Getting last modified software on Windows using PowerShell

Getting the list of the last modified software on Windows is actually simple, if using PowerShell

Photo by Miti on Unsplash

Whenever I get requests like "hey, how can I get the lastly installed software on my machine?", I try to resolve them with code and as simple as possible. Turns out that on Windows, PowerShell can be an excellent tool for scripts like those. On this post, let's address that using PowerShell and review how it became a fun, simple and quick exercise.

Using Get-WmiObject

The Get-WmiObject cmdlet is what we need to get Windows diag information. By combining it with Export-Csv we can export all installed software on our machines with:

Get-WmiObject -Class Win32_Product | Export-Csv installed.csv

Using Get-ChildItem

The next part consists in using the Get-ChildItem cmdlet to filter out our exported data. That can be done with:

# getting last modified files
Get-ChildItem C:\ -rec | sort LastWriteTime | select -last 1000 | Export-Csv files.csv

Conclusion

Doing this simple exercise was fun, simple and quick using PowerShell. Don't know PowerShell yet? I would urge you to take a look and learn it (even if just the basics). PowerShell is a powerful tool used extensively in devops on Windows, Azure and Linux.

Oh, and yes, I really don't miss the days before PowerShell!

References

• Get-WmiObject
• Get-ChildItem 
• Export-Csv
• PowerShell.org
• Installing PowerShell Core on Linux 
• Find latest modified file information in PowerShell
• Windows : How to list files recursively with size and last access date?

See Also

• My journey to 1 million articles read
• Determining installed .NET Framework versions using PowerShell
• PowerShell - The server committed a protocol violation
• Windows Subsystem for Linux, the best way to learn Linux on Windows
• Why I use Fedora
• How I fell in love with i3
• Diagnosing and Fixing WSL initialization issues
• Creating a Ubuntu Desktop instance on Azure

PowerShell - The server committed a protocol violation

Let's understand what that error means and review 3 different ways to fix it.

Photo by Max Rovensky on Unsplash

This sort article details a good trick for those getting the following error in PowerShell: 

The server committed a protocol violation

After googling ducking around, I found three different solutions for this problem:

1. Modifying your powershell.exe.config;
2. Modifying your request in order to avoid it stopping if your url is invalid in .NET
3. Modifying your request in order to avoid it stopping if your url is invalid in PowerShell.

Let's review each of them and understand a little more about the problem.

Solution 1 - Modifying powershell.exe.config

This solution will apply to all PowerShell requests so use with caution. Also, this solution is not portable so, if you plan to run this script on a machine you don't have admin access to, this solution will probably not work.

<system.net>

<settings>

<httpWebRequest useUnsafeHeaderParsing="true" />

</settings>

</system.net>

Solution 2 - Modifying your request in .NET

To modify your request, have the code below before you actually run Invoke-WebRequest:

$netAssembly = [Reflection.Assembly]::GetAssembly([System.Net.Configuration.SettingsSection])

if($netAssembly)
{
    $bindingFlags = [Reflection.BindingFlags] "Static,GetProperty,NonPublic"
    $settingsType = $netAssembly.GetType("System.Net.Configuration.SettingsSectionInternal")

    $instance = $settingsType.InvokeMember("Section", $bindingFlags, $null, $null, @())

    if($instance)
    {
        $bindingFlags = "NonPublic","Instance"
        $useUnsafeHeaderParsingField = $settingsType.GetField("useUnsafeHeaderParsing", $bindingFlags)

        if($useUnsafeHeaderParsingField)
        {
          $useUnsafeHeaderParsingField.SetValue($instance, $true)
        }
    }
}

Solution 3 - Modifying your request in PowerShell

This is probably the simplest. Just run the line below:

[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }

Conclusion

On this post we reviewed three different ways to resolve a problem in PowerShell. Don't know PowerShell yet? I would urge you to take a look and learn it (even if just the basics). PowerShell is a powerful tool used extensively in devops on Windows, Azure and Linux.

References

• Invoke-WebRequest
• Ignoring SSL trust in PowerShell System.Net.WebClient
• Invoke-WebRequest - protocol violation when attempting to login using XML

See Also

• My journey to 1 million articles read
• Getting last modified software on Windows using PowerShell
• Determining installed .NET Framework versions using PowerShell
• Windows Subsystem for Linux, the best way to learn Linux on Windows
• Why I use Fedora Linux
• How I fell in love with i3
• Diagnosing and Fixing WSL initialization issues
• Creating a Ubuntu Desktop instance on Azure
• Hosting NuGet packages on GitHub
• My journey to 1 million articles read
• How and why use stronger passwords

ASP.NET - How to allow anonymous requests on secure endpoints

How to allow unauthenticated requests on authorized endpoints using ASP.NET? Let's take a look.

Photo by Philipp Katzenberger on Unsplash

In a previous article, I described how to extend the ASP.NET pipeline with custom security. Turns out that certain endpoints were still required to operated unauthenticated. How do we allow those requests to be processed? The solution relies on:

1. Decorating the security attribute with the AllowAnonymous as discussed on the previous post.
2. Detecting the current request is an ActionExecutingContext and allowing the request to proceed conditionally.

Let's see how we can write a custom RequirePermission attribute to solve that problem.

Writing a custom ActionFilter Attribute

Writing a custom ActionFilter attribute isn't complicated. Here's one code that demonstrates how to do that elegantly:

Using the Attribute

Next, we ca use our attribute to decorate our actions so it runs as soon as our endpoint is hit:

Conclusion

This was a quick post extending the previous discussion on how to implement custom action filters to have a better control over the requests agains our application. On this post I explained how you could intercept requests on your application and react to them using these attributes. For a complete understanding of the project, please the original discussion

See Also

• My journey to 1 million articles read
• Adding Application Insights telemetry to your ASP.NET Core website
• Send emails from ASP.NET Core websites using SendGrid and Azure
• Creating ASP.NET Core websites with Docker
• Building a custom security framework with ASP.NET applications 
• Hosting NuGet packages on GitHub
• How and why use stronger passwords
• Security and development: how much is being done?
• Security is only as strong as the weakest link
• The Laws of security
• Privacy and Ethics
• Integrated security vulnerability alerts on GitHub - Why it matters
• Building and Running ASP.NET Core apps on Linux 

Security Boundaries

Knowing the security boundaries of our applications help building safer code. Read to understand.

In order to properly implement secure applications, developers should understand the concept of security boundaries (or trust boundaries) in the context of software development/architecture.

So let's start with a solid definition. According to IEEE, security boundaries are:

defined by a set of systems that are under a single administrative control. These boundaries occur at various levels, and vulnerabilities can become apparent as data “crosses” each one.

A good guideline to understand what the security boundaries of your app are is by:

• examining their applications from both functional and technical perspectives;
• understanding and evaluating the boundaries in and between their applications;
• taking into account all the interfaces and integrations to/from their systems;
• knowing that vulnerabilities can be propagated from one boundary to the other, possibly affecting not only your application but also leaking to your users;

Trust Model

Bruce Schneier defines trust model in his book Secrets and Lies as:

how an organization determines who to trust with its assets or pieces of its assets.

As developers, we could use the same paradigm by considering:

• who should have access to my system;
• what can they access;
• which internal components in my application I trust, which I don't;
• which external components in my application I trust, which I don't;

With all that information you should be able to draw lines (security boundaries) around your architecture, helping you identify what are the trust levels between those boundaries.

Performing security verification

Once we know which are the boundaries of our apps, we could reduce the development effort to check security only in the application boundaries. For example: if my web app talks exclusively (is coupled) to my backend and vice versa, it's fair to say that I only need to validate my data once.

But don't treat that as a general rule. Actually, I would treat that as an exception as applications today are getting more and more complex.

Security checks in the cloud

What if my web app talks exclusively to my backend via a message queue or a storage account in the cloud? Is it safe to say that I should trust everything that reaches the backend? Of course not. After all, being the transport layer publicly available, it could be compromised. Being compromised, messages reaching the backend might also be compromised, resulting in breaches in my system. I should validate them whenever possible.

Every new element we add to our architecture is another element in the security boundary equation: should I trust everything that comes from it or not?

Security checks with Different Networks

Same for applications in different networks. Just by adding a public network between them, means that the information we're getting (if not encrypted) might have been tempered with. Should we trust it? The answer to that is related to how trustable our network is. Being a private vnet in the cloud, I would be ok. Public, not so much.

Local Security checks

In the same process

For two assembly in the same process for example, I don't think no security checks needs to be done. However, if two applications share the same process and a component in one calls a component in the other, a security check should be done because we crossed an application boundary.

In with different Processes

Likewise, if two applications reside in different server processes and a component in the first application calls a component in the second application, a security check is done.

Final Thoughts

I briefly introduced the concept of security (or trust) boundaries in this post. I hope you use that information to, in the future, evaluate how your company is treating the data you are injecting from your users and 3rd-party APIs.

See Also

• My journey to 1 million articles read
• How and why use stronger passwords
• Security and development: how much is being done?
• Security is only as strong as the weakest link
• The Laws of security
• Privacy and Ethics
• Integrated security vulnerability alerts on GitHub - Why it matters

How and why use stronger passwords

The number of online attacks increases and weak passwords is one of the main reasons. Learn how to create stronger passwords and be safer online.

Passwords are probably the most sensible aspect of our lives today. With more and more leaks happening every day, it's strongly recommended to start thinking about stronger passwords for our personal online accounts and our applications. So how can we leverage existing tools in a non-complex way to enhance our online protection?

Let's take a look.

What you should do

Let's start with simple basic tips for everyone. For starters, this is what we should be doing:

• Using passwords with at least 8 characters;
• Using complex passwords that include numbers, symbols, and punctuation;
• Using a variety of passwords for different accounts or roles;
• Using a secure password tool;

What you should not do

It's also important to remember what we should not do. For example, below I list somethings we should not be doing:

• using dictionary words as passwords, e.g. apple, cat, Raptors, etc;
• use sequences of characters, e.g. 3333, abcdabcd;
• use personal information in passwords, e.g. your birthdate;
• reutilize passwords;
• avoid setting the password as the associated service, e.g. Gm@il or Dropbox123;
• combinations of those above;

Other interesting tips to increase our protection are:

• Avoid storing passwords on devices that you take out of home;
• Use a password manager to securely keep track of your passwords (see the section below);
• Setup MFA/2FA when available (see the section below);
• Use a secure password generator to generate stronger passwords (see the section below);
• Never remember a password!

Use Password Managers

While the  above tips are good to start and have in mind, let's now see concrete examples in how we can increase the complexity of our passwords and how we can protect them from external access. Utilizing stronger password demands a better memory. In case you don't have one as me, I  strongly recommend the utilization of a password manager like 1password, KeePass and it's forks KeePassX and KeePassXC. That's why I never remember my passwords! =)

And because I need to access my passwords on Linux and Windows machines, I'm currently using KeePassXC. I also advocate for files on disk instead of services like LastPass because you cannot trust anyone else nowadays =). How safe is LastPass data for example? Well, they were hacked before...

Using KeePass

Since KeePass is one of the most familiar out there, let's provide a very quick introduction on it. The rest, I'm pretty sure you can figure out. Also, if you're using one of its forks, should be the same, just varying the visual look and feel.

Step 1 - Create your password database

The first step is to create your password database. Launch KeePass, 

Step 2 - Start adding your passwords

See? KeePass not only manages our passwords but also helps us generating a very complex passwords for us.

Step 3 - Keep using it!

Yes, keep using it! Add all your accounts to this file and keep it safe on your disk, doing periodical backups. And sice KeePass is remembering your passwords for you, you have no excuses for sharing passwords or using simple passwords. Plus, backing up this file online is safer as the file is encrypted and assuming you didn't choose a very simple password for the file, it should take a long time for someone to crack it.

Which takes us to the next tip...

Recycle Passwords

Another relevant tip is recycling passwords. You may have already figured out that it's a technical term for not reusing the same passwords. But why? Yes, you should recycle your passwords every 3 months or so. It helps against data leaks. Or, if your service has something like a password expiration policy, even better:

Source: Outlook.com

How to create stronger Passwords

Most password managers have a very useful tool to generate passwords. After getting familiar with KeePass, I suggest getting acquainted with the Password generation tool.  To access it, do:

Tools -> Password Generator:

As we can there there are lots of intresting options here:

• You can set the length of the generated passwords;
• You can set/unset multiple options (I would recommend checking at least 4 of them);
• You can provide patterns, certain characters;
• You can strengthen entropy by clicking on the "Advanced" button

And, by clicking on the "Generate" button, KeePass will generate a password for you. It will even tell you how strong your password is (92 bits in this case). Remember to keep an eye on the bar. It will tip you how strong your password is. In theory, we should have the tool generate passwords for us as their algorithm handles better the complexity required.

Enable multiple-factor authentication

Multiple-Factor Authentication (MFA) and it's simpler form Two-Factor Authentication (2FA) is a way of logging in that requires more then a password. Example: a text message or a verification e-mail with a random code on a different email account are sent and the user will only be allowed access if she enters the right code..

MFA adds a very strong security component to our online accounts since it reduces dramatically the chances an unauthorized user can access our accounts. Many recent hacks such as the celebrity hack could have been avoided if MFA was enabled. But Apple have learned from the episode and now advise users to protect themselves using 2FA:

To protect against this type of attack, we advise all users to always use a strong password and enable two-step verification. Both of these are addressed on our website at http://support.apple.com/kb/ht4232.

Example 1 - Enabling MFA for an Apple ID

The majority of the most used websites currently offer MFA. As an example, here's what you need to do to enable MFA on you Apple ID.

Source: https://support.apple.com/en-ca/HT204915

Example 2 - Enabling MFA on GitHub

In GitHub, go to your profile -> security, and click:

Then you choose one of the options below to get your code:

How Secure is your Password?

Speaking of strong passwords, how secure is a  92 bits password compared to my own password? According to howsecureismypassword.net:

• your simple password like "Apple123" is broken instantly;
• a complex password as that one generated above would be broken in 52 quadrillion years;

Just access that type and enter your password to get a quick feedback on how long it would take for someone to crack your passwords:

Source: https://howsecureismypassword.net/

Spot the difference? Few hours x 52 quarillion years. But wait! There are techniques to speed up this process but we will not cover them now. The objective of that was to illustrate the importance of creating and using stronger passwords.

Conclusion

On this post I presented many suggestions on how to create strong passwords, store, transport and additional protection layers such as MFA. Please, start use them all and make your information safer. As a final note, consider using stronger passwords and enabling MFA on all your accounts.

See Also

• My journey to 1 million articles read
• Security and development: how much is being done?
• Security is only as strong as the weakest link
• The Laws of security
• Privacy and Ethics
• Security Boundaries
• Securing our front-end
• Integrated security vulnerability alerts on GitHub - Why it matters
• Dropbox officially debuts its password manager

Why use Firefox

Understand why Firefox is still the best browser for those looking to keep their privacy online.

