Posts

Showing posts from 2018

Profitable SaaS Ideas

The way to get profitable startup idea is not to try to think of startup ideas (including SaaS development). It's to look for problems, preferably problems you have yourself.

In fact, for many entrepreneurs, successful business ideas start out as solutions designed to address a challenge they face personally. Solving the problem that frustrates you may be one of the best ways of finding an idea for your startup. Look at these software developers who turned their problem into success.


REFERENCE : TOP SOFTWARE DEVELOPERS SHARED HOW THEY CAME UP WITH PROFITABLE SAAS IDEAS , https://belitsoft.com/php-development-services/saas-ideas-startups

Install fortune & cowsay to give some life to your terminal

I have tested on Centos 7

yum install cowsay.noarch

yum install fortune-mod.x86_64

[root@localhost ~]# vim .bash_profile
Add the following line
fortune | cowsay


Let's try it.


[vicky@localhost ~]$ su - Password: Last login: Fri Aug  3 18:21:46 MUT 2018 on pts/2  ____________________________________ / Be consistent.                     \ |                                    | \ -- Larry Wall in the perl man page /  ------------------------------------         \   ^__^          \  (oo)\_______             (__)\       )\/\                 ||----w |                 ||     || [root@localhost ~]#

You can't add both CNAME and TXT to the same subdomain

I was a bit surprised to learn about this while processing the request of a customer.

Here is the reason why

"If a CNAME RR is present at a node, no other data should be present; this ensures that the data for a canonical name and its aliases cannot be different. This rule also insures that a cached CNAME can be used without checking with an authoritative server for other RR types."


REFERENCES 

https://stackoverflow.com/questions/34613083/cname-and-txt-record-for-same-subdomain-not-workinghttps://tools.ietf.org/html/rfc1034

Deploy your own mail hosting with Mail-in-a-Box

Mail-in-a-Box lets you become your own mail service provider in a few easy steps. It’s sort of like making your own gmail, but one you control from top to bottom. Technically, Mail-in-a-Box turns a fresh cloud computer into a working mail server. But you don’t need to be a technology expert to set it up. The box also includes: automatic DNS configuration, spam filtering,greylisting, backups to Amazon S3, static website hosting, and free TLS (SSL) certificates from Let’s Encrypt.
Your box can host mail for multiple users and multiple domain names. It implements modern mail protocols (SPFDKIM, and DMARC) and the latest security best practices, including opportunistic TLS, strong ciphers, and HSTS. When enabled, DNSSEC (with DANE TLSA) provides a higher level of protection against active attacks. Exchange ActiveSync is also available as a beta feature. It has web based interface for administration and features RoundCube webmail as client. Really swiit 😊
Check it out !!
Official Website …

What is SELinux

SELinux is a security enhancement to Linux which allows users and administrators more control over access control. Access can be constrained on such variables as which users and applications can access which resources. These resources may take the form of files. Standard Linux access controls, such as file modes (-rwxr-xr-x) are modifiable by the user and the applications which the user runs. Conversely, SELinux access controls are determined by a policy loaded on the system which may not be changed by careless users or misbehaving applications. SELinux also adds finer granularity to access controls. Instead of only being able to specify who can read, write or execute a file, for example, SELinux lets you specify who can unlink, append only, move a file and so on. SELinux allows you to specifby access to many resources other than files as well, such as network resources and interprocess communication (IPC).
Reference: https://selinuxproject.org/page/Main_Page

LINUX - How do I change swap partition

On the fly:

sudo swapoff /dev/hda3
sudo mkswap /dev/hda4
sudo swapon /dev/hda4


For bootime : 
after you have run the mkswap, edit the /etc/fstab file and the change the /dev/hda3 line accordingly.


SOURCE : https://serverfault.com/questions/17718/how-do-i-change-swap-partition-in-linux

Side-channel attack

Image
In computer security, a side-channel attack is any attack based on information gained from the implementation of a computer system, rather than weaknesses in the implemented algorithm itself (e.g. cryptanalysis and software bugs). Timing information, power consumption, electromagnetic leaks or even sound can provide an extra source of information, which can be exploited.

An attempt to decode RSA ... Key bits using power analysis. The left peak represents the CPU power variations during the step of the algorithmwithout multiplication, the right (broader) peak – step with multiplication, allowing an attacker to read bits 0, 1.

