Posts

CISSP: My Experience

I passed the CISSP exam on the first try at the 125th question, thanks to GOD. I'm relieved that I don't have to take this exam again. This is the most significant experience in my career; acquiring new knowledge in information security while studying for the exam was a wonderful journey.

(Image: https://commons.wikimedia.org/wiki/File:Certified_Information_Systems_Security_Professional_logo.png)

This is indeed the most satisfying personal achievement in my career; as a matter of fact I'm keener than ever before to springboard my career to new roles in cybersecurity.

Study resources I used

The CISSP community on Reddit is a gold mine for CISSP exam takers. I used the CISSP Official Study Guide (OSG, 8th edition) as a reference, but never read it cover to cover. Multiple videos from "Thor", "Certification destination", "Inside cloud and security" and many others. Boson CISSP: these practice exams go deeper into details (more technical), which may help to...

Lessons learned from The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage (No Spoiler)

This 1980s espionage story still draws the attention of modern cybersecurity professionals, and remains surprisingly relevant to today's world. The book is made up of many easy-to-read short to medium-sized chapters, and things start to get really thrilling around chapter 29 (I could be biased here!). Through my reading of this thriller, I have distilled a couple of interesting lessons that I felt I had to share. While the protagonist (the author himself) has hands-on experience with Linux and programming, he wasn't an IT specialist by profession, so you will come across some unusual naming, like "one-way trap-door software" to refer to the hashing algorithm used to store passwords on Unix systems. Being a non-fiction book, this is truly a reference for the history of technology. I learned that treating cancer tumors at the cellular level using atomic particles was already operational during the 80's, and the intercontinental fiber optic cable was also laid...

How remote working environment could hinder the quality of professional experience

I have always wanted to share an opinion regarding remote working, in contrast to being present in an office, working among peers. An overlooked aspect that a remote worker never benefits from is the instant feedback that corrects his knowledge or teaches him something new. In an office space there are few to no constraints on communicating with co-workers: you don't have to schedule or check for your peer's availability, he is just there in his cubicle or office. In a physical space, we have a wealth of opportunities where interactions between peers bring instant, just-in-time feedback grounded in career experience. These, however, are not achievable in a remote virtual work environment. The lack of immediate feedback results in a slowdown in experience development, or may bring about questionable qualities in terms of applied knowledge. As a matter of fact, the office environment remains the natural place for continued education in both technical and soft skills. Professionals don't ...

Don't update promptly

I was reading an article about cybersecurity strategy and how some principles could be brought to the table for a business to hold a stable cybersecurity posture, like having a global policy with all its procedures, guidelines and baselines, maintaining a disaster recovery plan for potential cybersecurity incidents, and adhering to renowned security frameworks and standards like NIST 800-53a and ISO 27001. In that article there was one principle mentioned, however, that doesn't sit well with best practice as far as my experience has taught me; that principle is "apply updates as soon as they are available... or... update promptly..". As a matter of fact, when we operate critical systems we are so cautious that when an update is available, we set a delay period to observe and inspect potential feedback, so that in case a reported bug or misconfiguration originated from the applied update, we would have kept our systems safe until a secure update has been released. A well respected busi...

"KoBoToolbox has not started yet. This is can be normal with low CPU/RAM computers."

When running KoBoToolbox on your own server, you will probably be shown the message above; however, the returned message doesn't always reflect the actual issue. I had tried multiple setups but was never able to get rid of this message, and KBT never started. KBT Docker containers communicate with each other using their hostnames, and if you are not using public DNS for Internet access, then you must be using a local server, in which case you have to map the containers' hostnames to the local IP address. This can be achieved by adding the following line to /etc/hosts:

127.0.0.1 hostname kc.hostname kf.hostname ee.hostname

where hostname could be 'kobo.local'. If you access KBT from another machine, then you must add the same line with the machine's IP address instead of the loop-back address.

Critical Data vs Sensitive Data

When classified data are disclosed or lost, an organization could experience tremendous unrest that impacts its business, such as a damaged reputation and loss of income. Classified data could be critical or sensitive to a business, but what is the difference between the two? Sensitive data are meant to be confidential. When sensitive data are disclosed, the competitive stance of the business could be weakened or brutally shattered. An organization could also be held liable for a data breach if it hasn't shown due care and due diligence in managing its security. Critical data are meant to ensure availability: when such data are lost, the service that relies on them will not be available, and in some cases a whole business could be impacted. Critical data can range from configuration files to a set of business data.

A quick reminder: Don't stress over both threat and vulnerability

Threat and vulnerability are two tightly coupled aspects. There is no point in focusing on a vulnerability if the threat doesn't exist; similarly, you can't stress over a threat if your asset is not concerned by the vulnerability (or weakness). The question one should ask is "What are the risks to my asset?", and to answer this we need to run a whole Business Impact Analysis (BIA), which involves qualitative and quantitative risk assessment. As a general equation:

Risk = Vulnerability x Threat

On the basis of the above equation, we can conclude that if an asset has a Vulnerability and that Vulnerability is exposed to a known Threat, then the asset is at Risk. Now that the two elements exist, you need to tackle just one of the two, not both, to eliminate the risk.

originally posted here

How to use a Python variable in an external Javascript (Django)

2025 Update: Check the security note below!

One way to use a Python variable in an external JavaScript file is to declare the JS variable in the HTML template through the context object, then use this variable from the external script:

<script type="text/javascript">
  // global set by the Django template; read by js_file.js below
  var js_var_from_dj = "{{ django_var }}";
</script>
<script src="{% static "js/js_file.js" %}" type="text/javascript"></script>

js_file.js:

function functionA() {
  // using the variable declared outside this js file
  var inner_js_var = js_var_from_dj;
}

What if, instead of using the HTML template to pass the Django context variable, we inject the variable directly into the external JavaScript code? This is actually possible; the trick here is to wrap the original JS file in a View, and use that view to render the JS file as a Django template. Our js_file becomes:

function functionA() {
  // using the Django context variable
  var inner_js_var = {{ django_var }}; ...

Experiencing the aftermath will make you tougher, wiser and ready

I was in charge of managing a dedicated server running Debian 7. The server hosted multiple websites with email service, and also multiple instances of a critical web application for a client who was running a business across different regions. That day was a very important day, as the client was expecting his own client to turn up. The client wanted to give a demo of the application and show how they manage some business processes. During that event, I got a phone call reporting that client users were not able to access the web application. I took the request as usual and started checking the filed issue; a few seconds later I got another call about other users not able to access their mailboxes, and it is then that I realized a very nasty thing was happening and I was in serious trouble. I quickly figured out that I had made the worst mistake ever! That day I was performing usual maintenance tasks on the server, freeing some disk space here and there. However, at some mom...

Biometrics can't be trusted for remote access

There is a general misconception that biometrics are inherently more secure than passwords when used for remote authentication; this is because of the way the industry markets fingerprint and face recognition for authentication. Biometrics that target the general public, like those integrated into smartphones and other devices, are meant to provide users with convenience, not improved security. After all, security is one thing and convenience is another. That being said, with all the advances they get, biometric sensors are still not infallible, as you can check in the video that shows how it is possible to fool Face ID on the iPhone X with a 3D-printed mask. While faking or cloning biometric characteristics is not an easy task, a strong password remains the most reliable medium for remote authentication; this is because some of the attack vectors that target biometric authentication systems are conducted through visually obtainable information, whereas a...