I’ll start with this: I am not a developer. I can script, and have been known to dabble in batch files, Pascal (remember that?), Visual Basic, VBS, PowerShell, C++, C# and Python, and using scripts I’ve been able to cobble up some amazing tools for myself and the teams I’ve worked in. I’ve even attached nice-looking GUIs to my PowerShell scripts at times with MahApps or the lesser-looking WinForms. These tools have only really been useful on the machine that’s been running them.
I want to talk today about EXIF data and just how much of a double-edged sword it can be depending on your use case. With today’s modern technology it seems that every picture you take wants to have its geolocation information added to it if it’s connected to a GPS somehow, and if your camera just happens to be a mobile phone then this might just be happening. Take the following picture I took as an example:
In the previous article I covered all the steps and code that were required so that I could add a contact form with a reCaptcha on this very blog. These are the actual implementation steps I took to include them. Don’t worry, the hard part has been done in part 1! Create contact form: using the client-side HTML code, I created the /content/contact.html file, ensuring that I included the correct API Gateway URLs for the POST requests and the reCaptcha site key.
“You need to add reCaptcha to your webforms” - it’s advice I’ve given out to security teams each time I see a malicious link or some spam pusher in the resulting email. It’s the poor user who cops the brunt of them, increasing the chance of a click, increasing that chance of compromise. Reading through form spam is just a waste of time for everyone. I recall an instance where an internal security team misconfigured a tool they were using, set it to run overnight, and that mailbox ended up with 35k+ emails in it.
In my last post, after updating the blog to use TLS 1.2 and adding a CAA record thinking I would clear an A+ rating, I only retained an A rating. In this post I continue the journey striving for that A+ rating. Enabling HSTS: it turns out that Mozilla Observatory has a test you can also run, one that looks to be way stricter, and they were not as impressed, giving my site an F rating with a score of zero!
When it comes to your website, what’s better than an A on your Qualys report? Why, it has to be that A+! It might not seem like a big deal, but I still wanted to max out my score where I could. Little did I know I was about to get an education in the process. The Qualys SSL Labs tester can be accessed via this URL: https://www.ssllabs.com/ssltest/analyze.html. My initial report came back as follows:
Last month in AWS saw me rack up a bill of US$0.86, and with the terrible US/AUD exchange rate I’m out of pocket a whole AUD$1.30. As I’m playing around with new technology and integrating various services that AWS provides, I touched a few services this month, and discovered I should probably decommission services I’m not actually using anymore. No surprise to me that I exceeded the free tier limits for S3.
This is a project that I have wanted to get working for some time now, but every time I tried it, it failed on me. There was always some dependency error or some random obscure error. I’ve used url2png.com in the past to capture screenshots of malicious and unknown websites, and while I have scripts that replicate this functionality via PowerShell, I’m not comfortable running that script on a production machine at work.
In this post I want to talk about how easy Hugo Shortcodes are to use, and I’m totally kicking myself for not trying them out sooner! I have a number of blog posts that have turned into a blog series and I wanted to have some kind of Table of Contents or reference in them, and doing this manually each time, for every post, just wasn’t sustainable. If I wanted to make a minor change, then every post would need updating, and there would be all this extra markdown in the post.
Time poor. Always time poor. If there’s any way I can achieve two things at the same time, then I’m going to take that option. Call it doing more with less if you will. Listening to a podcast or watching some training videos while exercising on a treadmill meets this need for me. There is only one problem with that: I have a monitor mounted on the wall above my treadmill, and my computer is too far away to connect into it.
Warning - Dragons ahead. The following post is for educational purposes only. The LaZagne project is a Python-based tool that will attempt to extract username and password details from various applications on your Windows, Linux and Mac systems. As such, it would be considered a hacking tool. Portions of this tool have been adapted for use in the Qealler malware. I decided that I’d run up a test Windows virtual machine to run this against, but can confirm that the tool works equally well on Linux.
I’ve been listening to some podcasts of late… 1200 hours in fact. 50 days’ worth of pods back to back. Well, that’s probably been over the course of a few years, but you get the drift. I’ll listen to them on my travels to and from work, sometimes when I’m out walking and other times when I’m having a relax on the couch. My lineup is so full that I listen at chipmunk speed (1.