Wednesday, 17 June 2020

Installing Hugo in Windows

Below is a 'How-To' on installing Hugo in Windows. 

I would recommend you watch  Mike Dane's YouTube Tutorial  for a better understanding. 

Create a Hugo Directory in C:\Hugo . We will store hugo files or websites here. 

Create directory bin in C:\Hugo .  We will store Hugo Binaries/exe's  in this directory.


Download Hugo from  https://github.com/gohugoio/hugo/releases (Windows 64 bit or 32 bit )


Extract the downloaded Hugo zip file to C:\Hugo\bin .Make sure the executable is named as 'hugo.exe'. 


Set the appropriate  Environmental Path:


Open a new windows PS or Command Prompt and run  hugo version to check if Hugo is installed properly.









Thursday, 11 June 2020

Is it safe to use " Have I been Pwned APIs ? "

Most of us may have wondered " Is it safe to use Troy Hunt's Have I Been Pawned (HIBP) API ?? " 
 " Is my password stored to the HIBP server ?? ", 
 " Is this a good idea ? ".

Short answer - Yes, No and Yes.

Interestingly your password does not even go to HIBP server. 

Surprised ?? Well here goes the long answer .... 

HIBP created by Troy Hunt, uses a protocol called as the k-anonymity. k-anonymity was popularized by a British scientist Junade Ali when he built a communication protocol to check if the given password has been leaked. This verification of the password uses hashing, but the password or it's corresponding hash are never disclosed.
HIBP APIs are now used by several password managers.


The HIBP Implementation:

In the HIBP API, a user is required to pass the first 5 characters of the SHA1 hash of the password to the HIBP Server. The server will then respond back with list of the last 35 characters of all the SHA-1 hashes in its database that begin with the 5 characters sent.
The user can then compare locally the remaining 35 characters of his SHA-1 digest and see if his password was ever leaked.



For example: To check if the password value 'Password@12345' is a leaked password or not:
  1.  We take the SHA-1 message digest of  'Password@12345' .i.e 'fa39309c79ea43b63fa8e1961edd941a5002c541'.
  2.  Send the first 5 characters (uppercase) of the hash to "https://api.pwnedpasswords.com/range/{5_chars_of_hash}" and observe the response. 
  3.  The Server will respond with a list of hash tails (last 35 characters of the hash) that match the aforementioned 5 character string along with the nos. of times they  have been found in the wild.

Here is a snapshot of the curl request:



Analysis of the server response in the browser:



Below is small python script, where I am using the HIBP API (v2) to input a password value and check the inputs.

import requests
import hashlib

isStrong = True
password = input("Enter a password to check if its leaked: ")
hash_val = hashlib.sha1(password.encode('utf-8'))
hash_val_digest = hash_val.hexdigest()
hash_5chars = str(hash_val_digest[:5].upper()) # first 5 chars to be sent to HIBP Api
hash_tail = str(hash_val_digest[5:].upper()) # Convert to uppercase before sending.
response = requests.get('https://api.pwnedpasswords.com/range/' + hash_5chars) # Using HIBP Api v2
print(response.status_code) # expected 200
print("---------")
hibp_hashes = response.text.splitlines() # Stores the response as a list.
for hash_found in hibp_hashes: # Compare the values from the list locally
hash_to_compare = str(hash_found[:35]) # for each list compare the hash with the tail of our SHA-1 hash ()

if hash_to_compare == hash_tail:
count = str(hash_found[36:]) # Nos of times the password was found.
isStrong = False
print(f"Password \" {password} \" has been found {count} times in the Wild !!")
print(f"Here is its hash -> {hash_to_compare}")
break

if isStrong == True :
print("Hurray !! This password was not found in the Wild !!")

Screenshots of the output from the above script (I am printing out values on the console for a better understanding):

1. Output for a weak password:


2. Output for a strong password:


Conclusion: HIBP is an amazing resource and it has several more features. Do have a look at their site for more information https://haveibeenpwned.com


Other Python packages you could use:
https://pypi.org/project/pyhibp/
https://pypi.org/project/haveibeenpwned/

References:
https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/
https://haveibeenpwned.com/API/v2
https://en.wikipedia.org/wiki/Have_I_Been_Pwned%3F
https://en.wikipedia.org/wiki/K-anonymity

Saturday, 6 June 2020

The Pheonix Project - What I learned from it.

I recently read the book called 'The Pheonix Project'. A book that was recommended by a lot of folks especially to get started in the DevOps domain. 
This is a book written by Gene Kim, Kevin Behr and George Spafford. I am listing down some of the key takeaways from this book. 

This is a fictional story that revolves around a character named Bill Palmer who is promoted to VP of IT Operations and is quickly given the task of making sure the company's(Parts Unlimited) next big project named 'Pheonix' goes into production. A lot depends on this project failing which Bill's entire IT division may get outsourced. 

Bill quickly forms a team with two of his colleagues Wes and incredible Patty, who swear to clean the swamp. Around this time Bill is introduced to a potential board member Erik, who is a technology hot-shot as quoted in the book. Erik reminded me of Master Oogway and throughout the course Erik guides Bill and shows him how work in IT is comparable to that of the work done in a manufacturing plant. 
Initially Bill is amused at this very thought and dismisses the idea, but as Oogway said "One often meets his destiny on the road he takes to avoid it" .
Bill is eventually making amends in IT to replicate the workflow of a manufacturing plant.

Erik takes Bill to the company's manufacturing plant and riddles him to identify the 4 kinds of Work by observing the work happening at the plant.
Eventually Bill figures out the 4 kinds of works :

  1. Planned work .i.e Business projects and requests for new features.
  2. Internal projects .i.e Internal requests mostly related to operations such as server/environment creations, server upgrades, software updates, server patching etc.
  3. Changes .i.e work  created by the above two kinds of work, generally through feedback. 
  4. Unplanned Work - This kind of work is often not tracked. Support for incidents and other unforeseen circumstances that may usually arise from the first three kinds of work.  

Erik talks about 'The 3 Ways', which eventually form the pillars of the DevOps principles that Bill would implement later at Parts Unlimited.

  • The First Way - Work should flow in one direction.
Its important to identify the flow of work, and make sure that the work flows on one way. This is achieved by firstly identifying the constraints and removing the constraints. Secondly to limit the work in progress (WIP). WIP is known as the silent killer in both manufacturing and IT both alike.
In the story Patty uses Kanban boards to better visualize the workflow, identify the constraints and limit the WIP. Through this method they identify that one of the major constraints for the Pheonix project was Brent - a superstar who is involved in too many tasks. Bill and Patty try to reduce the work that goes to Brent thereby allowing him time on tasks that were far more critical .i.e the tasks associated with Pheonix. 

  • The Second Way - Enabling and amplifying feedback loops so as to identify issues/defects at a much earlier stage. 
The goal is to identify and fix as many defects in the development stage rather than pushing the defects to the operations/staging environment. Having a development environment that is identical to production would help resolve a lot of "But_this_works_in_the_development_env" kind of issues. Security code audits and pentests must happen at a earlier stage (shift-left) too, thereby identifying and resolving as many issues at a much earlier stage as possible.

  • The Third Way  - Practice and Repeat.
As Bruce Lee used to say "I fear not the man who has practiced 10,000 kicks once, but I fear the man who has practiced one kick 10,000 times."  
Unlike the traditional way where the deployments used to happen once in months, the third way is all about deploying as many times as possible. This is where automation comes into the picture where right from deploying machines in virtual environments to running QA and Security checks to deploying the code to production everything is automated.
In the story Bill and his team figure out ways to have code with a minimum viable product(MVP) deployed in production as soon as possible and then further keep integrating new features to it. But unlike before, Bill's team deploys code to production several times and in the process identify repetitive tasks and automate them. 

In conclusion I would say its a very engaging book and it does its job of helping you understand the place of DevOps in today's world. 

Notes - > Git Basics , git commands

[These are my git notes related to git commands] Ref:  Git Tutorials - by Corey Schafer. ---------------------------------------------------...