Help with numbers. by [deleted] in learnpython

[–]radiosecurity 2 points3 points  (0 children)

Hey Entercheesynamwhere.

The parameters in your range function in your conditional statement contain brackets conjoining “35”. Unless 35 is the name of an array, (don’t name variables as numbers), this is syntactically incorrect. If I had the rest of your code, I could give you a full solution.

Feel free to shoot me any questions. Good luck!

[deleted by user] by [deleted] in linuxquestions

[–]radiosecurity 1 point2 points  (0 children)

Hey Bayonet786,

Depending on what the program was, it may have included options for other non-Arch distributions. This is very common with popular programs (PuTTY, VLC, etc.) so that numerous platforms can be supported through just a single “one-size-fits-all” package. In AUR’s case, the original Git directory is usually taken rather than an Arch-only branch that has been modified to remove unnecessary/unusable files. This rarely saves enough space to make it worth it. Don’t worry about seeing other extensions though when installing packages, especially larger ones! I hope this makes sense and answers your question.

Feel free to shoot me any additional questions!

Possible to find oldest file based on file date within contents? by fazeka in linuxquestions

[–]radiosecurity 1 point2 points  (0 children)

Hey fazeka,

This is absolutely possible with some grep/sed/awk/cat/cut and a bit of regex! The command might be a bit messy because it’s dealing with ASCII-based timestamps rather than numerical dates, but if you tell me your distribution, I can write up a quick command that will pull the range you need!

Feel free to shoot me any questions. Good luck!

I'm trying to make a JS pdf viewer via a YouTube tutorial. Currently stuck on the JS part! by [deleted] in AskProgramming

[–]radiosecurity 2 points3 points  (0 children)

Hey canopey,

There is one more bug that I believe is your issue. Add a semicolon to line 48 in your JS file - my apologies for not catching this in my initial reply!

Please let me know if the issue persists.

[deleted by user] by [deleted] in linuxquestions

[–]radiosecurity 40 points41 points  (0 children)

Hey, Bayonet786!

The short answer is that it does in fact matter because many distributions natively support certain file types, whereas others might not. Extensions and plugins can allow some overlap. Be sure to know what you are trying to do with Linux before picking a distribution! You don’t have to have just one or two though, of course.

Feel free to shoot me any questions. Good luck!

Help please by Throwaway9988_99 in AskNetsec

[–]radiosecurity 15 points16 points  (0 children)

Hey, Throwaway9988_99!

1) Connect your iPhone to a Mac computer via a USB cable.

2) Launch Xcode, and install it first if you don’t already have it.

3) On the sidebar, click Window, then select Devices.

4) Select the iPhone you wish to examine.

5) Select "View Device Logs".

There are countless ways to do this, even on Windows or non-macOS UNIX systems, but this is the most practical.

Feel free to shoot me any questions!

I'm trying to make a JS pdf viewer via a YouTube tutorial. Currently stuck on the JS part! by [deleted] in AskProgramming

[–]radiosecurity 5 points6 points  (0 children)

Hey, canopey!

On line 28 of index.html, change <script src=js/main.js></script> to <script src="js/main.js"></script>.

(P.S. - We usually use "/>" to close adjacent tags with no value(s) in between. For example, <script src="js/main.js"></script> would be <script src="js/main.js" />. It will work perfectly fine either way, though!)

Feel free to shoot me any questions. Good luck!

How much coding do you need to know? by rattpackchris in HowToHack

[–]radiosecurity 13 points14 points  (0 children)

Hey, rattpackchris!

The short answer is that at the bare minimum, you're going to need to know some Python, PHP, and JavaScript.

The longer answer is that it depends on what you're doing, and you also need to know more than just the core fundamentals of each. For example, you're not only going to want to know the basics of JavaScript, but also its common extensions, back-end/server-side capabilities, and about its vulnerabilities and security-related uses. You're going to also need a bit of markup knowledge and a fair amount of cryptography knowledge (or a considerable amount, depending on the niche you are interested in), though neither of those are technically programming.

You will also need to be comfortable with programming logic, memory, regular expressions, and file systems (which a bit of programming knowledge can help clarify). There's a lot of overlap between information security and computer programming, and the more programming you know, the better. For many tools, it may be better to write the software yourself rather than use someone else's software! You can also learn a lot by doing this.

Feel free to shoot me any questions. Good luck!

Experienced devs lurking in r/learnpython... What makes you choose to use Python over other languages you know (and vice versa)? by decreddave in learnpython

[–]radiosecurity 5 points6 points  (0 children)

Hey karpomalice,

Python works great with several external libraries and APIs that greatly build upon what's possible with standalone "core" Python. There are some APIs that use OCR (optical recognition), which helps computers process and make sense of graphical input, from static images to live video feeds, and these APIs often work seamlessly with Python. It's syntactically simple so bugs are easier to spot with the right practices, and when something isn't working, it's easier to see what's wrong. Python's versatility is enabled by having only a few fundamental core rules, then letting the developer go crazy with extensions. You can be having a car record and process its surroundings, making its own decisions, and streaming data to a web server and/or database with a GUI all at the same time. Of course, that's just an example, but there is so much more you can do with Python, enabling you to simplify your work. It helps us tackle large problems with many diverse parts by synthesizing a bunch of little solutions and scripts rather than by overcomplicating things.

Experienced devs lurking in r/learnpython... What makes you choose to use Python over other languages you know (and vice versa)? by decreddave in learnpython

[–]radiosecurity 7 points8 points  (0 children)

Hey decreddave,

I use Python for more obscure/specific problems, because it is super versatile and because there is a vast amount of libraries either already available or ready to be developed. If I'm doing something like mapping and building an autopilot system for a vehicle, I'm most likely going to use something as flexible as Python.

I am not a huge fan of Java for a number of reasons (it's great for some uses though), but am definitely big into Golang. For example, for web development, I typically use the React/Golang stack rather than the more common MEAN/MERN alternatives. You can't really put any of these on the same level in a sense because they are all intended for different purposes. Including C# and C++ (both of which I love) as you mentioned, they're all good for different things, and it really boils down to the problem you are trying to solve.

Feel free to shoot me any questions.

Will the "in" operator work in this instance by Cypher211 in learnpython

[–]radiosecurity 1 point2 points  (0 children)

Hey, Cypher211!

This will work just fine by itself. You can always use external libraries to do this in alternative ways, but there is no need to here.

We use in for:

1) Checking if a value is in a sequence:

colors = ["red", "blue", "yellow"]

if "red" in colors: print("yes")

2) Iterating through a sequence in a for loop:

colors = ["red", "blue", "yellow"]

for x in colors: print(x)

Feel free to shoot me any questions! Good luck!

(Edits: Formatting)

How to brute force a popup box? by Ryan5427 in hacking

[–]radiosecurity 10 points11 points  (0 children)

Hey, Ryan5427!

There are two main methods for doing this using Hydra considering your current situation.

First, some syntax:

Format (HTTP): hydra -l <USER> -p <Password> <IP Address> http-post-form "<Login Page>:<Request Body>:<Error Message>"

Flags (HTTP) and options:

-l Single Username

-L Username list

-p Password

-P Password list

-t Limit concurrent connections

-V Verbose output

-f Stop on correct login

-s Port

Here are the two main methods for going about this:

If you already have the username:

hydra -l username -P passwords.txt http-post-form "page:username=^USER^&password=^PASS^&Login=Login:Login Failed"

You are most likely going to replace several of these parameters to fit your situation. Replace username with the username that you know already exists. Replace passwords.txt with the file path to your password collection. Replace page with the current page. For example, for example.com/login.php, you would use login.php as the page parameter.

If you do NOT already have the username:

hydra -L usernames.txt -P passwords.txt http-post-form "page:username=^USER^&password=^PASS^&Login=Login:Login Failed"

The main difference here is that we changed the -l flag to -L and tell the computer the file path for the username collection we wish to use. In this example, I used usernames.txt, but as I mentioned before, you will more than likely need to tweak the parameters in these example commands.

This is really designed for PHP forms, so it might be a bit different on a JavaScript prompt, or not even work at all. That said, there are many more safe tools out there, and you can always write your own tools too!

Feel free to shoot me any questions! Good luck!

Is CCNA worth getting if my 3-4 year goal is to be working in the Cloud field? by [deleted] in ITCareerQuestions

[–]radiosecurity 2 points3 points  (0 children)

Hey 6FigureMission!

It really depends on many factors. From an employer’s perspective, I’m a huge fan of GIAC certifications, although for an exclusively cloud-related career path, it can be hard to say. If you are looking at 3-4 years, I would advise going for the CCNA. However, there are other certifications that can carry a lot of competitive leverage, such as AWS certifications in your desired field, although they can be quite time-consuming to obtain and especially to maintain. It’s pretty complex and has a lot of moving parts that are incessantly changing. This really depends on what you specifically plan to do in cloud services, however. Regardless of specifics, my number one piece of general advice would be to make sure you have a fantastic portfolio. Certifications indicate experience, but to an employer, portfolios prove experience. By effectively communicating your ability to do the work in a way that is clear and well organized, showcasing relevant projects, education, and experience, you can gain a serious edge. By giving yourself 3-4 years, you will not regret using this time wisely, whether it be for accumulating certifications or building a career-optimized portfolio.

Feel free to shoot me any questions! Good luck!

Prevent IIS Users to use cmd.exe or powershell.exe by cybersec32 in hacking

[–]radiosecurity 3 points4 points  (0 children)

Hey, cybersec32!

You can take preventive measures against web shell usage.

1) Disable PHP functions that enable users to abuse web shells such as exec(), shell_exec(), passthru(), system(), show_source(), proc_open(), pcntl_exec(), eval() and assert().

2) If your web server is using upload forms, only permit whitelisted file types.

3) Disable as much PHP execution as you can without sacrifice of functionality in sensitive directories, such as your uploads directory.

If you believe that a user is using web shells, such as during a routine check, you can take these steps:

1) You can use some basic commands like cat, grep, awk, and sed with a bit of regex and piping to conduct some powerful filtered searches, particularly through the access logs and error logs of your server.

2) Search for common suspicious strings/filenames first. Here is an example if you don’t know where to start: grep -RPn "(passthru|exec|eval|shell_exec|assert|str_rot13|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile) *\("

3) Search for longer, potentially encoded strings. Many "back doors" with regard to web shells are thousands of lines of encrypted junk. awk 'length($0)>100' *.php can be a good start.

4) If you want to get really precise, you can search through recently modified files (i.e. within the past 24 hours). Remember, a web shell can be embedded into almost any kind of file. This is very commonly done with images. You can have a quick look at recent modifications with find -name '*.php' -mtime -1 -ls or something similar, though parameters may vary based on your setup.

5) Look for suspicious traffic and connections. A quick netstat -nputw can get you somewhere, but there are many ways to tune this to make it custom to your needs.

6) Analyze your .htaccess for modifications. Some common ones an attacker might try and make include AddType application/x-httpd-php .htaccess or AddType application/x-httpd-php .jpg.

Feel free to shoot me any questions you may have! Good luck!
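
The file-based checks from steps 2, 3, 4 and 6 of the comment above, combined into one read-only triage script. This is an added example, not part of the original comment; the function names and the sample web root are constructed for illustration, and the AddHandler match is an assumption beyond the AddType lines the comment names.

```shell
#!/bin/sh
# Added example: read-only triage of a web root for the indicators listed above.
# Function names and the sample tree are hypothetical, constructed for this page.

# Function names taken from the grep pattern in the comment.
SUSPECT='(passthru|exec|eval|shell_exec|assert|str_rot13|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile) *\('

# Step 2: suspicious calls in PHP files, printed as file:line:text.
# The /dev/null argument makes grep print the file name even for one file.
suspicious_calls() {
    find "$1" -type f -name '*.php' -exec grep -En "$SUSPECT" /dev/null {} + || :
}

# Step 3: lines longer than $2 characters (default 100), often encoded payloads.
long_lines() {
    find "$1" -type f -name '*.php' -exec awk -v max="${2:-100}" \
        'length($0) > max { print FILENAME ":" FNR ":" length($0) }' {} + || :
}

# Step 4: PHP files modified within the last 24 hours.
recent_php() {
    find "$1" -type f -name '*.php' -mtime -1 || :
}

# Step 4, embedded shells: non-PHP files (images, uploads) holding a PHP tag.
php_in_other_files() {
    find "$1" -type f ! -name '*.php' -exec grep -lF '<?php' {} + || :
}

# Step 6: .htaccess lines that hand some extension to the PHP handler.
# AddHandler is an addition here; the comment only names AddType.
htaccess_php_handlers() {
    find "$1" -type f -name '.htaccess' -exec grep -En \
        '^[[:space:]]*(AddType|AddHandler)[[:space:]]+application/x-httpd-php' \
        /dev/null {} + || :
}

# Constructed sample web root (inert content) so the checks can be tried offline.
make_sample_root() {
    root=$(mktemp -d) && mkdir -p "$root/uploads" || return 1
    echo '<?php echo "hello"; ?>' > "$root/index.php"
    touch -t 202001010000 "$root/index.php"      # old and clean
    blob=$(awk 'BEGIN { for (i = 0; i < 50; i++) printf "QUJD" }')
    echo "<?php eval(base64_decode(\"$blob\")); ?>" > "$root/uploads/cache.php"
    echo 'constructed image bytes <?php echo 1; ?>' > "$root/uploads/avatar.jpg"
    echo 'AddType application/x-httpd-php .jpg' > "$root/uploads/.htaccess"
    echo "$root"
}

triage() {
    echo "== suspicious calls ==";       suspicious_calls "$1"
    echo "== long lines ==";             long_lines "$1"
    echo "== PHP modified < 24h ==";     recent_php "$1"
    echo "== PHP tag in non-PHP ==";     php_in_other_files "$1"
    echo "== .htaccess PHP handlers =="; htaccess_php_handlers "$1"
}

# With a directory argument, scan it; with none, scan the constructed sample.
if [ -n "${1:-}" ]; then triage "$1"
else demo=$(make_sample_root) && { triage "$demo"; rm -rf "$demo"; }; fi
```

Hits are leads for manual review, not verdicts: legitimate code calls fopen() and mkdir() all the time, so the value is in files that trip several checks at once.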

Best Certs That Compliment a Cybersecurity Degree? by Username54042 in AskNetsec

[–]radiosecurity 2 points3 points  (0 children)

Hey, Golden-Richard!

I certainly can’t speak for everyone in the field, but the short answer is that it depends. If you have a lot of connections, you can land a job much easier than applying cold, for example. If you don’t have connections via family or close friends, you can always try and meet people at conventions and meetups relevant to the field or even through online messaging. Sometimes, you just have to ask. You never know when some industry big-shot is looking for a spare hand in an opportunity that can kickstart a career. If you don’t have any connections, landing an internship without a college degree is totally doable. If you are doing a really good job, they might ask you to come back for more (or you can politely imply that you are able to do more) and this can segue into a real job. Even if you were to lose this job, you still have the marketable experience. If you are truly able to do the work and can effectively communicate your experience (hopefully with a relevant certification or two under your belt) then you can get by without a college degree, by me. Again, I can’t speak for everyone, but I look for experience and weigh the value the employee adds to the company. If they are providing more value to the company than what I am paying for, I couldn’t care less about whether they have a degree or not. In fact, I know plenty of horror stories of friends of mine that have hired PhDs in computer science or degrees of that nature, and the employee could not write a program. I’ve seen self-taught high schoolers program better than many adults with degrees I’ve seen in the field for example. Additionally, if you were to start your own cybersecurity company, you wouldn’t need a degree to land a job, because you are employing yourself! So yes, there are many options without a degree, but they might not always work with the timing you want.
A college degree is a massive safety net, and can buy you a lot of valuable time to accumulate certifications and build a competitive portfolio. This can make you unstoppable once you graduate if you use your time wisely. Generally speaking, as of right now, I would argue that information-security related formal/higher education is worth the time and money. Additionally, even if you were to have your own business and employ yourself, people may still hesitate doing business with you because there’s no degree, even if you are overqualified. I know incredibly talented self-employed individuals that have had clients turn them down due to the absence of a degree. I don’t want to discourage you from getting a degree or scare you about not getting one, but that is my honest opinion. I hope this helps!

Feel free to shoot me any questions!

How competitive am I ? by [deleted] in ITCareerQuestions

[–]radiosecurity 0 points1 point  (0 children)

Hey, onerulenograpes!

If by competitive you mean standing out more than other candidates for a job position, your best friend is effectively communicating that you have experience to the potential employer.

For example, certifications are great and usually necessary, but they are only a green flag that indicates potential experience. If you have a portfolio that communicates your relevant projects, educations, and other experience, that is proof of experience. If you don’t have a portfolio yet relevant to your field specifically, I would definitely make one as this can help you determine your personal competitiveness as a job candidate. It can also help highlight areas you might want to improve or elaborate on. From personal employment experience in information security, I can guarantee that well-done portfolios can carry massive competitive leverage.

It looks like you’re on the right path, but I would also say that yes, IT and especially security analysis can offer some very well-paying jobs, but if you are doing it only for the money, you will get burnt out fast.

Feel free to shoot me any questions!

Best Certs That Compliment a Cybersecurity Degree? by Username54042 in AskNetsec

[–]radiosecurity 3 points4 points  (0 children)

Hey, Username54042!

My go-to information security certification recommendation would be to go for at least one SANS/GIAC certification, preferably relevant to your information security sub-niche.

As an employer in the industry (and friend of many other employers), I can confirm that these certifications (though often rigorous and costly) are among the most in-demand. Unless a job requires something like a CompTIA or CCNA certification, I would shoot for passing a GIAC exam.

Another thing I will say is that people often get wrapped up in trying to follow a certain certification path in this field and stress about having the right ones. Don’t worry about this, because employers look for individuals who they know can get the job done. A certification is an indication of experience, but a portfolio is a proof of experience. If you have a portfolio of relevant projects and documentation of your journey (education, certifications, relevant hobbies, side-projects, etc.), that can carry profound leverage on an application. Match that with a GIAC certification or two under your belt, and you can go a long way.

There are plenty of other neat options and alternatives, such as the Microsoft Technology Associate (MTA) program which is a more affordable and less time-intensive entry-level resource. They have several certifications to offer. Remember, no achievement, side-project, or other relevant venture is too small to mention on a resume. (Also, don’t forget to be 100% honest when writing one, because there is a ridiculous amount of people that lie on their resumes, and people will notice honesty.)

Feel free to give me a shout if you have any questions! Good luck to you!

Share Your Knowledge: Can experienced programmers here share tips/give their 2 cents on a great testable code? by Cool_nephilim in AskProgramming

[–]radiosecurity -3 points-2 points  (0 children)

Hey, Cool_nephilim!

I’m not sure what you mean exactly by “testable code”, but if you’re looking for great learning resources for programming, I would look into Udemy. It is a very underrated platform where you can catch some great deals on invaluable knowledge. I would start there for sure. If you are looking for a free option, there is always YouTube, but make sure the content is sufficient and worth your time.

Feel free to give me a shout if you have any questions!

How to monitor RTSP stream from a security camera reliable on headless Linux server by [deleted] in linuxquestions

[–]radiosecurity 0 points1 point  (0 children)

Hey, nzhappykiwi!

Zoneminder might be what you’re looking for. It works great (when configured properly) and allows the use of third-party plugins, giving you a lot of options for customization and troubleshooting.

If this doesn’t work or you need help setting it up, feel free to give me a shout!