/tags/infosec/ Recent content in Infosec on galvanist Hugo en Wed, 13 May 2020 22:13:52 +0000 /posts/2020-05-14-django_secret_key_generation/ Wed, 13 May 2020 22:13:52 +0000 /posts/2020-05-14-django_secret_key_generation/ <h1 id="generate-django-secret_keys-on-the-command-line-using-this-one-liner-django-not-required">Generate django <code>SECRET_KEY</code>s on the command line using this &ldquo;one-liner&rdquo; (django not required)</h1> <h3 id="background">Background</h3> <p><a href="https://www.djangoproject.com/">Django</a> is a Python web framework with a lot of nice features including an exceptional ORM and <a href="https://docs.djangoproject.com">high quality documentation</a>. Most of my experience with django has been deploying and debugging other people&rsquo;s projects - during the course of which I often want to regenerate the <code>SECRET_KEY</code> that underpins most of the security of every deployment.</p> <p>The <a href="https://docs.djangoproject.com/en/3.0/ref/settings/#std:setting-SECRET_KEY">django settings docs</a> describe the <code>SECRET_KEY</code>:</p> /posts/2020-03-28-jxa_notes/ Sat, 28 Mar 2020 18:28:48 +0100 /posts/2020-03-28-jxa_notes/ <h1 id="overview">Overview</h1> <p>There is a macOS feature called the <a href="https://en.wikipedia.org/wiki/AppleScript#Open_Scripting_Architecture">Open Scripting Architecture</a> (OSA) which provides an infrastructure for intercommunication and automation of macOS software. One of the officially supported OSA languages is JavaScript and its use in this context is called &ldquo;JavaScript for Automation&rdquo; which is often abbreviated to &ldquo;<strong>JXA</strong>&rdquo;.</p> <p>The idea is that instead of using <a href="https://en.wikipedia.org/wiki/AppleScript">AppleScript</a>, you can program &amp; automate macOS using a more modern language like <a href="https://en.wikipedia.org/wiki/JavaScript">JavaScript</a>. This gives the programmer access to the enormous ecosystem of javascript libraries and tools in addition to all the modern optimizations and language features of ES6-ish JavaScript. JXA also provides access to a built-in Objective-C bridge that enables access to the file system and the ability to call into the Cocoa frameworks and plain C functions. JXA can basically do anything native code can. It&rsquo;s a bit like <a href="https://en.wikipedia.org/wiki/Node.js">node</a> without needing to install node.</p> /posts/2020-03-11-security-resources/ Wed, 11 Mar 2020 23:32:43 +0100 /posts/2020-03-11-security-resources/ <p>Establishing a reasonable amount of security for a website is a non-trivial unending job. Here are some notes and resources that I find helpful.</p> <h1 id="web-server-config">Web Server Config</h1> <h2 id="start-with-tls">Start with TLS</h2> <p>All public-facing websites need to be protected by <a href="https://en.wikipedia.org/wiki/Transport_Layer_Security">Transport Layer Security</a> (TLS). TLS is a technology which allows web traffic to be encrypted and this encryption helps to protect the privacy and security of the users of a site.</p> <p>Deploying a site with TLS can be accomplished in a free and automated fashion. Services like <a href="https://en.wikipedia.org/wiki/Let's_Encrypt">Let&rsquo;s Encrypt</a> and the issuance features of large cloud providers (for example <a href="https://aws.amazon.com/certificate-manager/">AWS Certificate Manager</a>) encourage more secure defaults and automatic management. For more information, check out the <a href="https://letsencrypt.org/getting-started/">Let&rsquo;s Encrypt Getting Started Guide</a> or your hosting provider&rsquo;s documentation.</p>