Side-channel attack. (2018, April 27). Retrieved from https://en.m.wikipedia.org/wiki/Side-channel_attack

Public Key Certificates

A public key certificate provides a safe way for an entity to pass on its public key to be used in asymmetric cryptography. The public key certificate avoids the following situation: if Charlie creates his own public key and private key, he can claim that he is Alice and send his public key to Bob. Bob will be able to communicate with Charlie, but Bob will think that he is sending his data to Alice. A public key certificate can be thought of as the digital equivalent of a passport. It is issued by a trusted organization and provides identification for the bearer. A trusted organization that issues public key certificates is known as a certificate authority (CA). The CA can be likened to a notary public. To obtain a certificate from a CA, one must provide proof of identity. When the CA is confident that the applicant represents the organization it says it represents, the CA signs the certificate attesting to the validity of the information contained within the certificate. A public ke…

Raid 5, Raid 1+0 & Raid 0+1

RAID 5
The minimum number of disks in a RAID 5 set is three (two for data and one for parity). The maximum number of drives in a RAID 5 set is in theory unlimited, although your storage array is likely to have built-in limits. However, RAID 5 only protects against a single drive failure.

Cited From : http://www.computerweekly.com/answer/RAID-5-recovery-What-is-the-maximum-number-of-physical-drives-in-a-RAID-5-configuration



RAID 0+1  vs  RAID 1+0

Got a bit of difficulty of understanding and interpreting this ?

Start with the last number it will be easier

RAID 0+1  : Mirror of Stripes (Raid 0)

RAID 0+1 means arrays implemented as RAID 1, whose elements are RAID 0 arrays.


RAID 1+0  : Stripes of Mirrors (Raid 1)

A RAID 1+0 array is implemented as RAID 0, whose elements are RAID 1

You can read more on this here : http://blog.open-e.com/what-are-raid-1-raid-10-and-raid-01/

General Data Protection Regulation (GDPR) requirements, deadlines and facts

Following article cited from www.csoonline.com website

What is the GDPR? GDPR is a regulation that requires businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states. The European Parliament adopted the GDPR in April 2016, replacing an outdated data protection directive from 1995. The GDPR also regulates the exportation of personal data outside the EU.
And non-compliance could cost companies dearly.
Companies that collect data on citizens in European Union (EU) countries will need to comply with strict new rules around protecting customer data by May 25. The General Data Protection Regulation (GDPR) is expected to set a new standard for consumer rights regarding their data, but companies will be challenged as they put systems and processes in place to comply.
The GDPR leaves much to interpretation. It says that companies must provide a “reasonable” level of protection for personal data, for example, but does not define what const…

MySQL - Detect "Too many connections" error and show alternate web page

If you get a Too many connections error when you try to connect to the mysqld server, this means that all available connections are in use by other clients. The number of connections permitted is controlled by the max_connections system variable. The default value is 151 to improve performance when MySQL is used with the Apache Web server. (Previously, the default was 100.) If you need to support more connections, you should set a larger value for this variable.
Solution provided by user Rob Williams:
<?php
$link = mysql_connect("localhost", "mysql_user", "mysql_password");
if (mysql_errno() == 1203) {
// 1203 == ER_TOO_MANY_USER_CONNECTIONS (mysqld_error.h)
header("Location: http://your.site.com/alternate_page.php");
  exit;
}?>
REFERENCE : https://dev.mysql.com/doc/refman/5.5/en/too-many-connections.html

How security audits, vulnerability assessments and penetration tests differ

security audits vs vulnerability assessments vs penetration tests
vulnerability assessment
A vulnerability assessment is a practice used to identify all potential vulnerabilities that could be exploited in an environment. The assessment can be used to evaluate physical security, personnel (testing through social engineeringand such), or system and network security. Most commercial organizations just want their systems and networks assessed. This means an individual or team runs a scanning tool (Internet System Scanner, Heat, Nessus, etc.). These tools identify running services that typically have vulnerabilities that can be exploited, operating system and application identified vulnerabilities, missingpatchesand hotfixes. The result, depending upon the product, is a long list of every computer system by IP address and their associated vulnerabilities and steps on how to "fix" the vulnerabilities. However, just because something is identified as a vulnerability, does not neces…

WEB APPLICATION PENETRATION TESTING

The following is an extract from veracode official website.

