Cyber Security Challenge 2018

This weekend I drove a group of four students from Nelson, on the South Island, to the University of Waikato in Hamilton for the Cyber Security Challenge.

There was a range of speakers presenting topics from policy statements to something interesting, albeit a bit scary, called mouse-jacking, where an attacker can use keylogging to compromise and take over a system through a vulnerability in certain wireless mice on the network.

As more of our lives move online, security needs to be stepped up across the board. This conference encourages people towards that side of the industry and the competition was a blast.

I’ve just started CTF (Capture the Flag) challenges this year after being cajoled by some students. If you’re not familiar, the basic idea is that a vulnerability is created in a “walled garden” or “sandbox” environment. Your job is to find the vulnerability, which is accompanied by a digital flag in the form of a string of characters. Sometimes the flag is apparent and sometimes it needs to be decrypted. In either case, the first team to enter the correct flag into the scoring system gets X points depending on difficulty. It’s very competitive and very fun. Getting the flags is a gratifying experience for, I guess, a certain type of person.

Now our Nayland College team wants to create their own CTF challenge which will be a great learning experience for them. I also am keen to get involved and support them.

Flask “Micro-framework” and SQL Alchemy

I’ve not posted in a while, but I’ve still been busy. Lately I’ve been toying with the Flask framework. It claims to be a “micro-framework” that doesn’t prescribe too much and accommodates a more open-ended approach for developers. It does a bit of heavy lifting with routes and templating, but I haven’t faced a steep learning curve in terms of having to learn the “Flask way of doing things”. Compared to other widely used web dev frameworks like Ruby on Rails or Django, Flask is, at the moment, fairly straightforward to get your head around.

For example, it doesn’t force you to use abstracted data models. You are welcome to do that via extensions such as the awesome SQLAlchemy, but if you want to tie in directly to your database you can install a bit of middleware or, in the case of SQLite, just start writing CRUD methods with your own SQL. SQLAlchemy is well worth checking out, though, if you’re into freedom of choice and flexibility.
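As an added illustration of the “write your own SQL” route (example code, not from the post or from Flask), here is a small SQLite CRUD module of the kind a Flask view function would call. It uses only the standard library so it runs without Flask; the notes table and the sample rows are constructed for the example. The part worth studying is the last two functions: the same search written with string concatenation and with a bound parameter, which is what keeps user input from being interpreted as SQL.

```python
import sqlite3

# Demo table, constructed for this example.
SCHEMA = """
CREATE TABLE IF NOT EXISTS notes (
    id    INTEGER PRIMARY KEY AUTOINCREMENT,
    title TEXT NOT NULL,
    body  TEXT NOT NULL
)
"""


def connect(path=":memory:"):
    """Open the database and make sure the schema exists.

    In a Flask app this would hang off flask.g so each request reuses one
    connection; ":memory:" keeps the example self-contained.
    """
    conn = sqlite3.connect(path)
    conn.row_factory = sqlite3.Row
    conn.execute(SCHEMA)
    return conn


def create_note(conn, title, body):
    """INSERT with bound parameters; returns the new row id."""
    cur = conn.execute("INSERT INTO notes (title, body) VALUES (?, ?)", (title, body))
    conn.commit()
    return cur.lastrowid


def read_note(conn, note_id):
    """SELECT one row as a plain dict, or None when the id does not exist."""
    row = conn.execute("SELECT id, title, body FROM notes WHERE id = ?", (note_id,)).fetchone()
    return dict(row) if row else None


def update_note(conn, note_id, title, body):
    """UPDATE; returns the number of rows changed (0 or 1)."""
    cur = conn.execute("UPDATE notes SET title = ?, body = ? WHERE id = ?",
                       (title, body, note_id))
    conn.commit()
    return cur.rowcount


def delete_note(conn, note_id):
    """DELETE; returns the number of rows removed (0 or 1)."""
    cur = conn.execute("DELETE FROM notes WHERE id = ?", (note_id,))
    conn.commit()
    return cur.rowcount


def search_notes_unsafe(conn, term):
    """The pattern to avoid: the search term is pasted into the SQL text, so a
    term such as  x' OR 1=1 --  rewrites the WHERE clause and returns every row."""
    sql = "SELECT id FROM notes WHERE title LIKE '%" + term + "%'"
    return [r["id"] for r in conn.execute(sql)]


def search_notes(conn, term):
    """Same query with a bound parameter: the term is data and is only ever
    compared against titles, never parsed as SQL."""
    rows = conn.execute("SELECT id FROM notes WHERE title LIKE ?", ("%" + term + "%",))
    return [r["id"] for r in rows]


if __name__ == "__main__":
    db = connect()
    first = create_note(db, "shopping", "milk")
    create_note(db, "todo", "fix the cron job")
    print(read_note(db, first))
    print("unsafe:", search_notes_unsafe(db, "x' OR 1=1 --"))  # every row comes back
    print("safe:  ", search_notes(db, "x' OR 1=1 --"))         # no row matches
```

Every write commits before returning so a Flask handler can return the row count or id straight to the template; a real app would also wrap the connection in a request teardown so it is closed once per request.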


JS Vanilla Fetch API & Bulma CSS

Today I ran through a quick tutorial by Brad Traversy to explore some new JavaScript functionality that does something I could previously only do with libraries such as jQuery. We used the vanilla JS fetch method to request zip code information from a really easy to use open API called Zippopotam.us.

I also got some practice in with Emmet in Visual Studio Code which was a major speed enhancement. I need to explore this further as it made life so much easier creating a DOM and functionality.

Instead of using Bootstrap, we used Bulma CSS framework with Font Awesome for icons which was a breeze.

Go: The Language with the Best Mascot

I want to learn Go just because I like the mascot. How could anyone not respect this little guy? 😛

From Wikipedia:

Go originated as an experiment by Google engineers Robert Griesemer, Rob Pike, and Ken Thompson to design a new programming language that would resolve common criticisms of other languages while maintaining their positive characteristics. The developers envisaged the new language as:

Monitorix System Monitor

I’ve been managing a CentOS 7 server on a VPS since July. There’s an overwhelming amount of information and recommendation for how to configure a server out there. My build is based around Vesta CP and I’m pretty happy with it.

I have been running into issues with PHP7 and PHP5 processes maxing out the 8GB of available memory. To solve this problem, my first mission was to explore network monitoring solutions. There is a plethora of things on offer, but most were just overkill for my needs and very complex to set up. Fortunately I came across Monitorix, which was a simple install and configuration. It gives me all the visuals I need to make sure my VPS is running smoothly. Here’s a graph of my current memory usage over 24 hours.

It may look a bit odd because I run a cron job that kills all PHP7 and PHP5 processes every hour, as you can see in the peaks and valleys above.

mowDownHungryProcesses:

```bash
#!/bin/sh
killall php70-cgi
killall php-cgi
systemctl restart mariadb
```

This is clearly more of a workaround than a solution. To stop having to purge the PHP processes, I’d have to investigate all the memory leaks created by content management systems such as the WordPress install you’re looking at now. An old version of Drupal was the worst memory hog of all of them.

Because this is a low traffic server I can get away with kludges such as the one above. It’s not a long term solution, more of a band-aid, but it keeps my system from maxing out memory and using swap.
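The killall script above takes down every PHP worker whether it is misbehaving or not. As an added illustration (not from the post), here is a Python reaper that only terminates workers whose resident memory is above a threshold. It reads the same columns that `ps -eo pid,rss,comm` prints; the sample ps output, the 512 MB limit and the dry-run default are constructed for the example.

```python
import os
import signal
import subprocess

# Constructed sample of `ps -eo pid,rss,comm` output (RSS in kilobytes), standing in
# for what the VPS would show once a couple of PHP workers have bloated.
SAMPLE_PS = """\
  PID   RSS COMMAND
    1  6312 systemd
  812 42116 mariadbd
 1403 18020 php-cgi
 1404 987644 php-cgi
 1405 35104 php70-cgi
 1406 1510232 php70-cgi
 2210 12000 crond
"""

PHP_WORKERS = {"php-cgi", "php70-cgi"}   # the same names the cron script kills


def live_ps():
    """Real ps output in the same layout as SAMPLE_PS (Linux; not used by the demo)."""
    return subprocess.check_output(["ps", "-eo", "pid,rss,comm"], text=True)


def parse_ps(text):
    """Turn ps output into (pid, rss_kb, command) tuples, skipping the header line."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 2)
        if len(parts) == 3:
            rows.append((int(parts[0]), int(parts[1]), parts[2]))
    return rows


def select_hogs(rows, limit_mb, names=PHP_WORKERS):
    """PIDs of PHP workers whose resident memory exceeds limit_mb; other daemons
    such as mariadbd are never candidates, however large they get."""
    limit_kb = limit_mb * 1024
    return [pid for pid, rss, comm in rows if comm in names and rss > limit_kb]


def reap(pids, dry_run=True):
    """Send SIGTERM to the selected workers; with dry_run the list is only reported.
    Returns the pids acted on (a worker that already exited is skipped)."""
    terminated = []
    for pid in pids:
        if not dry_run:
            try:
                os.kill(pid, signal.SIGTERM)
            except ProcessLookupError:
                continue
        terminated.append(pid)
    return terminated


if __name__ == "__main__":
    hogs = select_hogs(parse_ps(SAMPLE_PS), limit_mb=512)
    print("would terminate:", reap(hogs))
```

SIGTERM rather than killall's default lets a worker finish its current request; swap `SAMPLE_PS` for `live_ps()` and pass `dry_run=False` to run it from cron, and log the returned pids so the hourly dips in the memory graph can be matched to the processes that caused them.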

To install Monitorix on CentOS 7, use the yum package manager:

```bash
sudo yum install epel-release
sudo yum install monitorix
```

It will install a lot of Perl dependencies. When it’s finished you can start the service:

```bash
service monitorix start
```

It runs on port 8080 by default, but that can easily be changed in the config file to whatever port you’re happy with.

```bash
vim /etc/monitorix/monitorix.conf
```

Line 30: port = __________

To see the graphs visit: http://yourdomain.com:8080/monitorix   (or whatever port you’ve set it to).

Portfolio: Tian Ran

Today I grabbed the domain: specialed.space as the old one (eddie.cf) was a free domain with an uncertain future.

I’m gradually starting to move projects into a portfolio of work I’ve done over the last 20 years. At first they’ll just be posts on this blog but I’ll eventually put them into some sort of presentation.

This is a website I made for a vegan Chinese restaurant. It’s a WordPress install with a custom theme based off of a free theme I found while digging around the WordPress theme directory.

tianran.specialed.space


GraphQL is a “Better Way”


After reading articles extolling the amazingness of GraphQL over RESTful APIs, I decided to explore it with a “getting started” tutorial. It was a breeze to set up on the server side.

The beauty of GraphQL is that it allows the client to specify what data it requires whereas a RESTful API would deliver the entire contents of a table unless a custom endpoint were created and maintained.

It also allows for collation from multiple resources and delivers the results via a tidy JSON object.

My first reaction to hearing about it was that allowing such specificity would mean learning a new query language. I was wrong. The format is elegant and intuitive. A request looks almost exactly like the JSON response without the values. Here’s an example of a request:

GraphQL Request:

```graphql
{
  user1: user(login: "tj") {
    name
    email
    about
    following
    followers
  },
  user2: user(login: "ekendra-nz") {
    name
    email
    about
    following
    followers
  }
}
```

And here is the response. See how the query and response work like a Q and A? How smooth is that?

GraphQL Response:

```json
{
  "data": {
    "user1": {
      "name": "TJ Holowaychuk",
      "email": null,
      "about": "Founder of Apex\r\nhttps://apex.sh\r\n@tjholowaychuk on Twitter & Medium.",
      "following": 48,
      "followers": 30215
    },
    "user2": {
      "name": "ekendra-nz",
      "email": null,
      "about": "PHP/JS Webdev",
      "following": 0,
      "followers": 0
    }
  }
}
```
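To show what makes the request “mirror” the response, here is a small Python resolver, written for this post and not part of any GraphQL library or of GitHub’s API, that parses this subset of the query language (selection sets, aliases, string arguments) and answers it from a constructed in-memory user table. The user data is made up; the private-field rule (email comes back null unless you are querying your own login) is an assumption added to illustrate why a server nulls a field rather than leak it; and an unknown field fails validation for the whole request with no data, which is how GraphQL servers behave.

```python
import re

# Constructed stand-ins for the two GitHub users queried in the post.
USERS = {
    "tj": {"name": "TJ Holowaychuk", "email": "tj@example.invalid",
           "about": "Founder of Apex", "following": 48, "followers": 30215},
    "ekendra-nz": {"name": "ekendra-nz", "email": "ek@example.invalid",
                   "about": "PHP/JS Webdev", "following": 0, "followers": 0},
}

# The schema: only these fields can ever leave the server, whatever the client lists.
USER_FIELDS = {"name", "email", "about", "following", "followers"}
# Assumed policy for the example: email is null unless the viewer queries their own login.
PRIVATE_FIELDS = {"email"}

TOKEN = re.compile(r'\s+|,|(?P<str>"[^"]*")|(?P<punct>[{}():])|(?P<name>[A-Za-z_][A-Za-z0-9_]*)')


def tokenize(text):
    """Split a query into (kind, value) tokens; whitespace and commas are insignificant."""
    pos, out = 0, []
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:
            raise ValueError("unexpected character at offset %d" % pos)
        pos = m.end()
        if m.lastgroup:
            out.append((m.lastgroup, m.group(m.lastgroup)))
    return out


def parse_selection(tokens, i):
    """Parse '{ field ... }' at tokens[i]; returns (fields, next index).

    Each field is (alias, name, args, sub_selection_or_None).
    """
    if tokens[i:i + 1] != [("punct", "{")]:
        raise ValueError("expected '{'")
    i, fields = i + 1, []
    while i < len(tokens) and tokens[i] != ("punct", "}"):
        kind, name = tokens[i]
        if kind != "name":
            raise ValueError("expected a field name")
        alias, i = name, i + 1
        if tokens[i:i + 1] == [("punct", ":")]:          # alias: realField
            kind, name = tokens[i + 1]
            i += 2
        args = {}
        if tokens[i:i + 1] == [("punct", "(")]:          # field(arg: "value")
            i += 1
            while tokens[i] != ("punct", ")"):
                key, colon, (vkind, value) = tokens[i][1], tokens[i + 1], tokens[i + 2]
                if colon != ("punct", ":"):
                    raise ValueError("expected ':' after argument name")
                args[key] = value[1:-1] if vkind == "str" else value
                i += 3
            i += 1
        sub = None
        if tokens[i:i + 1] == [("punct", "{")]:
            sub, i = parse_selection(tokens, i)
        fields.append((alias, name, args, sub))
    if i >= len(tokens):
        raise ValueError("unterminated selection set")
    return fields, i + 1


def execute(query, viewer=None):
    """Validate the whole document first, then resolve it in the shape of the request."""
    fields, _ = parse_selection(tokenize(query), 0)
    errors = []
    for _, name, args, sub in fields:
        if name != "user" or "login" not in args or not sub:
            errors.append('root field "%s" must be user(login: ...) with a selection' % name)
            continue
        errors += ['unknown field "%s" on type User' % f for _, f, _, _ in sub
                   if f not in USER_FIELDS]
    if errors:
        return {"errors": errors}                  # validation failure: no data at all
    data = {}
    for alias, _, args, sub in fields:
        record = USERS.get(args["login"])
        if record is None:
            data[alias] = None                     # unknown login resolves to null
            continue
        data[alias] = {
            f_alias: None if f in PRIVATE_FIELDS and viewer != args["login"] else record[f]
            for f_alias, f, _, _ in sub
        }
    return {"data": data}


if __name__ == "__main__":
    import json
    print(json.dumps(execute('{ me: user(login: "tj") { name email followers } }'), indent=2))
```

The response keys are the aliases from the request (`user1`, `user2`), which is why the two documents line up, and the allowlist in `USER_FIELDS` is the part that matters for security: a client can ask for anything, but only schema fields are resolved and the viewer check decides whether a field is populated or null.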


MariaDB + Ruby on Rails

Today we completed the official Ruby on Rails getting started guide blog example to demonstrate CRUD using MariaDB instead of the default sqlite3.

It ran smoothly and gave me the ability to use phpMyAdmin to poke around my database. One issue encountered was that, despite declaring relationships between tables at the model level, by default the database does not show any cascading or auto-delete. It may well be something that was beyond the scope of a quick start tutorial, or the functionality may not exist at all.

Switching from SQLite to MariaDB involved two steps:

In the Gemfile, comment out gem 'sqlite3' and add a line gem 'mysql2'

```ruby
# Use sqlite3 as the database for Active Record
# gem 'sqlite3'
gem 'mysql2'
```

In config/database.yml comment out the existing database connections and add this block (replacing the placeholders with your MariaDB credentials).

```yaml
development:
  adapter: mysql2
  encoding: utf8
  database: yourDatabaseName
  pool: 5
  username: yourDatabaseUsername
  password: yourDatabasePassword
```

Of course this only configures the dev environment; for production you’d define the same block in the same file, replacing development: with production: