#log4j
Explore tagged Tumblr posts
nixcraft · 4 years ago
Too soon?
FYI, log4j is a serious Java security bug affecting everyone who uses the Java programming language. See https://logging.apache.org/log4j/2.x/ for more info.
58 notes · View notes
weepingwitch · 4 years ago
heh heh what if someone discovered a java vulnerability that allowed arbitrary code execution........... in minecraft
20 notes · View notes
kreuzaderny · 4 years ago
9 notes · View notes
dapperseoul · 4 years ago
some of my partners are really busy dealing with this weird situation
5 notes · View notes
datamattsson · 4 years ago
Say how many now?
3 notes · View notes
theguidedpath · 3 years ago
Top 5 DevOps Tools to quickly Jumpstart your DevOps Career
As companies are being digitized, the need for DevOps has increased at a tremendous rate. The future of IT companies is now dependent on the DevOps approach, making it the most demanding job at this time. The market has grown from 40–45 percent within the last five years, increasing the DevOps demand.
If you believe that you have effectively missed the DevOps flight and that presently no chance exists for new applicants, I am glad to let you know that you still have time and also a lot of scope to make a rewarding career in the DevOps domain.
Here I reveal Top Five tools that you need to ace to pursue a DevOps engineer career.
These are the five tools that you will be using daily, and you need to have the knowledge on how to work on them, which includes both hands-on knowledge and also theoretical knowledge. But mostly having hands-on experience is very important.
So, whenever you get the job, you can sit and work on these tools to prove yourself.
The very first tool I would say would be.
DevOps tool #1: Jira
Jira is commonly used by businesses and companies all around the world.
It is a complete Project Management tool in which you can distribute your workflows and workloads within projects and within teams.
Also, in Jira you can have different kinds of tickets, issues, epics, stories and different tasks that are assigned to different team members and different teams regarding their own specific projects. It is a simple and easy-to-learn tool.
So, I would say, for a DevOps Engineer position you should know how to use Jira.
Now the second tool on this list would be
#2: Git or GitHub
GitHub is a commonly known repository tool; many companies use its repositories to store and version-control their code.
In GitHub you have an option to either make your repositories public or keep them private. It totally depends on your company’s policies. If your organization decides to make the repository public, the code stays in the cloud. Otherwise, for private repositories, GitHub Enterprise needs to be set up by the organization in one of their data centers.
I would say GitHub is a really good tool that you should know how to use. Especially you need to know,
How To
Create New Repository
Store code in the repository
Clone the code on your local machine
Make changes in your local copy
Create Pull Requests and push the code to the remote repository after code reviews.
You also need to know all the basic Git commands like
git status
git add
git commit
git push
git pull
git fetch
So, these are some basic git commands that you need to know.
For example,
Scenario 1: If you want to fetch a repository from GitHub to your local machine, how would you do that?
Scenario 2: If you want to push your local code to a remote GitHub repository, how would you do that?
Apart from these, there are other important things in GitHub that are worth practicing, like webhooks, etc.
These kinds of basic activities in GitHub and the ability to nonchalantly run the git commands on the terminal would be a must for you to survive in a DevOps Engineer role.
So, moving on to the third tool in this list.
#3: Any Cloud Platform
It can be MS Azure or AWS or GCP or RedHat Open Shift, etc.
You have a variety of cloud platforms to choose from. But you should completely focus on one. Simply start gaining hands-on experience on it.
Personally, I have learned AWS. I also have AWS certification as an Associate Solution Architect in AWS. The certification itself demands hands-on experience on AWS and that will be thoroughly tested in the certification exam.
Also, in my current position as a DevOps engineer, I have mostly worked on AWS, along with Containerization, Orchestration, Continuous Integration and Continuous Delivery (CI/CD). Also, having hands-on experience on storage and databases is a must.
Having experience and thorough knowledge on at least one cloud provider is a must for a DevOps Engineer currently. Although, I personally recommend AWS, you can choose any provider that you can get your hands on.
Moving on to the fourth one, which is Jenkins.
#4: Jenkins
Jenkins is a CI tool, that is, a Continuous Integration tool.