When searching for vulnerabilities in websites and web apps, manual web application penetration testing is essential. Automated penetration testing tools simply can’t find every flaw – sometimes, it takes the skill and insight of the manual tester to identify complex authorization issues or business logic flaws. Manual web application penetration testing is most effective and cost-efficient when combined with other scanning technologies. Manual testing on its own can be quite expensive and time-consuming, taking weeks to perform a full penetration test. That’s why, when choosing technologies that can deliver state-of-the-art application security, more leading companies today turn to web app penetration testing solutions from Veracode. With a full complement of testing solutions built on a leading application security platform, Veracode helps organizations to better protect the software that drives business results.
Without be…

AWS - Security and Compliance - shared responsibility model

Image
Overview Security and Compliance is a shared responsibility between AWS and the customer. This shared model can help relieve customer’s operational burden as AWS operates, manages and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates. The customer assumes responsibility and management of the guest operating system (including updates and security patches), other associated application software as well as the configuration of the AWS provided security group firewall. Customers should carefully consider the services they choose as their responsibilities vary depending on the services used, the integration of those services into their IT environment, and applicable laws and regulations. The nature of this shared responsibility also provides the flexibility and customer control that permits the deployment. As shown in the chart below, this differentiation of responsibility is common…

The Five Universal Laws of Cybersecurity Everyone Should Know

Nick Espinosa, cybersecurity expert at Forbes, created 5 crucial laws that "will forever be the immutable universal constants that govern this topic and our existence in relation to it."

Law No. 1: If There Is A Vulnerability, It Will Be Exploited From sneaking your way out of a tollbooth for free to derailing a nuclear weapon program, finding ways around everything for (for both good and bad) is so ubiquitous today we've have a term for it, life-hacking. Always consider there will always be those people who will try and hack everything. Law No. 2: Everything Is Vulnerable In Some Way We've always assumed our computers are essentially safe and harmless. At the beginning of 2018, it was revealed that for decades these workhorses have been carrying a massive vulnerability that could allow malicious hackers to wreak havoc on all of us. Law No. 3: Humans Trust Even When They Shouldn't Trust is an essential part of the human existence, but it is our greatest weakness in …

The Perl Philosophy

There's more than one way to do it.
Three virtues of a programmerLazinessImpatienceHubris
Share and Enjoy !

How is Docker different from a normal virtual machine?

Image
Docker isn't a virtualization methodology. It relies on other tools that actually implement container-based virtualization or operating system level virtualization.For that, Docker was initially using LXC driver, then moved to libcontainer which is now renamed as runc. Docker primarily focuses on automating the deployment of applications inside application containers. Application containers are designed to package and run a single service, whereas system containers are designed to run multiple processes, like virtual machines. So, Docker is considered as a container management or application deployment tool on containerized systems.

In order to know how it is different from other virtualizations, let's go through virtualization and its types. Then, it would be easier to understand what's the difference there.

Virtualization

In its conceived form, it was considered a method of logically dividing mainframes to allow multiple applications to run simultaneously. However, the sc…

Security is a Process, not a Product

Image

The Process of Security by Bruce Schneier

https://www.schneier.com/essays/archives/2000/04/the_process_of_secur.html

SIEM - Activating Defense through Response by Ankur Vats

https://fr.slideshare.net/OWASPdelhi/siem-slide?next_slideshow=1

Application Level Denial of Service – A Comprehensive Guide

Denial of Service attacks that bring down popular websites often involve thousands of hacked consumer devices and servers. While these attacks mainly aim to overwhelm the target system with traffic, in order to deny service to legitimate users, bugs at the Application Layer (Layer 7 in the OSI model) can have the same effect. Application Level Denial of Service (L7 DoS) errors are often tough to identify and sometimes even tougher to prevent. This guide aims to highlight the different techniques that will help you find out what to look for and where DoS conditions may occur.Table of ContentRandom Access Memory (RAM)RecursionRecursive File InclusionZip BombsBillion Laughs AttackTricking an Application Into Allocating a Huge Amount of MemoryDeserialization VulnerabilitiesManipulating File Headers to Allocate Large Memory ChunksOtherReading Infinite Data Streams <