If you have been following this blog, you may know that I've been discussing the importance of security and privacy. If not, please read how we are being tracked without consent everywhere: by search engines, browsers, mobile apps, social networks, TVs, games, devices, etc. Turns out we're living in difficult times for those seeking privacy

My Favorite Firefox Features

Apart from its privacy-first commitment, let me list my favorites of  Firefox.

Performance

This version of Firefox is 2x-faster than a year ago, significantly faster than Chrome. Do not believe? Check the video below for a quick comparison between the performances of Firefox and Chrome.

Lightweight

Firefox made significant improvements to its new engine and now uses 30% less memory than Chrome:

Source: https://www.mozilla.org/en-US/firefox/quantum/

Development Tools

Every developer deserves an awesome development environment. Firefox Quantum ships with a completely revamped DevTools with multiple improvements included. Check more on this blog post to find out more.

Source

Privacy Considerations

As previously said, Firefox is the only browser committed to privacy. Even Brave who marketed themselves as the best privacy-oriented browser were caught replacing ads with their own and probably also tracking you.

Beautiful UI

And, my last personal favorite: the new Photon UI. Simply gorgeous:

Source: https://hacks.mozilla.org/2017/09/firefox-quantum-developer-edition-fastest-firefox-ever/

Mobile

I've used many browsers on different mobile devices and honestly, never have been completely satisfied. Lately, I've been using Firefox Focus and if you want speed, privacy in a lightweight browser, you got it there:

Source: https://www.mozilla.org/en-US/firefox/focus/

Contributions to the Open Standard

Apart from Firefox, Mozilla has been doing very important advances in open science in:

• Gaming: WebAssembly & WebGL;
• MDN: extensive documentation on web technologies including HTML, CSS, and APIs for both Web sites and progressive web apps.
• WebVR: an incubator for virtual reality on the web;
• Servo: an amazing parallel browser engine 
• Rust: an amazing open-source programming language that focuses on speed, memory safety and parallelism.
• Open Codecs: if you use Linux, you know what I mean...
• Speech and Machine Learning

Conclusion

If you agree with me and thing that it's time for a more open web, more privacy and security, join me and millions of other users and start using Firefox again! So what are you waiting for? Go get your Firefox right now!

See Also

• My journey to 1 million articles read
• How and why use stronger passwords
• Security and development: how much is being done?
• Security is only as strong as the weakest link
• The Laws of security
• Privacy and Ethics
• Security Boundaries
• Why use Fedora Linux
• Windows Subsystem for Linux, the best way to learn Linux on Windows

How can you become a FOSS / Open-Source Contributor

Considering joining the open-source movement but don't know where to start? Learn some tips on this post.

Photo by Mohamed Nohassi on Unsplash

FOSS is awesome! Millions of people around the world dedicate their time working and free/open-source software benefiting the world around us. Most likely the tools use love and use are probably backed by open-source software one way or another. For example, the internet you're using now runs on Linux. SmartTVs, drones, cars, super computers, your android phone and yes, even your iOS device is also based on BSD, a FOSS project. 

There are hundreds thousands of projects you probably use that available for free. Projects like like Mozilla Firefox, OpenOffice, git, Bootstrap, React, FontAwesome, OpenSSH, internet servers, just to name a few. On this post let's learn ways you too can help free/open-source communities around the world.

Tips for programmers

If you know how to program and would like to contribute that way, here's a couple of ways you could help the community:

• Writing code;
• Submitting pull requests;
• Reviewing code;

Once you understand the project requirements, philosophy, workflow and communication channel, get in touch with the project maintainer(s) to present yourself. The easiest way for those that know how to program is to go directly to the project page. A nice start page would be Git Explore.

Tips for non-programmers

Do not have programming skills? Don't give up! There are lots of other ways you can help. Check the list below.

Writing

Like writing? There's definitely gaps in documentation on free/open-source software. Consider supporting your favourite project on:

• Documentation;
• Tutorials;
• Translations;

Designing

You're a designer? There are lots of opportunities to contribute with your artistic skills on free/open-source software. For example:

• Logos;
• UI mockups;
• Event banners;
• Fonts;
• User Experience
• TShirts;

Participating / Organizing Events

Social events? You can always participate in:

• Meetups;
• Install fests;
• Volunteering in bigger events
  

Using the software

Know well some specific software? Why not help people:

• installing free software;
• on Q/A sites around the internet
• on Slack/IRC/Discuss channels;
  
• helping someone else installing/troubleshooting someone else's computer;

Helping with Infrastructure

Know systems and infrastructure? What about:

• supporting servers;
• donating servers;
• maintaining the build systems;
• packaging;

Donating

None of the previous? What about donating to organizations you like / admire / support other FOSS projects like:

• the Linux Foundation
• the Free Software Foundation
• the Document Foundation
• the Gnu project;
• Patreon FOSS projects;
• the Mozilla Foundation;
• and more, way more;

Supporting other Users

You can always support other users by answering their questions on StackOverflow, AskFedora or AskUbuntu for example.

