I’m not being paid to make this recommendation (I just happen to know Adam Baldwin), but if you build Node apps at all, you really should consider the new secure development training for Node offered by ^lift. Even if you can’t make one of the training sessions they offer, it is well worth your time to chat with them about the security of your Node app. If security is baked into the app and is part of the development process, the chances of an embarrassing security vulnerability are drastically reduced.
These guys know their stuff and work with organizations such as GitHub and npm, Inc.
Check it out: ^lift Node Security Training
As a follow-up to my previous post about the Windows Scripting Host (WSH), I should mention that I have seen a bunch of fake antivirus website pop-ups attempt to load a file called setup.exe.vbe by downloading the file via the browser and attempting to get wscript.exe to execute the malicious script. I have noticed that not all of these attempts have been caught by antivirus and virtually none of them by vendor-supplied network-based IPS signatures.
If you monitor process creation and change activity on your hosts, look for attempts by wscript.exe to execute a file called setup.exe.vbe and confirm that the script did not actually run.
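One way to do that hunt over host telemetry, as an added example that is not part of the original post: the script below parses a handful of constructed Sysmon-style process-creation records (made up for the example, not real captures), picks out every launch of wscript.exe or cscript.exe, and flags the two things that make the setup.exe.vbe case stand out: a script hiding behind a document or program extension (setup.exe.vbe, invoice.pdf.js) and a script host spawned directly by a browser. It generalizes slightly beyond the post by catching any masquerading double extension and any WSH script type, not just .vbe. The field names (UtcTime, Image, CommandLine, ParentImage) follow Sysmon Event ID 1; the flattened one-line layout is an assumption for the example.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed Sysmon Event ID 1 (process creation) records, flattened to one line each.
# These are made up for this example; they are not telemetry from the post.
SAMPLE_EVENTS = [
    "UtcTime: 2014-01-10 14:02:11 Image: C:\\Windows\\System32\\wscript.exe "
    "CommandLine: \"C:\\Windows\\System32\\wscript.exe\" \"C:\\Users\\bob\\Downloads\\setup.exe.vbe\" "
    "ParentImage: C:\\Program Files\\Internet Explorer\\iexplore.exe",
    "UtcTime: 2014-01-10 14:03:40 Image: C:\\Windows\\System32\\cscript.exe "
    "CommandLine: cscript.exe //nologo C:\\scripts\\inventory.vbs "
    "ParentImage: C:\\Windows\\System32\\cmd.exe",
    "UtcTime: 2014-01-10 14:05:02 Image: C:\\Windows\\System32\\notepad.exe "
    "CommandLine: notepad.exe C:\\Users\\bob\\notes.txt "
    "ParentImage: C:\\Windows\\explorer.exe",
    "UtcTime: 2014-01-10 14:07:19 Image: C:\\Windows\\System32\\wscript.exe "
    "CommandLine: wscript.exe \"C:\\Users\\bob\\AppData\\Local\\Temp\\invoice.pdf.js\" "
    "ParentImage: C:\\Program Files\\Mozilla Firefox\\firefox.exe",
]

FIELDS = ("UtcTime", "Image", "CommandLine", "ParentImage")
# "key: value" pairs; a value runs until the next known key so paths with "C:" survive.
FIELD_RE = re.compile(r"(%s): (.*?)(?= (?:%s): |$)" % ("|".join(FIELDS), "|".join(FIELDS)))
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')  # Windows-style quoted or bare arguments

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
WSH_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}
# Extensions a user expects to open as a document or program. A WSH script hiding
# behind one of these (setup.exe.vbe) is the lure described in the post.
MASQUERADE_EXTENSIONS = {"exe", "pdf", "doc", "docx", "xls", "xlsx", "jpg", "jpeg", "png", "txt", "zip"}
BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe", "msedge.exe", "opera.exe"}


@dataclass
class Finding:
    time: str
    host: str               # wscript.exe or cscript.exe
    script_name: str        # basename of the script the host was asked to run
    script_path: str
    double_extension: bool  # e.g. setup.exe.vbe
    browser_parent: bool    # script host spawned directly by a browser

    def is_alert(self) -> bool:
        return self.double_extension or self.browser_parent


def parse_event(line: str) -> Dict[str, str]:
    return {key: value for key, value in FIELD_RE.findall(line)}


def split_cmdline(cmd: str) -> List[str]:
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmd)]


def has_double_extension(name: str) -> bool:
    parts = name.lower().split(".")
    return len(parts) >= 3 and parts[-2] in MASQUERADE_EXTENSIONS


def scan_events(lines: List[str]) -> List[Finding]:
    findings: List[Finding] = []
    for line in lines:
        ev = parse_event(line)
        host = ntpath.basename(ev.get("Image", "")).lower()
        if host not in SCRIPT_HOSTS:
            continue
        parent = ntpath.basename(ev.get("ParentImage", "")).lower()
        for arg in split_cmdline(ev.get("CommandLine", ""))[1:]:
            if arg.startswith("/"):  # host switches such as //nologo or //B
                continue
            if ntpath.splitext(arg)[1].lower() not in WSH_EXTENSIONS:
                continue
            name = ntpath.basename(arg)
            findings.append(Finding(
                time=ev.get("UtcTime", ""), host=host, script_name=name, script_path=arg,
                double_extension=has_double_extension(name), browser_parent=parent in BROWSERS))
    return findings


def find_ioc(findings: List[Finding], ioc_name: str = "setup.exe.vbe") -> List[Finding]:
    """Exact-name match for the indicator from the post."""
    return [f for f in findings if f.script_name.lower() == ioc_name.lower()]


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(("ALERT " if f.is_alert() else "info  ") + f"{f.time} {f.host} -> {f.script_path}")
```

A process-creation record only proves that the script host was launched with the file; it says nothing about whether the script finished its work. To confirm the attempt was not successful, pivot from the flagged process to its file, registry and network activity, which is why the scan keeps the timestamp and full path of every hit rather than just a yes/no.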
Mandiant has a great post on their blog discussing some attempts by malware to maintain persistence on a host by using the Windows Scripting Host (WSH) and the startup folder.
Great stuff, including some indicators of compromise (IOC) and Snort rules to attempt to detect these situations, though the IOCs will be far more effective at this than the Snort rule.
I ran across this quote today in the course of my reading and thought I’d share it.
Works of Love, pp. 92-96 (SV XLL 86-91), cited in S. Kierkegaard, Parables, pp. 47-48:
To love one’s neighbor means, while remaining within the earthly distinctions allotted to one, essentially to will to exist equally for every human being without exception.… Consider for a moment the world which lies before you in all its variegated multiplicity; it is like looking at a play, only the plot is vastly more complicated. Every individual in this innumerable throng is by his differences a particular something; he exhibits a definiteness but essentially he is something other than this—but this we do not get to see here in life. Here we see only what role the individual plays and how he does it. It is like a play. But when the curtain falls, the one who played the king, and the one who played the beggar, and all the others—they are all quite alike, all one and the same: actors. And when in death the curtain falls on the stage of actuality (for it is a confused use of language if one speaks about the curtain being rolled up on the stage of the eternal at the time of death, because the eternal is no stage—it is truth), then they also are all one; they are human beings. All are that which they essentially were, something we did not see because of the difference we see; they are human beings. The stage of art is like an enchanted world. But just suppose that some evening a common absent-mindedness confused all the actors so they thought they really were what they were representing. Would this not be, in contrast to the enchantment of art, what one might call the enchantment of an evil spirit, a bewitchment? And likewise suppose that in the enchantment of actuality (for we are, indeed, all enchanted, each one bewitched by his own distinctions) our fundamental ideas became confused so that we thought ourselves essentially to be the roles we play. Alas, but is this not the case? 
It seems to be forgotten that the distinctions of earthly existence are only like an actor’s costume or like a travelling cloak and that every individual should watchfully and carefully keep the fastening cords of this outer garment loosely tied, never in obstinate knots, so that in the moment of transformation the garment can easily be cast off, and yet we all have enough knowledge of art to be offended if an actor, when he is supposed to cast off his disguise in the moment of transformation, runs out on the stage before getting the cords loose. But, alas, in actual life one laces the outer garment of distinction so tightly that it completely conceals the external character of this garment of distinction, and the inner glory of equality never, or very rarely, shines through, something it should do and ought to do constantly.
I have completed the photo gallery, which consists of my favorite images I’ve taken over the years.
I hope you like it.
I just returned from a short backpacking and snowshoeing trip with a friend into a yurt nestled on the north slope of the Uinta mountains in Utah. The yurt is run by BRORA and a permit is required to stay there, but it is well worth the trip. BRORA stocks the yurt with propane and wood (though visitors are encouraged to cut wood and restock what they use in the wood-burning stove within the yurt), and it has propane lamps, cooking utensils, a wood-burning stove that is completely amazing, and various sundry goods required for a comfortable overnight stay in the backcountry during winter.
Once again I have made some significant website changes, now moving to a static website generated by Wintersmith and Node.js. Theme templates were created using Jade and should be responsive (adjusts the page to fit the screen on which the site is viewed, while maintaining consistent navigation).
In order to do this I first built a structure in HTML, utilized the wonderful HTML2Jade tool, made further adjustments to the output Jade template to match what I needed, and then did a lot of CSS hacking. I cannot stress how absolutely wonderful Safari’s web inspector is for getting CSS just right.
So, you may ask, “Why move away from Ghost and to a statically generated site?” First off, Ghost is a great platform and very slick blogging tool. As I’ve been using it I’ve bumped my head against its complex code several times, which is frustrating. I like simple, lightweight code.
Ghost is also very immature and lacks many key features for me, such as theme loops, an API, and a good static page implementation (admittedly, this is subjective). My biggest gripe is that, due to a bug in how the editor handles Safari in iOS 7, editing or creating posts on a mobile device doesn’t work at all. This issue has been around since iOS 7 came out, and there is still no fix in sight.
Bottom line on Ghost: It’s great, absolutely beautiful technology, but ultimately not for me.
Anyway, I hope I’ve moved everything over properly. If you see anything out-of-sorts, please let me know. I also plan to implement a photo gallery in the near future.
I had mentioned in my previous post that I preferred the film version of this photograph over the digital version. Here is an example of why (this is a crop of one of the previous images I posted):
At the foot of the mountains near our home is a beautiful orchard. The owners are kind enough to let photographers into the orchard to capture its beauty and, after some recent snowfall, I stopped by to capture the long grass protruding through a carpet of snow, accented by the reddish bark on the trees.
I shot these images with the Mamiya C220 on Kodak Portra 160 film. I also captured some frames with the Fuji X-Pro1 but definitely prefer the film images.
I thought I’d share an issue I experienced when upgrading Ghost to 0.4 and what I did to resolve it.
I wanted to upgrade Ghost to the latest version, 0.4, but first thought I would upgrade everything else. I did a yum update on my EC2 server to get all my packages up-to-date. I then upgraded Node.js to the latest stable version, as well as npm and all global packages (I install Node.js from source and did an npm update -g for all the other packages).