You can integrate it with AWS (or any cloud platform), GitHub, and many other tools to achieve CI/CD pipeline. Therefore, as a DevOps Engineer you need to at least know
How to use Jenkins
How to create jobs in Jenkins
How to create builds on Jenkins
How to integrate it with AWS or even GitHub
So, with Jenkins you can create Continuous Integration Continuous Delivery (CI/CD) pipelines for your business. So, once the developer pushes the code to the GitHub repository, the pipeline job is automatically triggered through Jenkins and it updates your application.
Jenkins is a great tool to learn. Although, it is easy to learn and master Jenkins, it is a very critical tool for any organization to practice DevOps. Therefore, you should dedicate a major amount of time and effort in learning and mastering this tool.
Now, the fifth tool on this list would be any Containerization tool which can be Docker in conjunction with Kubernetes.
#5: Docker and Kubernetes
As you might already know containerization is growing rapidly throughout the cloud platform and DevOps world.
Docker makes it easy to deploy your app or Microservice on Cloud.
Kubernetes makes it easier to deploy your app on hundreds of servers.
Besides Docker, if there is another tool or technology which has caught software developers’ attention in recent times then it must be Kubernetes.
Docker also helps with DevOps because it simplifies deployment and scaling, and that’s why every DevOps engineer should learn Docker.
Kubernetes is a portable, extensible, open-source platform for managing containerized workloads and services, that facilitates both declarative configuration and automation.
So that is it, get to know these tools, have your hands on them, get your hands wet, run into issues, resolve those issues and master these tools to land into your DevOps Engineer job.
For a complete guide on starting your career as a DevOps Engineer, click here and enter your name and email to download the eBook ‘Guided path to DevOps career’.
5 notes · View notes
gyazoapp · 4 years ago
All Clear: Log4j Vulnerability Does Not Affect Gyazo and Other Services by Nota
We're happy to share that all web services provided by Nota including Gyazo, Scrapbox, and Helpfeel are not affected by the recent Apache Log4j vulnerability (CVE-2021-44228).
Essentially, this is a critical vulnerability in a tool used to log data by many web sites. It has a high potential for abuse when sites are not updated and secured.
In the case of Nota, we wanted to let you know that we have confirmed none of our services are affected by this vulnerability. Keep reading to learn more about each of our service's status and to get information from official sources about the vulnerability.
All three of our services have some integration with each other, so we're letting you know about all three.
Gyazo
Some middleware (a type of internal feature) used in the service had a dependency on Apache Log4j, but we have confirmed that it is not affected by the vulnerability.
In addition, the various Gyazo clients such as Gyazo for Windows, Gyazo for iOS, etc. do not use Apache Log4j and are not affected by the vulnerability.
Scrapbox
Again, some middleware used in the service itself had a dependency on Apache Log4j, but we have confirmed that it is not affected by the vulnerability.
Helpfeel
This vulnerability does not affect Helpfeel because it does not use Apache Log4j.
Learn more
For technical information about the Log4j vulnerability CVE-2021-44228, please refer to the following official sources:
US CISA log4j vulnerability guidance
Apache Log4j vulnerability information page
US NVD technical advisory
If there are any updates in the future, we will update this article with more information. If you would like to read more about Gyazo security, please check out the article here: Is Gyazo Safe? Yes and here is 7 reasons why.
3 notes · View notes
friendofthecrows · 4 years ago
Going to make some aromatherapy dinosaurs for my dad to help manage his stress during this time
4 notes · View notes
ryanvgates · 4 years ago
CVE-2021-44228 - Remediation in ElasticSearch
Problem: Log4j’s JNDI support has not restricted what names could be resolved. Some protocols are unsafe or can allow remote code execution. Log4j now limits the protocols by default to only java, ldap, and ldaps and limits the ldap protocols to only accessing Java primitive objects by default served on the local host.[4] The challenge is that you have an ElasticSearch Cluster that needs to be…
2 notes · View notes
osintelligence · 2 years ago
https://bit.ly/45gJemi - 🏛️ The House Committee on Homeland Security has advanced five bipartisan bills aiming to enhance the nation's cybersecurity, combat the use of drones from adversaries like China, streamline DHS' approach to countering weapons of mass destruction, and support first responders. This move signals the committee's robust and bipartisan efforts to address key challenges within homeland security. #CyberSecurity #HomelandSecurity
📊 A highlight of this progression is Chairman Green's 'Securing Open Source Software Act of 2023'. The bill was introduced in response to security issues raised during the Log4j vulnerability disclosure and will address similar risks associated with other open-source software components. #SecuringOpenSource #Log4j
🌐 Chairman Green emphasized the importance of these efforts in mitigating the risk of sensitive data falling into the hands of adversarial nations, ensuring a coordinated response to threats, and managing risks associated with the use of open-source software - a crucial component of our digital ecosystem. #DataProtection #DigitalSecurity
📜 The bills passed by the Committee include:
1️⃣ H.R. 3286, 'The Securing Open Source Software Act of 2023', by Chairman Mark E. Green (R-TN) #OpenSourceAct
2️⃣ H.R. 1501, 'The Unmanned Aerial Security Act', by Rep. Michael Guest (R-MS) #UnmannedAerialAct
3️⃣ H.R. 3224, 'The Countering Weapons of Mass Destruction Extension Act of 2023', by Rep. Anthony D’Esposito (R-NY) #WMDAct
4️⃣ H.R. 3208, 'The DHS Cybersecurity On-the-Job Training Program Act', by Rep. Sheila Jackson Lee (D-TX) #CyberTrainingAct
5️⃣ H.R. 3254, 'The First Responder Access to Innovative Technologies Act', by Rep. Donald Payne (D-NJ) #FirstResponderAct
These advancements affirm the Committee's commitment to strategically addressing pressing issues facing homeland security.
1 note · View note
orbitbrain · 3 years ago
NSA Outs Chinese Hackers Exploiting Citrix Zero-Day
By Ryan Naraine on December 13, 2022
Virtualization technology giant Citrix on Tuesday scrambled out an emergency patch to cover a zero-day flaw in its networking product line and warned that a Chinese hacking group has already been caught exploiting the vulnerability. Citrix sounded the alarm via a critical-severity…
0 notes
hivepro · 3 years ago
A remote code execution (RCE) vulnerability (CVE-2021-22941) affecting Citrix ShareFile Storage Zones Controller was used by Prophet Spider to attack a Microsoft Internet Information Services (IIS) web server. The attacker took advantage of the flaw to launch a WebShell that allowed the download of further tools.
Prophet Spider also exploits known Log4j vulnerabilities in VMware Horizon (CVE-2021-44228, CVE-2021-45046, CVE-2021-44832). Prophet Spider most typically used encoded PowerShell instructions to download a second-stage payload to the targeted PCs after exploiting the vulnerabilities. The specifics of that payload are determined by the attacker’s motivations and aims, such as crypto mining, ransomware, and extortion.
1 note · View note
robpegoraro · 3 years ago
Weekly output: LinkNYC, Google renews RCS plea, Chris Krebs at Black Hat, 5G explainer, Cyber Safety Review Board, Web3 security
After a week on the West Coast, including four days in Las Vegas for the Black Hat security conference, I now have two weeks of not going anywhere. Which is good!
8/8/2022: LinkNYC begins deploying 5G kiosks – but not yet with 5G inside, Light Reading
After too many months of not writing for this telecom trade-pub client, I filed this update on New York rebooting its LinkNYC effort to bring free…
0 notes
mikeberggren · 3 years ago
December 2021 and Log4J seems like ages ago, right? Well, there's still lessons to be learned and work to be done.
I'm digging the recent CSRB review/document covering Log4J. Link above.
0 notes
datamattsson · 3 years ago
Got log4j?
0 notes
arr-gibbs · 3 years ago
US Cyber Safety Review Board: Log4j Will be an Issue for Years to Come...
The US Department of Homeland Security’s (DHS) Cyber Safety Review Board (CSRB) has determined that the Log4j vulnerabilities are going to pose a risk for at least a decade. CSRB’s report, Review of the December 2021 Log4j Event, includes recommendations for users to help mitigate the risks.
www.cisa.gov: Review of the December 2021 Log4j Event (PDF)
0 notes