stop disabling SELinux

posted Feb 15, 2019, 7:51 AM by Chris G   [ updated Feb 15, 2019, 7:52 AM ]

Seriously, stop disabling SELinux.
Learn how to use it before you blindly shut it off.

Every time you run setenforce 0, you make Dan Walsh weep.
Dan is a nice guy and he certainly doesn't deserve that.

JSON Web Token

posted Jun 14, 2018, 6:55 AM by Chris G   [ updated Jun 14, 2018, 6:57 AM ]

What is JSON Web Token?

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a shared secret (with the HMAC algorithm) or a public/private key pair (RSA or ECDSA).

Although JWTs can also be encrypted to provide confidentiality between parties, we will focus on signed tokens. Signed tokens let the recipient verify the integrity of the claims contained within them, while encrypted tokens hide those claims from other parties. When tokens are signed using public/private key pairs, the signature also certifies that only the party holding the private key could have signed them. This guarantee holds only if the verifier decides which algorithm and key it will accept rather than trusting the token's own header to say how it should be checked.
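The following is an added example, not code from the original post or from any JWT library, showing the signed-token flow in Python's standard library: HS256 signing, verification that pins the algorithm instead of reading it from the header, an expiry check, and the unsigned "alg: none" token an attacker would try against a careless verifier. The secret, claims and timestamps are constructed for illustration.

```python
"""HS256 JWT sign/verify using only the standard library.

Added example, not code from the original post or from any JWT library. The
secret, claims and timestamps used with it are constructed for illustration.
"""
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data):
    # JWT uses base64url without '=' padding (RFC 7515, appendix C).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    # Restore the padding that was stripped before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_part(obj):
    # Compact JSON with no whitespace, so the signing input is stable.
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_hs256(claims, secret):
    """Return a compact JWS: base64url(header).base64url(payload).base64url(sig)."""
    signing_input = encode_part({"alg": "HS256", "typ": "JWT"}) + "." + encode_part(claims)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_hs256(token, secret, now=None):
    """Verify an HS256 token and return its claims; raise ValueError otherwise.

    The verifier decides the algorithm. A header claiming 'none' (or anything
    other than HS256) is rejected before the signature is even looked at, so
    the token's own header never chooses how it gets checked.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have three dot-separated parts")
    header_b64, payload_b64, sig_b64 = parts

    header = json.loads(b64url_decode(header_b64))
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        alg = header.get("alg") if isinstance(header, dict) else None
        raise ValueError("unexpected alg %r; only HS256 is accepted" % alg)

    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    # compare_digest runs in constant time, so a forger learns nothing from timing.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")

    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def forge_alg_none(claims):
    """Build the unsigned 'alg: none' token an attacker tries first.

    A verifier that trusts the header would accept this with no secret at all.
    """
    return encode_part({"alg": "none", "typ": "JWT"}) + "." + encode_part(claims) + "."


def rejection_reason(token, secret, now=None):
    """Return None if the token verifies, otherwise the reason it was refused."""
    try:
        verify_hs256(token, secret, now=now)
    except ValueError as exc:
        return str(exc)
    return None
```

The same shape applies to RS256/ES256: the verifier still hard-codes the algorithm and the key it trusts, and never lets an attacker-supplied header switch it from asymmetric verification to HMAC with the public key as the "secret".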

GnuPG - The GNU Privacy Guard

posted May 12, 2018, 8:26 AM by Chris G   [ updated May 12, 2018, 8:27 AM ]

GnuPG is a complete and free implementation of the OpenPGP standard as defined by RFC 4880 (also known as PGP). GnuPG allows you to encrypt and sign your data and communications; it features a versatile key management system, along with access modules for all kinds of public key directories. GnuPG, also known as GPG, is a command line tool with features for easy integration with other applications. A wealth of frontend applications and libraries are available. GnuPG also provides support for S/MIME and Secure Shell (ssh).

Boxcryptor - Security for your Cloud

posted May 12, 2018, 8:24 AM by Chris G   [ updated May 12, 2018, 8:24 AM ]

Boxcryptor for Individuals

Boxcryptor encrypts your sensitive files and folders in Dropbox, Google Drive, OneDrive and many other cloud storage services. It combines the convenience of the most user-friendly cloud storage services with client-side encryption: your data is encrypted on your device before it is synced to the cloud providers of your choice.

Boxcryptor is free to use with one cloud storage provider on two devices. 

Inspec - Compliance as code

posted May 1, 2017, 9:57 AM by Chris G   [ updated May 1, 2017, 9:58 AM ]

InSpec is an open-source testing framework for infrastructure with a human-readable language for specifying compliance, security and other policy requirements. When compliance is code, you can integrate automated tests that check for adherence to policy into any stage of your deployment pipeline.

This tool can also be used to validate the deployment of new systems by describing what should/should not be installed. Great stuff!

Salted Password Hashing - Doing it Right

posted Mar 13, 2017, 1:22 PM by Chris G

A very nice article with examples:
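The linked article itself is not reproduced here. As an added example, not the article's code, the following shows the pattern its title describes using Python's standard library: a random per-password salt, a deliberately slow key derivation (PBKDF2-HMAC-SHA256; the iteration count, salt length and record format are this example's own choices), a constant-time comparison on verification, and a check for records hashed under an older, weaker cost setting.

```python
"""Salted password hashing with PBKDF2-HMAC-SHA256 from the standard library.

Added example, not the linked article's code. The iteration count, salt
length, record format and sample passwords are constructed for illustration.
"""
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000   # cost parameter; raise it as hardware gets faster
SALT_BYTES = 16        # 128-bit random salt, unique per stored password
KEY_BYTES = 32


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record: pbkdf2_sha256$<iterations>$<salt>$<hash>.

    A fresh random salt is drawn unless one is supplied (only for tests).
    Storing the parameters beside the hash lets you raise the cost later and
    re-hash on the user's next successful login.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES
    )
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(derived).decode("ascii"),
    )


def verify_password(password, record):
    """Recompute with the stored salt and parameters; compare in constant time."""
    try:
        scheme, iterations, salt_b64, hash_b64 = record.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(hash_b64)
        iterations = int(iterations)
    except (ValueError, TypeError):
        return False  # malformed record, never a match
    if scheme != "pbkdf2_sha256":
        return False
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected)
    )
    # compare_digest, not ==: a plain comparison stops at the first differing byte
    # and leaks how much of the hash an attacker got right.
    return hmac.compare_digest(derived, expected)


def needs_rehash(record, iterations=ITERATIONS):
    """True if the stored record uses fewer iterations than current policy."""
    parts = record.split("$")
    return len(parts) != 4 or parts[0] != "pbkdf2_sha256" or int(parts[1]) < iterations
```

On a successful login, call `needs_rehash` and, if it returns True, store `hash_password(password)` again; that is how an old user base migrates to a higher cost without anyone resetting a password.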

Let’s Encrypt: Delivering SSL/TLS Everywhere

posted Nov 19, 2014, 6:15 PM by Chris G

Let’s Encrypt is a new Certificate Authority:
It’s free, automated, and open.
Arriving Summer 2015.

An Introduction to the JS WebCrypto API

posted Oct 29, 2014, 11:44 AM by Chris G   [ updated Oct 29, 2014, 11:45 AM ]

Keeping Secrets with JavaScript - An Introduction to the WebCrypto API

Kippo SSH honeypot

posted Sep 17, 2014, 7:49 PM by Chris G   [ updated Sep 17, 2014, 7:49 PM ]

Kippo is a medium-interaction SSH honeypot designed to log brute-force attacks and, most importantly, the entire shell interaction performed by the attacker.

  • Fake filesystem with the ability to add/remove files. A full fake filesystem resembling a Debian 5.0 installation is included
  • Possibility of adding fake file contents so the attacker can 'cat' files such as /etc/passwd. Only minimal file contents are included
  • Session logs stored in a UML-compatible format for easy replay with original timings
  • Just like Kojoney, Kippo saves files downloaded with wget for later inspection
  • Trickery: ssh pretends to connect somewhere, exit doesn't really exit, etc.

Software required:

  • An operating system (tested on Debian, CentOS, FreeBSD and Windows 7)
  • Python 2.5+
  • Twisted 8.0+
  • PyCrypto
  • Zope Interface

Making Sense of Content Security Policy Reports

posted Sep 9, 2014, 12:49 PM by Chris G

Making Sense of CSP Reports - a great article on Yelp Engineering Blog

CSP is Awesome

Content Security Policy isn’t new, but it is so powerful that it still feels like the new hotness. The ability to add a header to HTTP responses that tightens user-agent security rules and reports on violations is really powerful. Don’t want to load scripts from a third-party domain? Set a CSP and don’t. Trouble with mixed-content warnings on your HTTPS domain? Set a CSP and let it warn you when users are seeing mixed content. Realistically, adding new security controls to a website and a codebase as large as Yelp’s needs to be a gradual process. If we apply the new controls all at once, we’ll end up breaking our site in unexpected ways and that’s just not cool. Fortunately, CSP includes a reporting feature – a “lemme know what would happen, but don’t actually do it” mode. By using CSP reporting, Yelp is able to find and fix problems related to new CSP controls before they break our site.

Visualize, monitor, and alert for the win

The Yelp security team is a huge fan of Elasticsearch/Logstash/Kibana.  Like we do with pretty much any log, we throw these CSP reports into our ELK cluster and visualize the results.
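Before reports reach a log cluster it helps to see what one looks like and how to bucket it. The following is an added example, not Yelp's code and not from the original post: a Python script that parses the JSON bodies browsers POST to the policy's report endpoint, tags each as site-owned mixed content, a genuinely blocked third-party resource, or browser-extension noise, and counts them by directive and blocked origin. The three sample reports are constructed; the field names are the standard `csp-report` keys. The list of noise schemes is this example's assumption, not anything the page states.

```python
"""Summarise CSP violation reports before shipping them to a log pipeline.

Added example, not Yelp's code. The sample report bodies are constructed; the
field names are the ones browsers send in the JSON POSTed to report-uri.
"""
import json
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample: three report bodies as a browser would POST them.
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {
        "document-uri": "https://www.example.com/biz/some-place",
        "violated-directive": "script-src 'self' https://cdn.example.com",
        "effective-directive": "script-src",
        "blocked-uri": "https://evil.example.net/track.js",
        "original-policy": "default-src 'self'; script-src 'self' https://cdn.example.com; report-uri /csp",
    }}),
    json.dumps({"csp-report": {
        "document-uri": "https://www.example.com/biz/some-place",
        "violated-directive": "img-src https:",
        "effective-directive": "img-src",
        "blocked-uri": "http://images.example.com/photo.jpg",
        "original-policy": "default-src 'self'; img-src https:; report-uri /csp",
    }}),
    json.dumps({"csp-report": {
        "document-uri": "https://www.example.com/",
        "violated-directive": "script-src 'self'",
        "effective-directive": "script-src",
        "blocked-uri": "chrome-extension://abcdefghijklmnop/content.js",
        "original-policy": "default-src 'self'; report-uri /csp",
    }}),
]

# Schemes that usually mean a browser extension or other client-side injection,
# not a problem in the site's own markup. Assumed filter list for this example.
NOISE_SCHEMES = {"chrome-extension", "moz-extension", "safari-extension", "about"}


def parse_report(body):
    """Return the inner csp-report dict, or None if the body is not a CSP report."""
    try:
        outer = json.loads(body)
    except ValueError:
        return None
    report = outer.get("csp-report") if isinstance(outer, dict) else None
    return report if isinstance(report, dict) else None


def classify(report):
    """Label one report as 'noise', 'mixed-content' or 'blocked'."""
    blocked = urlsplit(report.get("blocked-uri", ""))
    if blocked.scheme in NOISE_SCHEMES:
        return "noise"
    doc = urlsplit(report.get("document-uri", ""))
    # An http: subresource on an https: page is exactly the mixed-content case.
    if doc.scheme == "https" and blocked.scheme == "http":
        return "mixed-content"
    return "blocked"


def summarise(bodies):
    """Count (effective directive, blocked origin, label) over a batch of bodies."""
    counts = Counter()
    for body in bodies:
        report = parse_report(body)
        if report is None:
            continue  # not a CSP report; drop rather than crash the pipeline
        blocked = urlsplit(report.get("blocked-uri", ""))
        # Browsers may send bare keywords such as 'inline' or 'eval' instead of a URL.
        origin = blocked.netloc or blocked.scheme or report.get("blocked-uri", "")
        directive = report.get("effective-directive") or report.get("violated-directive", "").split(" ")[0]
        counts[(directive, origin, classify(report))] += 1
    return counts
```

Running `summarise` over a day's worth of bodies and sorting the counter gives the same picture a Kibana dashboard would: which directive is about to break which origin once the policy moves from report-only to enforcing, with extension noise kept out of the way.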
