I consider myself quite “hack proof” when it comes to the web. I use a password manager and I don’t reuse passwords (but I used to). I never open files that I receive in mail. If I need to do something really critical I have a virtual machine that I boot up that runs plain Linux with no extras installed. But still I got hacked… how is this possible?
Last Friday around 14:45, while working on my Mac, I suddenly started to get messages from many of my contacts saying: “What is this link?”, “Hi JP, long time…”
I started to look at previous messages and saw a link to Baidu. I panicked. I signed off from Skype immediately and started to think what the h… had happened. My first thought was malware, but I had not installed anything special recently. Still, I immediately started a full virus scan and took the computer off the network. I opened my Windows machine and started to Google for answers. The strange thing was that I was not allowed to delete the Baidu links from my message history. Usually in Skype I am able to delete messages I send. This smelled fishy, as it looked like it was not actually “me” who sent those messages.
So what happened?
After Googling I found many comments and posts online, dating all the way back to 2015, describing similar experiences with Skype. One of the best threads I was able to find was in the Skype forum’s Security, Privacy, Trust and Safety channel.
It turns out Skype and Microsoft have a critical issue: hackers are able to log in to our Microsoft Accounts using the Skype name and password, without two-factor authentication. This affects all “non merged” accounts (remember, Microsoft bought Skype and then decided to merge logins with Microsoft). Skype logins were added to the Microsoft account as a sign-in option without informing people, and enabled by default.
I was using my @outlook.com account to log in to Skype on my computers and phone. But the original Skype username “jpkeisala” was still enabled with full access, and I had not changed the password for that username in ages. I used this same username for many services back in the day. So I checked which of those sites had been breached on https://haveibeenpwned.com/ and https://www.leakedsource.com/ and yes… quite a few.
OK, now I was sure that this was not malware but hacking. So I went to check https://account.live.com/Activity for suspicious activity and reported it on the support page.
So, now I have to change my password and find out how to avoid this in the future.
Based on my investigation, you (probably) don’t have malware or a virus; your username and password have been compromised, and the spam links are sent from the web, not from your computer. You need to reset your Microsoft password and deselect the Skype name as a sign-in option.
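I checked haveibeenpwned.com by hand. As an added example (not part of the original post), the script below shows how a program can ask a Pwned Passwords-style range API whether a password appears in known breaches without ever sending the password or its full hash: only the first five hex characters of the SHA-1 leave the machine, and the suffix is matched locally. The `_PRETEND_LEAKED` table and `fetch_range_fake` are constructed stand-ins for the service so the example runs offline; `fetch_range_live` targets the real endpoint and its response format is my assumption, not something the post describes.

```python
"""k-anonymity password breach check (added example).

The caller hashes the candidate password with SHA-1, sends only the first
5 hex characters, receives every known suffix for that prefix, and looks
for its own 35-character suffix in the list.  The service never learns
which password (or full hash) was being checked.
"""
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple


def sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str) -> Tuple[str, str]:
    """Split a 40-char digest into the 5-char prefix that is sent and the
    35-char suffix that is compared locally."""
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}.  Blank lines and
    zero-count padding entries (returned when Add-Padding is set) are dropped."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, _, count = line.partition(":")
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def fetch_range_live(prefix: str) -> str:
    """Real network fetch against the public range endpoint (assumed format;
    not used by the offline demo or its checks)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "pwned-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the service so the example runs offline.
# These "breach counts" are made up for the demo.
_PRETEND_LEAKED = {"password123": 50000, "letmein": 1200}


def fetch_range_fake(prefix: str) -> str:
    """Return what the service would answer for `prefix` given _PRETEND_LEAKED,
    plus one zero-count padding line as the real API does."""
    lines = []
    for pw, count in _PRETEND_LEAKED.items():
        p, s = split_hash(sha1_upper(pw))
        if p == prefix:
            lines.append(f"{s}:{count}")
    lines.append("0" * 35 + ":0")  # padding entry, ignored by the parser
    return "\r\n".join(lines)


def breach_count(password: str,
                 fetch_range: Callable[[str], str] = fetch_range_live) -> int:
    """Number of times the password appeared in breaches known to the service
    (0 = not found).  Only the prefix is handed to `fetch_range`."""
    prefix, suffix = split_hash(sha1_upper(password))
    counts = parse_range_response(fetch_range(prefix))
    return counts.get(suffix, 0)


if __name__ == "__main__":
    for pw in ("password123", "correct horse battery staple"):
        n = breach_count(pw, fetch_range_fake)
        print(f"{pw!r}: seen {n} times" if n else f"{pw!r}: not found")
```

Swap `fetch_range_fake` for the default `fetch_range_live` to query the real service; the rest of the code, including the local suffix match, is unchanged.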
Secure your account
- Log in to https://account.microsoft.com with your Microsoft Account
- Go to “Security and Privacy”
- Under “Account Security”, select “More security settings”
- Under “Sign-in preferences”, select “Change sign-in preferences”
- Deselect “Skype name”
- Press [Save]
- And if not already done, enable “Two-step verification”
- In https://account.microsoft.com/, change your password.
The idea of a headless CMS surfaced again while I have been looking at these static site generators. A couple of weeks ago I found Grav, a no-db CMS. Basically every page is a markdown file in a tree structure on disk, and at runtime the site generates its routing from that structure. Grav is built on Symfony (PHP). The benefit of this approach is that you can provide the base structure of a site in markdown, much like a static site generator, while still extending it by hooking into a database: for example, a pizzeria may have “static” content in markdown files and a table-booking feature that is database-driven. It also has a backoffice as a plugin, so you get an admin UI where an editor can manage the markdown files. Since pages are file based, you can run the backoffice anywhere and deploy only the runtime and the markdown files to the live server. This makes it more secure. Anyway, Grav is worth checking out if you are interested in a “different” way of thinking about how to create a CMS.
Anywhoooo… back to headless CMS. Since the internet is built more and more from Web Components, I have been considering how hard it would be to build an Angular 2 based CMS that has no server-side technology dependencies and instead runs solely on a JSON API. Though, I do need some kind of JSON store like Firebase to keep things hooked together.
ApplicationPoolIdentity is the best practice to use in IIS7. It is a dynamically created, unprivileged account. To add file system security for a particular application pool see IIS.net’s “Application Pool Identities”.
Here is a quick guide to granting rights to the correct AppPool identity in Windows Explorer
- Open Windows Explorer
- Select the Sitecore installation directory.
- Right-click it and select “Properties”
- Select the “Security” tab
- Click the “Edit” and then “Add” button
- Click the “Locations” button and make sure you select the local machine. (Not the Windows domain, if the server belongs to one.)
- Enter “IIS AppPool\Sitecore” in the “Enter the object names to select:” text box. (Don’t forget to change “Sitecore” here to whatever you named your application pool.)
- Click the “Check Names” button and click “OK”.
Refer to Sitecore Installation and Security guide for proper settings.
Here are two extensions that I have found great for developing on Angular 2.
Automatically finds, parses and provides code actions for all available imports. Currently only works with files in your folder and TypeScript.
ext install autoimport
Angular 2 TypeScript Snippets for VS Code
This extension for Visual Studio Code adds snippets for Angular 2 for TypeScript and HTML.
I kind of like status update boards as a concept for an Intranet much more than a “portal” or “brochure website”. For example, a customer I have been working with recently has an intranet that is the default start page on the corporate machines. On this particular “static” website, by far the most popular page is the lunch menu, with distant followers like the password for the guest WIFI etc…
Another customer of mine uses SharePoint as an Intranet. This portal is maintained by corporate communications with standard marketing jargon. Neither of these Intranets gives employees any way to interact, except perhaps a comment field in the news. I have never really been a big fan of Intranet sites, even though back in 2001-2003 I was building an Intranet / KM product. My disbelief in Intranets is mostly because they simply don’t seem to work as intended. I think where Intranets go wrong is when they start to listen to requirements from all stakeholders. Then they end up as a completely unusable Microsoft SharePoint solution, just because “the Intranet of course has to have granular rights and it should be configurable in the browser”.
But I do think Intranets could work if the Intranet were thought of as a flat organization instead of rigid departments and groups. Don’t get me wrong, I think security should be there, but why not have it like a social network? One service that I am looking forward to testing is Facebook at Work.
This “facebook wall”, where people could post whatever they want, would make the site more alive and certainly more relevant. Perhaps by default an employee is subscribed to all departments, but over time s/he could filter the feed down to only the things that s/he finds interesting personally and professionally.
There are a few other functionalities in Intranets that are must-have features, like a file share and a knowledge base. By knowledge base I mean what HR writes, like guides etc., that is occasionally visited. Often this is done as a wiki or simple pages. Then there is also the file share, a place to share docs. Usually these are made way too complicated (I am thinking of you, SharePoint!) because that is what the “requirement” says, but it really does not need to be like that.
rsync is a widely-used utility to keep copies of a file on two computer systems. It is commonly found on Unix-like systems and functions as both a file synchronization and file transfer program. The rsync algorithm, a type of delta encoding, is used to minimize network usage. Zlib may be used for additional compression, and SSH or stunnel can be used for data security.
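As an added illustration (not from the post and not rsync’s own source), here is a toy Python version of the delta algorithm mentioned above: the receiver signs each fixed-size block of its old copy with a weak rolling checksum plus an MD5, the sender rolls the weak checksum byte by byte over its new copy to find blocks the receiver already holds, and only the unmatched bytes are sent as literals. `BLOCK = 8`, the sample text `OLD`/`NEW` and the in-memory “transfer” are constructed for the demo; real rsync uses much larger blocks and its own checksum choices.

```python
"""Toy rsync-style delta encoding (added example, not rsync's code)."""
import hashlib
from typing import Dict, List, Tuple, Union

BLOCK = 8          # tiny block size so short sample text shows matches
MOD = 1 << 16      # weak checksum components are kept modulo 2^16

Delta = List[Union[int, bytes]]   # int = index of an old block, bytes = literal run


def weak_checksum(data: bytes) -> Tuple[int, int]:
    """Adler-32-style pair (a, b): a = sum of bytes, b = sum of prefix sums."""
    a = b = 0
    length = len(data)
    for i, x in enumerate(data):
        a = (a + x) % MOD
        b = (b + (length - i) * x) % MOD
    return a, b


def roll(a: int, b: int, out_byte: int, in_byte: int, length: int) -> Tuple[int, int]:
    """Slide the window one byte: drop out_byte, append in_byte, in O(1)."""
    a = (a - out_byte + in_byte) % MOD
    b = (b - length * out_byte + a) % MOD
    return a, b


def strong_checksum(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def signature(old: bytes) -> Dict[Tuple[int, int], List[Tuple[int, str]]]:
    """Receiver side: weak checksum -> [(block index, strong checksum)].
    A trailing partial block is not signed; it is always sent literally."""
    sig: Dict[Tuple[int, int], List[Tuple[int, str]]] = {}
    for start in range(0, len(old), BLOCK):
        block = old[start:start + BLOCK]
        if len(block) < BLOCK:
            break
        sig.setdefault(weak_checksum(block), []).append(
            (start // BLOCK, strong_checksum(block)))
    return sig


def make_delta(new: bytes, sig: Dict[Tuple[int, int], List[Tuple[int, str]]]) -> Delta:
    """Sender side: roll over `new`, emit block references where the receiver
    already has the bytes and literal runs everywhere else."""
    delta: Delta = []
    literal = bytearray()
    pos, n = 0, len(new)
    a = b = 0
    fresh = True                      # recompute the weak checksum after a match
    while pos + BLOCK <= n:
        if fresh:
            a, b = weak_checksum(new[pos:pos + BLOCK])
            fresh = False
        match = None
        for idx, strong in sig.get((a, b), ()):
            if strong_checksum(new[pos:pos + BLOCK]) == strong:   # confirm weak hit
                match = idx
                break
        if match is not None:
            if literal:
                delta.append(bytes(literal))
                literal = bytearray()
            delta.append(match)
            pos += BLOCK
            fresh = True
        else:
            literal.append(new[pos])
            if pos + BLOCK < n:
                a, b = roll(a, b, new[pos], new[pos + BLOCK], BLOCK)
            pos += 1
    literal.extend(new[pos:])         # leftover tail shorter than a block
    if literal:
        delta.append(bytes(literal))
    return delta


def apply_delta(old: bytes, delta: Delta) -> bytes:
    """Receiver side: rebuild the new file from its old copy plus the delta."""
    out = bytearray()
    for item in delta:
        if isinstance(item, int):
            out.extend(old[item * BLOCK:(item + 1) * BLOCK])
        else:
            out.extend(item)
    return bytes(out)


def delta_stats(delta: Delta) -> Tuple[int, int]:
    """(literal bytes sent, block references sent)."""
    literal = sum(len(x) for x in delta if isinstance(x, bytes))
    refs = sum(1 for x in delta if isinstance(x, int))
    return literal, refs


def rolling_matches_direct(data: bytes) -> bool:
    """Self-check: rolling the checksum forward equals recomputing it."""
    if len(data) <= BLOCK:
        return True
    a, b = weak_checksum(data[:BLOCK])
    for pos in range(len(data) - BLOCK):
        a, b = roll(a, b, data[pos], data[pos + BLOCK], BLOCK)
        if (a, b) != weak_checksum(data[pos + 1:pos + 1 + BLOCK]):
            return False
    return True


# Constructed sample: the receiver holds OLD, the sender has NEW with 9 bytes inserted.
OLD = b"The quick brown fox jumps over the lazy dog. " * 4
NEW = OLD[:20] + b"INSERTED " + OLD[20:]

if __name__ == "__main__":
    delta = make_delta(NEW, signature(OLD))
    lit, refs = delta_stats(delta)
    print(f"new file {len(NEW)} bytes -> {lit} literal bytes + {refs} block refs")
    print("reconstruction ok:", apply_delta(OLD, delta) == NEW)
```

Because every weak-checksum hit is confirmed with the strong checksum before a block reference is emitted, a checksum collision costs only a missed shortcut, never a corrupted file.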
How to use ‘cp’ command to exclude a specific directory?
I found rsync when I was trying to copy all files except the “x” and “y” files and directories. You can do that as follows:
rsync -av --progress sourcefolder /destinationfolder --exclude thefoldertoexclude
Notice that you can add many --exclude options, like:
rsync -av --progress sourcefolder /destinationfolder --exclude thefoldertoexclude --exclude anotherfoldertoexclude
I found some great samples by Ramesh Natarajan; I have copied a few below, with a link to more samples.
Example 1. Synchronize Two Directories in a Local Server
To sync two directories in a local computer, use the following rsync -zvr command.
$ rsync -zvr /var/opt/installation/inventory/ /root/temp
In the above rsync example:
- -z enables compression
- -v is verbose
- -r indicates recursive
Example 2. Preserve timestamps during Sync using rsync -a
The rsync option -a indicates archive mode. The -a option does the following:
- Recursive mode
- Preserves symbolic links
- Preserves permissions
- Preserves timestamp
- Preserves owner and group
Now, execute the same command from example 1, but with the rsync option -a, as shown below:
$ rsync -azv /var/opt/installation/inventory/ /root/temp/
Example 3. Synchronize Only One File
To copy only one file, specify the file name to rsync command, as shown below.
$ rsync -v /var/lib/rpm/Pubkeys /root/temp/
More samples at:
How to Backup Linux? 15 rsync Command Examples
6 rsync Examples to Exclude Multiple Files and Directories using exclude-from
In metric, one milliliter of water occupies one cubic centimeter, weighs one gram, and requires one calorie of energy to heat up by one degree centigrade—which is one percent of the difference between its freezing point and its boiling point. An amount of hydrogen weighing the same amount has exactly one mole of atoms in it.
from Wild Thing: A Novel by Josh Bazell