Wednesday, April 12, 2023

Thrift Shop Find

The other day while browsing the electronics at Goodwill I found an old calculator for $1. The screen wasn't working correctly but I thought I could fix it. I used the opportunity to dip my toes in the YouTube waters. I present to you Tachyon's first video, enjoy. 


Saturday, February 18, 2023

Throw the Coding Interview into the Trash


Despite nearly every company having coding interviews as part of their hiring process, poor developers get hired. Somehow having people write code from college exams in web-based IDEs while a clock is ticking is failing the industry. The reason for that is that it doesn't resemble the everyday reality of a software developer. 

Writing code is such a small part of development that having a candidate do it in a game show environment isn't going to provide much helpful information. Ask a software developer what they do all day long and typing code into an IDE would probably be less than 15% of their job. A good developer has to be able to look at a code base that he hasn't written, gain a working knowledge of what it does and how it does it, and somehow make a change without breaking everything. 

I don't have any official data but I am willing to bet that 99% of the time that code change is not inverting a binary tree in under thirty minutes. 

According to Frederick Brooks' inescapable Mythical Man-Month, the average developer spends half of their time doing some kind of testing. How many coding interviews involve writing a unit test? Has there ever been a coding interview that asked a candidate to dig through an APM or log aggregator to find the reason an API call is failing? Instead of pulling a hard question off of LeetCode, could we just give a candidate several hours to fix a failing Maven build and get better hiring decisions?

Enough complaining, what is the solution? What is the NFL Combine of the Software Development world?

It's the GitHub Open Source Pull Request. 

The biggest poorly kept secret in the software world is that almost every commercial software product relies on a myriad of Open Source Software, and the second biggest poorly kept secret is how overworked and underappreciated Open Source contributors are. 

Critical OSS projects, like log4j, have hefty backlogs of bug fixes and security issues. What if we could help address those issues and improve the hiring process? 

It begins with the hiring manager selecting an appropriately sized and appropriately difficult fix for OSS that the company depends upon. The candidate would have the opportunity to read requirements, learn a code base, follow a build and testing regimen, and conform to a submission process, ultimately having a group of their peers accept the PR. 

The standard interviewing process often produces little to no value. The code is thrown away as no one needs a solution to a non-existent problem. The PR Test creates actual value and that value is not owned by the hiring company so there is no awkward feeling of exploitation. Whatever happens with the job opening, there will still be some value created and released into the world. 

Imagine if log4j had been fixed by a candidate before it was exploited. Imagine if developers had an intimate understanding of the libraries they use because they were part of the development effort. Imagine finding out that the guy who can solve the Towers of Hanoi in 5 lines can't solve a simple bug without re-writing several modules from scratch. 

After the PR test, the follow-up interview should include questions about challenges and design decisions. This gives insight into the candidate's thought process and also an indication of whether they actually did the work themselves. 

There is one missing piece though: the acquisition of new knowledge. Pick a topic that the candidate is unfamiliar with and give them a week to learn it. A thought exercise in the interview could ask the candidate to apply the topic to a hypothetical problem. This is not a pass/fail test, but it does provide insight into how the future employee could be directed in their professional development. Pro tip: people can learn how to learn better. 

Better developer interviews lead to better hiring decisions and better professional development. For an industry that believes in better efficiency and less waste, that should be reflected in the hiring process. 

Sunday, January 10, 2021

Multiple Versions of Java


Java is a very popular language for application development for many reasons, including speed and portability. Java applications are compiled to Java bytecode which is in turn run by the Java Runtime Environment, more commonly known as the JRE. To avoid problems from the JRE not being installed or the wrong version being installed, many applications install their own copy of the JRE in their own folders. 

There are many problems with this approach, including:
  • the bundled JRE is never updated with security patches
  • it may be many years out of date, with many known security issues
  • it is almost guaranteed not to be configured securely

Another trap is believing that you are safe from known Java vulnerabilities because you keep your JRE up to date. However, malicious code or a malicious actor can use an older, insecure JRE residing on your machine that you're unaware of. An analogy would be a heavily secured front door but an unlocked window. 

The solution begins with independently installing the latest version of the JRE SE 8 and, if possible, applying the STIG. The STIG can be found at STIG Viewer. Even if you don't apply the STIG you should still set up the deployment.config and deployment.properties files as detailed in the STIG. The next step is to locate all versions of the JRE by searching for the file 'java.exe'. For each 'java.exe', run 'java.exe -version' and record all the locations and versions (1.8 is version 8). For example, the Arduino IDE comes with its own JRE located in 'C:\Program Files (x86)\Arduino\java\' and the version is 1.8.0_191, which is Java SE 8 Update 191 and was released on Oct 16th, 2018. As of Jan 10th, 2021, the latest version is Java SE 8 Update 271. You can find the 234 CVEs associated with Update 191 at the National Vulnerability Database.

If you find versions 9, 10, or 11, you may need to install JRE SE 11, as versions 9 and 10 are no longer supported. For anything later than 11, install the latest version of the JRE. Some Java 8 programs don't work with later versions, so that is something to be mindful of. As of January 2021, only the Java 8 and 11 JREs have long-term support and therefore should be used if possible. Further information is on the Java Release FAQ page.

One by one, back up and delete the Java folders, testing each application as you do so. If an application doesn't work, it may mean it needs a specific major version, e.g. 8, 9, or 10.

Another possibility is that the application needs not just the JRE but the Java Development Kit (JDK) as well. The JDK includes tools to build Java programs, including javac.exe, which is the Java compiler. If it does, then there are many more security considerations. 

If the system does not have strong application whitelisting, then having the JDK on a system allows the user to compile Java source code they have written, but which has not been evaluated, and run that Java code on the system. In non-development environments, systems should not have the JDK (or any other development kit) installed unless under extraordinary circumstances. That is a topic for another post and another time. 
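As an added example, not from the original post, the following PowerShell script automates the inventory step described above: it searches every fixed drive for java.exe, runs each one with -version, parses the version string and major release, and flags whether a javac.exe sits beside it (a sign of a full JDK rather than just a JRE, which matters for the application-whitelisting point). The output file name and the choice to scan only fixed disks are assumptions; the parsing handles both the old 1.x.y_z version format and the 9+ format.

```powershell
# Added example, not code from the original post. Inventories every java.exe on the machine
# so each copy can be matched against the latest Java SE 8 / 11 release and then backed up
# and removed one at a time. Run from an elevated prompt so Program Files is fully readable.

# Assumption: only fixed local disks (Win32_LogicalDisk DriveType 3) are worth scanning.
$roots = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=3' | ForEach-Object { "$($_.DeviceID)\" }

$inventory = foreach ($root in $roots) {
    Get-ChildItem -Path $root -Filter 'java.exe' -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        # 'java -version' prints to stderr, so merge it into the output stream and keep the first line,
        # e.g.  java version "1.8.0_191"  or  openjdk version "11.0.9" 2020-10-20
        $versionLine = [string](& $_.FullName -version 2>&1 | Select-Object -First 1)
        $version = if ($versionLine -match '"([^"]+)"') { $Matches[1] } else { 'unknown' }

        # Major release: "1.8.0_191" -> 8 (old scheme), "11.0.9" -> 11 (new scheme)
        $major = $null
        if ($version -match '^1\.(\d+)\.') { $major = [int]$Matches[1] } elseif ($version -match '^(\d+)') { $major = [int]$Matches[1] }

        [PSCustomObject]@{
            Path          = $_.FullName
            Version       = $version
            Major         = $major
            # javac.exe next to java.exe means this is a JDK, not just a JRE
            HasJdk        = Test-Path (Join-Path $_.DirectoryName 'javac.exe')
            LastWriteTime = $_.LastWriteTime
        }
    }
}

# Oldest releases first, so the riskiest copies are at the top of the list
$inventory | Sort-Object Major, Version | Format-Table -AutoSize

# Assumption: a CSV in the user profile is a convenient record to work through while deleting folders
$inventory | Export-Csv -Path (Join-Path $env:USERPROFILE 'java-inventory.csv') -NoTypeInformation
```

Each row in the CSV is one candidate for the back-up-and-delete loop; the Major column tells you whether the bundled copy falls under the Java 8 or Java 11 long-term support line, and any row with HasJdk set to True deserves a closer look on a non-development machine.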

Out-of-date Java runtimes are a large and common security risk on a PC but the preceding steps should make having Java on your machine much less dangerous and more manageable. 

Saturday, October 31, 2020

Clock Update

Until this week, the clock was programmed by curl'ing octets to the web server on the ESP32 controller. I decided that I wanted a REST API interface to the clock, but I didn't want to implement it on the ESP32.

Since I've been trying to get better at Python, I decided to put together a Python app for it, found a good REST API Python Tutorial and got to work.

It took most of Friday night but it was a great success. This afternoon I built a Docker image for it and now I can run it on any random Raspberry Pi I have on the network.

If you're interested in the code, it's on my GitHub:

ClockRestApi on GitHub

Next step is a React app to talk to the REST API and maybe even a phone app based on that.

Sunday, June 28, 2020

My New Clock

Necessity is the mother of invention. My apartment building has an indoor swimming pool that I like to swim laps in. Some time last year, building management took down the wall clock that hung at the end of the pool. This drove me to figure out alternatives and since I could see my apartment windows from the pool I decided what I needed was a large clock.

I crack open the box of my electronics stuff and start taking inventory. My plan is to use the chips I have that drive 7-segment displays to drive a home-built oversized 7-segment display. Think old school game shows before everything became LCD screens.

I start with a breadboard, add a 7-segment display and a CD4511 7-segment display driver chip, and wire it to a USB battery. Great success as I can display all the numbers I need by changing around the jumper wires.

Next step, I hook up an Arduino and control the inputs that way. It looks like I have my successful proof-of-concept.

The first real problem I encounter is how to build the clock circuitry, and it looks like that's going to be harder than the display component. Things change as I find out the ESP32 can be used with the Arduino IDE and I can have the ESP32 call out to an NTP time server and set its own internal clock.

Now that I have the clock and the display drivers, all that remains is building the numbers and figuring out how to power the thing without burning out my logic chips.

I start my research into different ways to drive large, bright LED displays and I come across NeoPixel RGB strips. They can be cut with scissors and soldered in a chain easily. I do the math on how many LEDs I need and I order a 100-LED strip from Amazon.

I get the strand in the mail and right away start playing with it by hooking up power and data lines. Nothing happens. This is a real bummer. I take out my multimeter, check power levels, check the connections, and everything seems fine. After a while of confusion and frustration I come up with the idea to plug wires into the other end of the strip and everything lights up. I run a sample program and it's magical; I even think I hear music playing (probably just in my head). This will work.

Actual construction begins and the first thing I need is a box to mount the digits in. After some searching and head scratching I decide the perfect box will be the tray from a case of water bottles, so I run out to Target late that night to pick up some paint brushes and black paint. After the paint dries, I cut out paper outlines to size the display, mark rectangles with pencil and then start cutting the LED strip into 4-light segments; no turning back now.



Laid out the first digit, cut the lengths of wire, soldered one segment to the next until the whole first 7-segment display was built. The moment of truth comes as I mount it in the box, tape it down with electrical tape and plug it in.

And it kind of works. Re-solder some flaky joints and I have myself a device that displays any number between 0 and 9. Thirty-two careful wire solders later (not counting re-solders) and I have myself a working clock display.



I finished up by moving the ESP32 and the LED power supply to the right size breadboard and mounting it to the back of the box. Wrote the code in the Arduino IDE and put it on GitHub (https://github.com/tachyonknave/NeoClock_ESP32). Final step was testing it from the swimming pool and it was perfect.




Future plans: Add flashing dots between the hour and minute. Set up a web server to control it over WiFi that will allow additional functions such as a 20 second countdown for heartbeat, showing the date periodically, a timer mode to count up or count down, changing the colors and switching between 12 and 24 hour mode.



Added wax paper to diffuse the LED's and significantly improve readability. 




View from the Pool

Tuesday, August 27, 2019

How to and why use VirusTotal

Most people have an anti-virus program running on their PC, continually scanning for known malware. That's a good idea, but what about unknown malware? Unknown malware could be malware that is known to other scanners but not to the scanner you're using. Or even worse, the malware could be known to your scanner but not to the malware definitions list on your machine. What then?

Of course you should have your malware definitions list update automatically, but what if you could scan suspicious files with 60+ scanners, all of them up to date? That's where VirusTotal comes in. It's a free tool that scans files for bad stuff like malware. You wouldn't use VirusTotal to scan all your files, but it's perfect for one or two suspicious files, especially files you receive via e-mail or other questionable sources.

How to Use VirusTotal: Scan Types


There are two ways to check a file against VirusTotal. If the file is under 250MB you can upload it. The other option is to take a hash* of the file and send that hash to VirusTotal.

To take the hash of the file you can use many tools. For example, here's a PowerShell command:

Get-FileHash C:\sol.exe -Algorithm SHA1 | Format-List

There are several tools available on the Internet to take a hash of a file, and you should check them before you use any. I occasionally use Microsoft's FCIV. 
 
VirusTotal accepts hashes from the following algorithms: md5, sha1, or sha256.

Copy the hash part and paste it into the VirusTotal search box.

VirusTotal Search

If VirusTotal recognizes the file, that's great news. If it doesn't, you need to assess whether the file contains any sensitive info (like your e-mail or a software license assigned to you). Personal files such as documents and spreadsheets should not be uploaded to VirusTotal. Part of the deal you make with VirusTotal to use their service is that they don't keep the files you upload private, so always keep that in mind.


Results 


Most times you will get results like this, where nothing is found:



For comparison here is a bad result:


If this happens, delete the file without running it.

False Positives 


Unfortunately there is always the possibility of false positives, which is when some scanners say the file is bad while other scanners say it's good. My rule of thumb: if Microsoft, Symantec and McAfee all say the file is good, it's probably okay, but if one of them says it's bad, don't trust it.


Misc


VirusTotal also offers a REST API to check hashes or files. In most cases this would be overkill. A special script could be written to go through every file in a directory, generate its hash and send that hash off to VirusTotal. However, VirusTotal does limit how many files and how often you can send them to the API with a free account, so you can't use it to scan all the files on your hard drive. In those instances you should use a local scanner instead; VirusTotal isn't a replacement for those times.  
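As an added example, not from the original post, here is a PowerShell script of the kind just described: it hashes every file in a folder with Get-FileHash, looks each SHA256 up against VirusTotal's v3 API (sending only the hash, never the file, so no personal document leaves the machine), and paces itself to stay inside the free-tier quota. The API key location ($env:VT_API_KEY) and the 4-lookups-per-minute default are assumptions about your account; the endpoint and response fields are those of the public v3 API.

```powershell
# Added example, not code from the original post. Looks up the SHA256 of every file in a folder
# against VirusTotal. Only hashes are sent; file contents are never uploaded, which sidesteps the
# privacy problem with uploading personal documents.
# Assumptions: the API key is in $env:VT_API_KEY, and the free tier allows 4 lookups per minute.
param(
    [Parameter(Mandatory)] [string] $Folder,
    [int] $LookupsPerMinute = 4
)

$apiKey = $env:VT_API_KEY
if (-not $apiKey) { throw 'Set the VT_API_KEY environment variable before running.' }

# Space the requests out so a large folder does not trip the free-account rate limit
$delaySeconds = [math]::Ceiling(60 / $LookupsPerMinute)

$results = foreach ($file in Get-ChildItem -Path $Folder -File) {
    # VirusTotal accepts md5, sha1 or sha256; sha256 is the strongest of the three
    $hash = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash.ToLower()

    $row = [PSCustomObject]@{
        File      = $file.Name
        SHA256    = $hash
        Malicious = $null      # number of engines that flagged the file
        Engines   = $null      # number of engines that returned a verdict
        Verdict   = 'unknown to VirusTotal'
    }

    try {
        $resp  = Invoke-RestMethod -Method Get `
                                   -Uri "https://www.virustotal.com/api/v3/files/$hash" `
                                   -Headers @{ 'x-apikey' = $apiKey }
        $stats = $resp.data.attributes.last_analysis_stats
        $row.Malicious = $stats.malicious
        $row.Engines   = $stats.malicious + $stats.suspicious + $stats.undetected + $stats.harmless
        # Same rule as the post: any engine calling it bad means do not run it until investigated
        $row.Verdict = if ($stats.malicious -gt 0) { 'flagged - do not run' } else { 'no engine flagged it' }
    }
    catch {
        # 404 means VirusTotal has never seen this hash (the row keeps its 'unknown' verdict);
        # anything else (bad key, quota exceeded, network) is recorded so it is not mistaken for clean
        $status = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { 0 }
        if ($status -ne 404) { $row.Verdict = "error: $($_.Exception.Message)" }
    }

    $row
    Start-Sleep -Seconds $delaySeconds
}

$results | Format-Table -AutoSize
```

Usage: save as Check-VtHashes.ps1 and run `.\Check-VtHashes.ps1 -Folder "$env:USERPROFILE\Downloads"`. A file reported as unknown is not the same as clean; it only means nobody has submitted that exact file before, which is exactly the case where you have to decide whether the file is safe to upload.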


The following blog post by JC_SoCal offers a reason, worth considering, why you may not want to upload a file or hash to VirusTotal.

Malware Analysis #1 Protip

Unless you are a malware analyst or think you are being directly targeted, you'll be okay. 


Conclusion


After reading this post you should know everything you need to be a basic VirusTotal user. VirusTotal is a great tool to have in your cyber protection toolbox. 






*hash - a hash is the output of a special mathematical function used to assign an ID to a file or a message. (Wikipedia - Hash Function)

Saturday, April 20, 2019

InfoSec News


One of the most important things for a professional to do is keep up with the latest cybersecurity news and alerts. Below is a list of blogs and Twitter users I follow. I use feedly.com to aggregate the blogs.

Google Online Security Blog
HackRead
Krebs on Security
SANS Internet Storm Center
Schneier on Security
The Hacker News
US-CERT Current Activity
E Hacking News
Errata Security
Graham Cluley
Hackmageddon
Have I Been Pwned
Malwarebytes Labs
Open Web Application Security Project (OWASP)
security - Ars Technica
TaoSecurity
The Register
TrendLabs Security

Twitter Handles to Follow

@RGB_Lights
@climagic
@VessOnSecurity
@2sec4u
@nostarch
@briankrebs
@DFIRTraining
@sempf
@markrussinovich
@azeria_labs
@secureideas
@x0rx
@jessfraz
@eric_conrad
@Fox0x01
@malwareunicorn
@malwrhunterteam
@swiftOnSecurity
@MalwareJake
@kevinmitnick
@Code_analysis
@OnRyanmac