Divulging

On your school, university or company? What about educating people on how to use free/open-source software?

Writing posts

What about blog posts? Even those as simple as as this one help people around the world! 😊

References

• How to Contribute to Open Source
• Curated list of awesome lists
• GitHub Explore - search your open source project;
• What can I do for Fedora - has a nice yes/no tool to guide you to what/how you could help. Note that you don't necessarily need to do that for fedora but for a project of your interest.

Conclusion

This post was just to present ideas on how to start helping open source projects. Most people think that contributing to open source is just about code while it is not. There's tons of ways we can start helping others out there so why not?

See Also

• My journey to 1 million articles read
• Why use Fedora Linux
• How I fell in love with i3 
• How to create a Ubuntu Desktop on Azure 
• Windows Subsystem for Linux, the best way to learn Linux on Windows
• Red Hat Enterprise Linux keeps growing
• 5 tools for Azure Development on Linux
• It's time to Firefox again

It's time to Firefox again

Understand why now is the best time to start using Firefox again

On a previous post, I listed ways we are being tracked without consent by search engines, browsers, mobile apps, social networks, TVs, games, devices, etc. Hopefully by now, you understand why we all should be concerned with security, ethics and privacy.

But before we discuss privacy and why we should reconsider Firefox, I thought it would be interesting to do a quick recap on web browsers, this omnipresent tool in our lives.

Market Share

Today, Firefox has about 13% market share. A huge decrease if we consider that it originates from Netscape, which had close to 80% of the market two decades ago.

Source: https://www.statista.com/statistics/268254/market-share-of-internet-browsers-worldwide-since-2009/

To understand how that happen, let's take a quick look at the browser market history

The First Browser War

Back in 1995, Netscape sailed in calm waters until a Internet Explorer 1.0 was released by Microsoft. That was the beginning of what's called the first browser wars.

According to Wikipedia:

• By mid-1995, Netscape Navigator was the most widely used web browser and Microsoft had licensed Mosaic to create Internet Explorer 1.0 which it had released as part of the Microsoft Windows 95 Plus! Pack in August.
• Internet Explorer 2.0 was released as a free download three months later. Unlike Netscape Navigator it was available to all Windows users for free, even commercial companies.
• Internet Explorer 4 changed the tides of the browser wars. It was integrated into Microsoft Windows, which gave it a large installation base.

Quickly, the Windows-IE integration brought excellent results to Redmond. Now, Microsoft had two advantages in the browser market:

• Resources - Microsoft had way more financial resources than the relatively small company that essentially had a single product (Netscape Navigator)
• IE was bundled with Windows - since Windows had over 90% share of the desktop operating system market, IE quickly gained adoption.

Fast dominance, Slow innovation

But the market share dominance certainly was not good for consumers. A period of slow innovation started:

Microsoft was able to dominate the market share easily as customers had it as the default browser. This also brought an end to the rapid innovation in web browsers; until 2006 there was only one new version of Internet Explorer since version 6.0 had been released in 2001.

The market remained stalled for a few years until a new contender entered the market: Google Chrome.

The Second Browser War

The Chrome browser was released on December 11, 2008, using the same WebKit rendering engine as Safari and a faster JavaScript engine called V8. Google replicated Microsoft's aggressive strategy and embedded Chrome in Android. Quickly we saw Chrome surpassing Firefox and IE to reach the top spot:

Chrome Advances

Let's be honest: Chrome indeed brought us many advances. To name some: simple bookmarks and settings synchronization, web standards support, malware blocking, plugins, incognito mode, speed, stability, desktop apps, its web store, extensions, themes, automatic web page translation, release channels, frequent release cycles, etc. That's a lot!

But remember, they weren't the first to create most of these features. Firefox (and Opera) had most of those features way before them:

• themes;
• a web store;
• extension support;
• plugin support;
• incognito mode;
• web standards support;
• developer tools;
• do not track;
• automatic updates;

The Strategy

The history repeated itself: a company with OS dominance embed  their browser and foster it as the best for you on all its channels. Example, if you go to Google.com today using Firefox you will see:

 

Source: google.com (using Firefox)

Because Chrome is embedded in Android (the most popular mobile OS), has tight integration into other Google services and to ads like the above, people keep ditching alternatives and just using Chrome.

The problem

As always, problems begin when you dominate the market share. Impartial practices, disrespect to open standards, privacy concerns and all sorts of other issues happen. Common complaints in the past are now back with Chrome:

• Chrome is a memory hog;
• Chrome drains my battery;
• Chrome does not respect my privacy;
• Chrome tracks me;
• Mobile data sharing is 'out of control'

So how can we approach this problem?

The solution

The solution is a more open Web, not a web governed by one or two companies but internet for people, not for profit. It has to include open standards, open formats, strong security and privacy that protect the users.

It's internet for the people, not for profit. 

Source: https://www.mozilla.org/en-US/

Unfortunately, the web today has problems. Security, ethics and privacy are not being respected and we should work together to improve it. And it will start with us, the users. It should start with our search engines and with our browser.

Firefox

That's why my browser of choice is Firefox. Because I want my privacy respected, because I want a more open web, because I support open-source software, because it has excellent development support and it's super fast!

Enhanced Tracking Protection

To get better, Mozilla has been working on the Enhance Tracking Protection feature. Starting on Firefox 63, users will be able to block all third-party cookies so they are not tracked while browsing the web.

Fast, Lightweight and Private

Bonus: Firefox Focus

I've used many browsers on different mobile devices and honestly, never have been completely satisfied. Lately, I've been using Firefox Focus and if you want speed, privacy in a lightweight browser, you got it there:

Source: https://www.mozilla.org/en-US/firefox/focus/

Conclusion

We are being tracked without consent by search engines, browsers, mobile apps, social networks, TVs, games, devices, etc. Hopefully by now, you understand why we all should be concerned with security, ethics and privacy.

There are alternative search engines and browsers that respect your privacy. Why not try and spread the word?

References

• Mobile data sharing is 'out of control'
• Firefox - Enhance Tracking Protection
• DuckDuckGo - A search engine that does not track you
• Firefox Focus

See Also

• My journey to 1 million articles read
• Security and development: how much is being done?
• Security is only as strong as the weakest link
• The Laws of security
• Privacy and Ethics
• Security Boundaries
• Why use Fedora Linux
• 5 tools for Azure Development on Linux 
• How to create a Ubuntu Desktop on Azure 
• Windows Subsystem for Linux, the best way to learn Linux on Windows

Creating private git repos using Azure DevOps

GitHub's also offering free repos now! As it's the world's most popular development platform, I'd recommend using it instead of Azure DevOps.

GitHub is awesome. It dramatically changed how we share and contribute to open source sofware in the work. But, one of its limitations, especially for startups, companies or even tech professionals is that it doesn't allow private repos for free.

Fair enough, they are a company and need to pay for infrastructure, their employees and support all the amazing work that they do and all the traffic that they get. But since startups usually can't have upfront costs what's the alternative?

Introducing Azure DevOps

Azure DevOps is a private (up to 5) service that has a bunch of cool stuff for developers and startups.

I'm a big fan of Visual Studio Team Services because:

• as, this post explains, offers private git repos for free;
• allows us to do view repos, code, pull requests/merges online;
• automate Azure deployment;
• run automated tests;
• do continuous integration;
• do relelease management;
• have multi branches for your baseline;
• install extensions;
• host your private wiki;
• and more, way more.

Creating your Repo

But back to the repos. Being free, once you register, you can create a new project like:

Azure DevOps - Creating a new private repo

Once your project is created, you should see your Git url from which you're able to pull privately using the credentials for the account you just created.

VSTS - Your Git Url

After your first push, you should see your files there. Other nice features already mentioned above, are available in the blue bar above and I plan to review them in the future.

Personal Git Repo

One thing that was not much explored is, the benefit developers and people who produce digital content in general is using VSTS to host your personal files. Instead of using GDrive, DropBox or OneDrive, why not host all your files there? Plus, you get all the benefits already provided by git and the cloud:

• security
• confidentiality
• intergrity
• version control
• hosted on the cloud

So, you could store your portfolio, your projects, all those txt files that are never archived and always lost =) in git, access and modify them from multiple machines and let git manage it for you - for example, rejecting one modification because you are not up to date with the repo.

Conclusion

So there you have it. VSTS is a very friendly, powerful and free (up to 5 users) that you can use to host your personal and professional projects. Definitely it's worth trying.

GitHub's also offering free repos now! As it's the world's most popular development platform, I'd recommend using it instead of Azure DevOps.

References

• Azure DevOps
• Azure DevOps Services

See Also

• My journey to 1 million articles read
• Adding Application Insights to your ASP.NET Core website
• Hosting NuGet packages on GitHub
• Why you should start using .NET Core
• Package Management in .NET Core
• Exporting HTML to PDFs using only JavaScript
• Importing CSVs with .NET Core and C#
• Exporting a CSV generated in-memory in Asp.Net with C#
• Building and Running Asp.Net Core apps on Linux
• Generating views in the backend with ASP.NET
• Testing Javascript on ASP.NET Core Applications

Securing your front-end

How secure is your front-end and how much could it be? Let's discuss it on this post.

An extremely common and dangerous flaw in web apps security is relying solely in client side security as we already discussed on this blog here and here. On this post we’ll examine the most frequent mistakes developers make and how to protect from them. But before we proceed, check our previous discussions on web application security. For all the topics on security, please click here.

Law of Security #4

We already reviewed the 10 laws of security on this blog. So, you may recall our Law #4:

If you allow a bad guy to upload programs to your Web site, it’s not your website any more.

That's probably, the main (but not the only) reason why web applications are so insecure: users are constantly submitting data to your application and changing data state. So what should we do? 

Should you trust all data being submitted to you?
No.

Can you trust data from cookies sent to you?
No.

Can you trust everything that you are getting in your web application layer?
Of course not.

You cannot trust client side security

Because you don’t have control of what runs on your client or how that information is being submitted - if it was manipulated or came from a different source than you expect - you should never trust the data you are getting in a request. That's why you should always re-validate in your server data sent to you. The only actual info you should trust is the session, stored on the server.

So what are the most common mistakes?

In the context of web applications, the most common mistakes web developers make are:

• Hiding info in hidden fields
• Relying on Http cookies
• Relying on Url parameters
• Using Form action urls for backend logic
• Using the Referer header for backend logic
• Trying to be cryptic or to obfuscate info
• Rely purely on the ASP.Net Viewstate
• Rely only on html form attributes
• Only run Javascript validation

Mistake #1 - Hiding info in hidden fields

In the past, developers used to hide essential information in hidden form fields as:

<input type=”hidden” name=”price” value=”45”>

So when a post was submitted to the server, something like the below would be sent:

POST /page.aspx HTTP/1.1
Host: mysite.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 20
quantity=1&price=449

Hacking this application is as simple as:

1. changing the price value using devtools and resubmitting the form;
2. issuing a post from a different tool to the server.

Luckily, this anti-pattern is no longer common anymore.

Solution

The solution here is simlpy not use hidden fields to pass sensitive information to the client. Use the Id of the product or some other type of identifier instead.

Mistake #2 - Relying on HTTP cookies

This one is less common but is still being used. Developers are still saving sensitive information in cookies, which are stored in the client side and can be easily manipulated. Consider this response from the server:

HTTP/1.1 200 OK
Set-Cookie: Discount=20
Content-Length: 100

Assuming that the Discount value set in the cookie was used to perform some calculation in the server, a malicious user could easily change that information to 100 for example, and get the product for free. Not what we want.

POST /store.aspx HTTP/1.1 

Cookie: Discount=100
Content-Length: 10

Solution

The solution here is simlpy not use cookies fields to exchange/store sensitive information to the client. If you need to save, save it on the session, on the server. Upon each request, get the session value and process it from there.

Mistake #3 - Relying on Url parameters

Often, urls are very easily hackeable:

 somesite.com/store/view?prod=3&price=100

Anyone using a web browser or curl for example could alter that url and, if that property was used to provide the price to the server, alter it and benefit from your security issue. Others can be more obscure but also open to attacks:

 somesite.com/store/view?prod=3&price=100&price_tkn=VJ58k6UxCFdUHiVj

 Remember that security trough obscurity does not work flawlessly.

Solution

Avoid using the query string to pass sensitive information. Even if some urls are meant to be hackeable, that's not the objective here.

Mistake #4 - Using Form action urls for backend logic

Similar to mistake #3, hidden but still modifiable, form actions can also be used to pass information :

<form action="/store/submit?discount=10">

...
</form>

Remember, this approach could be easily manipulated.

Solution

Avoid using the query string to pass sensitive information. Even if some urls are meant to be hackeable, that's not the objective here.

Mistake #5 - Using the Referer header for backend logic

Less common, the Http Referer header can be used to simulated authentication logic in the server. For example, a request like:

GET /auth/CreateUser.aspx HTTP/1.1
Host: mdsec.net
Referer: https://mysite.com/auth/admin.aspx

Could be interpreted in the server that the user indeed came from the admin page. While this could be true for non-malicious requests, it could also be manipulated.

Solution

Avoid using the Referer for authentication as can be easily manipulated in the client side.

Mistake #6 - Trying to be cryptic or to obfuscate info

We already provided an example in mistake #3. Trying to be cryptic or obfuscating information is not a 100% reliable solution. Yes, it could be used as part of a solution but should not be the sole solution.

Solution

Be creative securing your services and avoid security trough obscurity.

Mistake #7 - Rely only on html form attributes

Html form attributes like maxlength and disabled are nice but can be easily circumvented by simply removing them in developer tools or by submitting. Example:

Solution

Keep using those components to provide more friendlier applications but never rely only on them to validate your data. Always have similar validation in the server and in the backend if necessary.

Mistake #8 - Only run Javascript validation

As in mistake #8, relying solely on javascript is highly insecure as javascript can be disable or be easily removed, altered or manipulated in the client machine.

Solution

Make use of javascript to serve more friendlier applications but never rely only on it to validate your data. Always have similar validation in the server and in the backend if necessary.

Conclusion

So there you are, hope this post has helped you identifying the threats your app may be facing and how you could protect against them. But only for your front end. Remember, security is complicated. Securing your frontend is just another piece in the complex effort towards a good security framework.

See Also

• My journey to 1 million articles read
• How and why use stronger passwords
• Integrated security vulnerability alerts on GitHub - Why it matters
• Why use .Net Core
• Package Management in .Net Core
• Building and Running ASP.NET Core apps on Linux
• Generating ASP.NET views in the backend
• Testing JavaScript on Asp.Net Core Applications

  For more posts about ASP.NET on this blog, please click here.

Privacy and Ethics

Security, Ethics, Privacy and Confidentiality. How's everything related on today's internet.

On a previous post we discussed Security and Ethics. Today we follow up on Ethics and Information Privacy and discuss privacy and ethics.

