located inside of the SPHardwareDataType:

We are going to be extracting the line Serial Number (system). To do this with bash, use:

If we prefix this with time, we can benchmark how long the command takes to run:

He’s Going For Speed

The next command is ioreg. This thing is a beast. I haven't messed around with it much, but it has been useful for mining data off our devices. You can also restrict the query to one class of the I/O Registry to cut down the output, so ioreg -c IOPlatformExpertDevice narrows it to the platform expert device, which is where the IOPlatformSerialNumber property lives.

To extract the serial number, you can use some command line foo and execute:

Now, let’s measure the performance like we did with the system_profiler command:

This is a HUGE performance increase!

Optimize This More!

Guess what? We can! By limiting how much of the registry ioreg prints, we can squeeze even more sub-second time out of this command:

If you look, we are down to tenths of a second to query the serial number. Now that is a fast way to pull it!

Update: 2014/06/13

Some people posted that there is a difference in the serial number output: the ioreg command wraps the value in double quotes. They were right. To trim them, pipe through sed -e s/\"//g. And guess what, it is still the fastest.

One-Liner: Using Non Antialiased Fonts In Sublime Text


Sublime Text Antialiasing

I use vim for most of my editing needs. Once in a while, when I need a GUI editor, I use Sublime Text 3. One of the things that bothers me most about Sublime Text compared to vim is the antialiasing of fonts: they look clunky and bulky.

If you want to disable Antialiasing for Sublime Text 2/3 fonts, add the following to your Settings - User preferences file.

Barnyard2 MySQL Alert View for Snort


Barnyard2 Alert View for Snort

I've been working on a Snort project recently and started logging alerts to a MySQL database. The Barnyard2 MySQL schema is great and effective, but since I don't have time in my sprints to rewrite the tool in a way that works best for me, I tossed together a quick view. This way a simple Sinatra Ruby app can use ActiveRecord to pull the data with a single query rather than a million joins in your app's source code:

The SQL

Because I only wanted one query for both TCP and UDP/other, I LEFT JOIN both protocol tables and output the TCP columns when the alert is TCP, else NULL. Some of the columns may not be the best named; that's the downside of rapid development.

You also get a sensor_encoding column, which tells you how to decode the payload column. Leave the payload out of the query when you don't need it, to speed it up, especially if you are pushing as many packets as we are.

Enjoy.

STOW: #1 – Password Management


Security Tip of the Week

In recent weeks, the web has been under immense scrutiny after several large companies experienced security incidents in which usernames and passwords were compromised. One of the only benefits is the resulting conversation about reviewing password strength policies and poor password practices. Below are a few good tips to help protect your accounts, along with some guidance on choosing a good password.

1. Size Does Matter

The Problem: There are 26 letters in the English alphabet, 52 if you count uppercase and lowercase. Add the 10 digits and you're at 62. Some simple math shows that a 4-character password drawn from that set has 62^4 = 14,776,336 possibilities, which would be exhausted in about 1.7 days at 100 guesses per second (if it's not already in a wordlist). Adding just one character, to 5, raises that to 62^5 = 916,132,832 combinations.

Suggestion: Give your password some Hi-T and extend it. The longer, the better.

2. Potty Mouth

The Problem: Adding obscenities like f*ck and sh!t to your password may seem like a good idea, but it's more outplayed than Lady Gaga. These phrases litter dictionaries and wordlists.

Suggestion: Put soap in your mouth and clean up your passwords. Creating a password on curse words will not make you cool or secure.


3. Love/Hate Relationship

The Problem: Some folks add part of the URL they are visiting to the password. Good idea? If you want to remember your password, maybe, but remember this helps attackers remember your password too. Want to take a guess at the number one password on LinkedIn after their accounts were breached? If you guessed link, you're absolutely correct!

Suggestion: Don't make this newbie mistake. Social engineering, guessing from what is known about you and the site, is one of the most common ways passwords are guessed and accounts hijacked.

4. Separation of Church and Site

The Problem: Many web users make references to religion to help remember passwords and to reinforce their faith. Unfortunately, this is a horrible idea. Hackers, crackers and attackers rely on exactly that and target keywords like jesus, bible, faith, god and more.

Suggestion: Make like R.E.M. and lose your religion from your password.

5. One Ah-ah-ah, Two ah-ah-ah…

The Problem: The most common password on the web after password is 123456. You might think from rule 1 that, being 6 characters long, it would take a bit longer to crack, right? WRONG! Incrementing letters and numbers, and even that fancy trick of walking along one keyboard row and back along another while holding shift, are less than a good idea: those sequences already sit in wordlists and in precomputed hash tables (rainbow tables), so they fall instantly.

Suggestion: If you are experiencing creative block coming up with a password, try thinking of a pattern, like playing a song on the piano. Example, Chopsticks could look like DJglZnXm.

6. Hello, My name is: _________

The Problem: If you don’t follow this rule, we need to stick a big FAIL stamp on your forehead. Never, EVER, use a name, birthday, social security number, address or any other personally identifiable information of yourself or a loved one. In most username and password compromises, personal information like addresses, emails, first name, last name, social security numbers and credit card information are also compromised. This is a HUGE problem if your password is based on one of those items.

Suggestion: Be creative. What was the name of your 2nd grade lunch aide? Use that instead. I doubt anyone else will know.

7. Honey, have you seen my password?

The Problem: Sharing passwords with partners and spouses may be cute, and sometimes necessary. Limit it as much as you can, because every additional place a password is used is additional attack surface. There will be far more nagging if your credit card details are stolen than if you decline to share a password.

Suggestion: Use a password manager to help organize your life. Dashlane, 1Password and LastPass are all highly recommended by multiple users.

8. What’s The Password?

The Problem: Password, passcode and passphrase have been used interchangeably for a long time, but some companies go out of their way to make sure each employee knows which one their system expects. Problem is, you let the attacker know too. Password implies alphabetic characters, passcode implies digits, and passphrase implies a group of words in sentence-like structure, and each hint shrinks the keyspace an attacker has to search. Your company should not be disclosing which type of credential is required; it should be educating employees on the application and the importance of security.

Suggestion: Don't give up that bit of obscurity when designing an application for the sake of simplifying things for end users. It is no substitute for length requirements and rate limiting, but there is no reason to hand it over, and users will be far more upset if their information is compromised than at having to remember the format of a password.


So, What is the ultimate password?

Passwords CAN be secure. It's just that we as a society have gotten into the habit of making things easy to remember in our hectic lives, and we sacrifice security for accessibility. Don't make this mistake. Ask yourself some random questions that are pertinent to YOUR life and no one else's, like these:

  • Do you have blue eyes?

  • Who makes your favorite pair of pants?

  • How many millimeters of tread are left on your tires?

  • What was your hourly or salary rate at the age of 19?

  • How long is your commute to school or work minus the age you had your first kiss?

I was surprised at how many other people were using the same password as me when I scanned a few dictionaries from other compromises like Netflix, Spotify, Facebook and Adobe. Mine was completely random, created by a password generator: 10 characters long, with alphanumeric characters, 3 special characters and a mix of upper and lower case. This worried me, a lot.

Suggestion: Mix things up. Take things that are relevant to your life and obfuscate them. That is, start with a base phrase and, instead of writing the number 1, write one. Instead of the letter o (oh), use a zero, 0. Swap lower-case L for i or 1, since many fonts render them the same. Bear in mind that these substitutions are standard mangling rules in cracking tools such as John the Ripper and hashcat, so the length and unpredictability of the base phrase do most of the work; the swaps are a garnish. Here are a few examples:

Before keywords:

After secure password:

Why is this password good?

That password is 19 characters long, with 95 possibilities (the printable ASCII set) for each character. That is 95^19, a total of 3.77353602535308e37 combinations to search. If you had a machine capable of 100,000 guesses a second, exhausting them would take 11,957,614,000,000,000,000,000,000 years. Keep in mind that 100,000 guesses per second is very slow for an offline attack: a single GPU tries billions of candidates per second against fast hashes like MD5 or SHA-1, and dictionary words with mangling rules are tried long before any exhaustive search, which is why both length and unpredictability matter.
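The arithmetic in rules 1 and 8 (62^4, 62^5 and 95^19, and the time to exhaust them at a given guess rate) generalises to any password, so here is an added example, not from the original post, that derives the alphabet size from the character classes a password actually uses and reports the search space, its size in bits and the time a full search would take. The guess rate is a parameter precisely so you can plug in a realistic offline rate. Characters outside printable ASCII (an emoji, say) are each counted as one extra symbol, a deliberately conservative assumption.

```python
"""Added example: keyspace and exhaustive-search time for a password,
based on the character classes it uses. The 100 guesses/s and
100,000 guesses/s figures from the post are just inputs here."""
import math
import string

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Four classes whose union is the 95 printable ASCII characters.
CHARACTER_CLASSES = (
    ("lower", frozenset(string.ascii_lowercase)),       # 26
    ("upper", frozenset(string.ascii_uppercase)),       # 26
    ("digit", frozenset(string.digits)),                # 10
    ("symbol", frozenset(string.punctuation + " ")),    # 33
)


def alphabet_size(password):
    """Size of the smallest class-based alphabet containing every character
    of the password. Characters in no class (non-ASCII) each add one."""
    size = 0
    covered = set()
    for _, chars in CHARACTER_CLASSES:
        if any(c in chars for c in password):
            size += len(chars)
            covered |= chars
    size += len({c for c in password if c not in covered})
    return size


def search_space(alphabet, length):
    """Number of candidates an attacker must try in the worst case."""
    return alphabet ** length


def seconds_to_exhaust(space, guesses_per_second):
    return space / guesses_per_second


def estimate(password, guesses_per_second):
    """Summary of how a brute-force attacker sees this password."""
    alphabet = alphabet_size(password)
    space = search_space(alphabet, len(password))
    seconds = seconds_to_exhaust(space, guesses_per_second)
    return {
        "length": len(password),
        "alphabet": alphabet,
        "space": space,
        "bits": math.log2(space),
        "seconds": seconds,
        "years": seconds / SECONDS_PER_YEAR,
    }


if __name__ == "__main__":
    # Constructed sample passwords; the rates are the post's 100/s and a GPU-class 1e10/s.
    for pw in ("abcd", "DJglZnXm", "Tr0ub4dor&3 0ne-Tw0"):
        for rate in (100, 10_000_000_000):
            e = estimate(pw, rate)
            print(f"{pw!r}: alphabet {e['alphabet']}, {e['bits']:.1f} bits, "
                  f"{e['years']:.3g} years at {rate:,} guesses/s")
```

Note what the estimate does not cover: it assumes the attacker has no better strategy than exhaustive search, which is exactly the assumption rules 2 through 6 warn against. A dictionary word with leet substitutions has a tiny effective keyspace no matter what alphabet_size reports.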

Be adventurous, toss an Emoji in there!

Just remember, don’t use the same password on more than 1 site.

Enjoy.

One-Liner: Get Processor Counts


Processor Counts

When you're writing configurations for services like PHP-FPM or nginx, you need to know how many processors are available. One example is the worker_processes setting in nginx.conf. Since you may not be deploying the same configuration on identical hardware, it is cumbersome to grab this information manually for each server, and more of a headache still if you manage your configs with Chef or Puppet.

The Command

Most Linux distributions expose a /proc/cpuinfo file with details on the available CPUs. Every logical processor (hyper-threads included) gets its own block that begins with a processor line, so we grep for those lines and count the matches. Note that this yields logical CPUs, not physical cores, and it ignores any affinity mask or cpuset applied to the service, which nproc does honour; anchor the pattern to the start of the line so a model name containing "processor" cannot inflate the count:

You can wrap this with $() to toss the result into a Bash variable for use in other scripts.
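For a configuration-management context, here is an added example (not from the original post) that does the same count in Python and goes a little further: it parses /proc/cpuinfo into one record per logical processor, collapses hyper-thread siblings into physical cores, and reports the CPUs the current process is actually allowed to use. The cpuinfo text is a constructed four-CPU, two-core sample; the field names are the ones Linux prints on x86.

```python
"""Added example: derive CPU counts for worker_processes-style settings.
SAMPLE_CPUINFO is a constructed excerpt (x86 field names): 4 logical CPUs
on one socket, 2 physical cores, hyper-threading enabled."""
import os

SAMPLE_CPUINFO = """\
processor\t: 0
model name\t: Example CPU @ 2.60GHz
physical id\t: 0
core id\t\t: 0
cpu cores\t: 2

processor\t: 1
model name\t: Example CPU @ 2.60GHz
physical id\t: 0
core id\t\t: 1
cpu cores\t: 2

processor\t: 2
model name\t: Example CPU @ 2.60GHz
physical id\t: 0
core id\t\t: 0
cpu cores\t: 2

processor\t: 3
model name\t: Example CPU @ 2.60GHz
physical id\t: 0
core id\t\t: 1
cpu cores\t: 2
"""


def parse_cpuinfo(text):
    """Split /proc/cpuinfo into one dict per blank-line-separated block and
    keep only blocks that describe a processor (some architectures append
    hardware/revision blocks that do not)."""
    blocks, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                blocks.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip()] = value.strip()
    if current:
        blocks.append(current)
    return [b for b in blocks if "processor" in b]


def logical_cpus(text):
    """Same answer as `grep -c ^processor /proc/cpuinfo`."""
    return len(parse_cpuinfo(text))


def physical_cores(text):
    """Distinct (physical id, core id) pairs; hyper-thread siblings collapse to one."""
    return len({(b.get("physical id"), b.get("core id")) for b in parse_cpuinfo(text)})


def usable_cpus():
    """CPUs this process may be scheduled on (taskset/cpuset aware, like nproc),
    falling back to the raw count where sched_getaffinity is unavailable."""
    if hasattr(os, "sched_getaffinity"):
        return len(os.sched_getaffinity(0))
    return os.cpu_count() or 1


if __name__ == "__main__":
    try:
        with open("/proc/cpuinfo") as fh:
            info = fh.read()
    except OSError:
        info = SAMPLE_CPUINFO  # not Linux: fall back to the constructed sample
    print("logical:", logical_cpus(info))
    print("physical:", physical_cores(info))
    print("usable:", usable_cpus())
```

For worker_processes the usable count is the one to template, since a service pinned to a cpuset in a container should not spawn a worker per host CPU.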

Output of /proc/cpuinfo for those curious: