Docker Image Migration script

Docker is changing.. and as all the changes in this period, things are getting shittier. So recently the announced two shitty things:

1. Docker desktop is not gonna be free anymore for companies above 250 employees

2. They messed up again the way how you can manage and define docker teams and image repo in the docker registry.

Regarding 1, we are just waiting that everyone start to migrate to free alternative (eg Rancher ). For number 2, this article will help to save a shitload of money.

Continue reading “Docker Image Migration script”

10 Immutable Laws of Security

Microsoft has done two things which are really good and neither of those is Windows or Office. The first one is a software called “Paint” that everyone is familiar with (Not the shitty 3D version). The second one is a paper that they wrote back in 2011 titled “Ten Immutable Laws of Security.” So this quick article is about those laws.

The laws are quite self explanatory, so i will re-post them here:

  • 1. If a bad guy can persuade you to run his program on your computer, it’s not your computer anymore
  • 2. If a bad guy can alter the operating system on your computer, it’s not your computer anymore
  • 3. If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore
  • 4. If you allow a bad guy to upload programs to your website, it’s not your website any more
  • 5. Weak passwords trump strong security
  • 6. A computer is only as secure as the administrator is trustworthy
  • 7. Encrypted data is only as secure as the decryption key
  • 8. An out of date virus scanner is only marginally better than no virus scanner at all
  • 9. Absolute anonymity isn’t practical, in real life or on the Web
  • 10. Technology is not a panacea

Despite the laws are quite clear, i want to add a quick discussion for clarify some points. The first 3 laws, withhold similar concept: if someone can tamper with your pc either by running some software or by accessing the hardware, than is not your pc anymore. The implication of these law are quite deep. These law cover obvious cases, where you click on that unknown exe .. or when your trusted technician install hardware keylogger in your pc or a network sniffers on your card. . But the cases does not necessary stop there.. What if a bad guy works at Microsoft, then potentially can tamper with your OS, thus, owning all your pc. Same concept with hardware producers. If you think that this is impossible, than think again because has already happened in the past (for example tampered Supermicro motherboards or Lenovo Superfish malware).

Law n.4 is just a slight extension of the other 3 but with reference to website. So if you use Libraries, add-ons and so on, is always a good idea to have a look at the source code (and make sure that the installed version actually contains the same code), to avoid problem like the “event-stream” javascript library that got infected by cryptoshit stealing code.

Law 6 remarks the power of Sys admin that can change the back-end code, access directly databases, passwords (changing back-end to store it in clear!) and so on. They hold the ultimate power, since usually clients have no overview of the back-end code.

Law 5 and 7 are also quite important. They clarify some concept of security. Indeed is useless to have a 512 bit AES key if then the password set is 1234. Easily guessable keys (or reusing compromised passwords) are the weak link in breaking hard encryption.

Law 8 is still very valid, with the viruses spreading over the internet quickly, it is important to include newest AV signatures as soon as possible. No-one is trying to break in your system with a 2 years old virus! This is also true for Software Updates. So Together with antivirus you should patch asap all your software, since exploiting known vulnerability are the easiest way in a system.

Law 9 may come with a little disappointment. Yes you could use Tails, Tor, Qubes, etc, but still..if someone want to really control you (and have enough resources), they could exploit timing, traffic correlations, forge fake certificate, control tor exit nodes, control backbones, install spywares, dns leakages, etc. So many potential weakness that over a long period, something will go wrong and you will loose your anonymity.

Rule number 10 is just thrown there to remind that for many problems, technology may not be the best solution after all..

So whenever you click on something or ask someone to fix your pc, keep in mind those simple rules!

Happy clicking!

GIT_2 : Workflows: branch and fork

In the last article we discussed some basic git concept. Now I want to introduce some GIT workflows to be used while developing code in teams, that uses Pull Requests and code reviewers. In particular I want to explain how to keep the master history clean and how to avoid all those ugly merges and unnecessary commits that a lot of teams have in their master history. 

Continue reading “GIT_2 : Workflows: branch and fork”

GIT_1 : (not so) Basic Concepts

If you are a programmer and if your team consist of more than 1 person, then you are probably using GIT. There are two ways to use git: the wrong way and the right way. If you never used “rebase” command or if you never squashed any of your commits or if you never heard about forks, then you are probably using it wrong. Ah before we start, I assume that you are familiar with basic git terminology. 

Continue reading “GIT_1 : (not so) Basic Concepts”