We're living interesting times. Around 10 years ago, the biggest ad agency of all time started tracking and reading personal information. Now it has expanded from your browser to, basically, everywhere. In case you are not sure what I mean, let's examine where tracking is happening.

Tracking is Everywhere

Tracking today happens on:

• E-mail providers: Gmail, Outlook, Yahoo! and everyone else is reading your email. What about you? Are you reading your own emails? 
• Search Engines: where do you think that Google, Bing, Yahoo!, et al get their money from? But wait! We seem to have an option that does not track you. 
• Social Networks: every social network these days tracks you and reads your data. And they make a lot of money. 
• Companies:Google, Apple, Microsoft, Facebook, Amazon and everyone else is tracking you not only by using their services but, if you're using their gadgets, you're probably being tracked there too! 
• TVs: smart TVs like Samsung TVs are spying on viewers. 
• Smart devices: Smart devices like these, are tracking users:

• Amaxon Alexa and Google home record what you say
• Amazon Echo records everything you say
• Amazon (again) has found a way to sneak a camera in your bedroom

• Virtual Assistants are tracking us: virtual assistants are also tracking their users:

• Cortana listes to everything you type
• Windows 10 is indeed the biggest spyware ever created
• No, maybe it's Android

• Mobile Apps are tracking us: Most of the apps today track their users. Even companies like Disney tracks their users. And maybe your car will do too! (I promise I will update this post whenever I see that happening. It won't take long!) 
• Video Games: even video games are tracking players: Xbox and NSA - maybe your videogame is doing it already 
• IoT devices: the internet of things? It's full of listeners, everywhere.

Tracking and Privacy

But people are starting to note that privacy invasion is becoming or will become an issue. And that is a good thing!

Maybe this change is happening due to the impacts of the recent very important data leaks on Equifax and Deloitte, or because their personal pictures leaked online or, because their Dropbox, Adobe, LastPass, personal e-mail, mobile operator, and so many other services suffered a leak and they lost confidential information and/or were victim of a scam/phishing/smishing, etc because of those leaks. Who knows? It doesn't matter.

What matters is that the society as a whole needs to be aware of how our privacy is being disrespected and start demanding for a change. Unfortunately, neither governments nor companies are doing their share and remain doing all that's possible to get access to your data - ethically or unethically. But why is that happening?

Remember: If a product is free, you are the product

As we already discussed that on the Security and Ethics post why is this all happening? Why now?

To understand that, we first need to reflect on why would a company give their products for free? Since the majority of them are not charities,  maybe this is happening because, they make tons of money out from your data and ads. 

For example, here's how Alphabet (Google's parent company) makes money (88% from Ads):

Source: http://www.visualcapitalist.com/chart-5-tech-giants-make-billions/

And here's how Facebook makes money (97% from Ads):

Source: http://www.visualcapitalist.com/chart-5-tech-giants-make-billions/

US$ 106 Billion / year in revenue from Ads

As show in the previous charts, advertising generates 88% and 97% of their revenues to Google and Facebook respectively. That's USD 106.36 Billion per year from your data. All from "free products" like Facebook, Gmail, YouTube, Instagram, Android, Google Docs, etc That's why they say that: if a given product is free you are the product.

All that said, we should be concerned. Not because we're doing stuff we're not supposed to do or because we're being injected too many adds but because your information is being scanned without consent or further notice.

This is not a financial but an ethical decision. It's not about stock prices or revenue per user.

Privacy concerns have reached a limit and people are starting to realize that. You can see by google searches decreasing (more on that later), or increase in utilization of tools like DuckDuckGo (which I recommend using), even by the increase in adoption of free/open software projects like LibreOffice or Firefox that do not track your data. Not because they are better but because they are safer and more trustworthy - If I can read the code, I can trust it.

Privacy - What are our options?

Then where should we be? What should our companies be doing? This is what would like to see: companies that explicitly care about your privacy and how the internet and our lives will be better if everyone cared about that.

Here are my humble suggestions.

Browser

My browser of choice is Firefox. Yes I know there are other options but for my daily use (including development) works very well.

Search Engine

I believe my search engine shouldn't track me. That's why I use and recommend DuckDuckGo.

Operating System

I want privacy in my desktop operating system. That's why I use Fedora Linux.

Phone

I wish a modern phone that respects my privacy and runs all the apps I like. Who knows the Librem 5 or the PinePhone one day doesn't happen? I'm closing monitoring their development and it's getting close, real close!

Final Thoughts

Think about it. Think about the necessity of protecting our privacy, our families' privacy. Think about the impact it can have in 20, 30 years from now. Think how can we make the web and our lives safer for ours and future generations.

See Also

• My journey to 1 million articles read
• How and why use stronger passwords
• Security and development: how much is being done?
• Security is only as strong as the weakest link
• The Laws of security
• Privacy and Ethics
• Security Boundaries
• Integrated security vulnerability alerts on GitHub - Why it matters

---

Update [Mar 13, 2018]: There is a very nice description on why you should consider migrating from LastPass here. 
Update [Mar 13, 2018]: Good News! Purism just showed some updates on the Librem 5 phone here