Friday, June 29, 2018

阿希從衆實驗

近日與友人聊天時聊到阿希從眾實驗 (Asch conformity experiments),這個實驗發現了大多數的人會在群眾的壓力下盲從附和或改變自己的見解去跟從衆人的情況。

Asch conformity experiments






友人立即引述馬克吐溫的名句 :

Whenever you find yourself on the side of the majority, it is time to pause and reflect. -- Mark Twain

每當你發現自己和大多數人站在一邊,你就該停下來反思一下。 -- 馬克·吐溫

其後我領會到這句名句有另一方面的意思,就是如果發現了你自己在大多數人當中的時候,你應反思你是否停滯不前沒有進步?

參考連結

維基百科 - 阿希從衆實驗
Wikipedia - Asch conformity experiments


Monday, June 18, 2018

深度系統與優麒麟

深度系統與優麒麟都是國內知名由國內開發的 Linux 系統,她們各有特色,現在介紹一下。

深度系統 (Deepin Linux) 是由中國武漢深度科技公司基於 Debian 穩定版進行開發。其中的深度系統桌面環境 (DDE) 是深度科技公司的一個開源項目。

深度系統支援多國語言,其桌面環境設定簡單直覺,並沒有多餘的步驟。她備有自己的軟件庫,而當中的軟件是常用軟件,安裝和移除軟件簡單容易,只需一鍵點擊就可以了。微軟視窗系統的軟件大多可以在其中運行,因為這系統是專為用戶由視窗系統過渡到 Linux 而不能不使用微軟視窗的產品而設計的。她開機和關機都十分快速,唯一的不足之處是她並不支援全碟加密的設定。

優麒麟 (Ubuntu Kylin) 是由工信部軟件與集成電路促進中心和中國人民解放軍國防科技大學與 Ubuntu 的支援公司 Canonical 在北京聯合創立「CCN 開源軟件創新聯合實驗室」而開發的。其桌面環境是基於 MATE 的 UKUI。

優麒麟是專為國內用戶而設計,雖然她支援多國語言,但其專有的軟件庫是簡體中文介面的。她是為那些由微軟視窗轉到 Linux 又完全放棄視窗的用戶而設計的。在其軟件庫中,她會介紹有那些是微軟視窗軟件的代替品,非常體貼。她的 UKUI 用戶介面非常類似視窗介面,用戶是不會陌生的,但她百分之百是 Ubuntu。所有軟件是最新版本,而設定方面亦與 Ubuntu 一樣。

深度系統與優麒麟所面對的客戶群各有不同,目的都是為視窗用戶轉移到 Linux 而設計的,各有其優勢之處。如果大家有空的話,可以安裝深度系統和優麒麟,體驗一下其功能和設計。


深度系統
優麒麟


Sunday, June 17, 2018

For Want Of A Nail (只因少了一颗钉)

For Want of a Nail

For want of a nail the shoe was lost.
For want of a shoe the horse was lost.
For want of a horse the rider was lost.
For want of a rider the message was lost.
For want of a message the battle was lost.
For want of a battle the kingdom was lost.
And all for the want of a horseshoe-nail.

-- Benjamin Franklin


只因少了一颗钉

少了釘子,失了蹄鐵。
少了蹄鐵,失了戰馬。
少了戰馬,失了騎士。
少了騎士,失了情報。
少了情報,失了勝仗。
少了勝仗,失了王國。
這全因少了馬蹄鐵釘。

-- 佛萊登




See Also

The Butterfly Effect

In chaos theory, the butterfly effect is the sensitive dependence on initial conditions in which a small change in one state of a deterministic nonlinear system can result in large differences in a later state.

蝴蝶效應

蝴蝶效應 (Butterfly effect) 是指在一個動態系統中,初始條件下微小的變化能帶動整個系統的長期的巨大的連鎖反應,是一種混沌的現象。“蝴蝶效應”在混沌學中也常出現。


The Broken Windows Theory

The broken windows theory is a criminological theory that visible signs of crime, anti-social behavior and civil disorder create an urban environment that encourages further crime and disorder, including serious crimes. The theory thus suggests that policing methods that target minor crimes such as vandalism, public drinking and fare evasion help to create an atmosphere of order and lawfulness, thereby preventing more serious crimes.

破窗效應

破窗效應(英语:Broken windows theory)是犯罪學理論,由詹姆士·威爾遜及喬治·凱林(George L. Kelling)提出,刊載於《The Atlantic Monthly》1982年3月版的一篇題為《Broken Windows》的文章上,論及環境中的不良現象如果被放任存在,就會誘使人們仿效,甚至變本加厲。


Reference

Wikipedia - For Want of a Nail
维基百科 - 只因少了一颗钉
Wikipedia - Broken Windows Theory
维基百科 - 破窗效应
Wikipedia - Butterfly Effect
维基百科 - 蝴蝶效应


That's all! See you.


Thursday, June 14, 2018

Friday, June 08, 2018

家居網絡安全守則

鑑於近日發生了很多路由器和網絡儲存裝置被入侵的事故,我覺得有必要加強一下我們對家居網絡安全的知識。大部份人都是對網絡安全一知半解或者完全一竅不通的,所以我會用一些直接的方式去說明而避免了一些專業的用語。

路由器 (Router)

路由器有分有綫和無綫兩種,而大部份的家居路由器都是二合一的版本,即是有綫和無綫功能集於一身。

在設定路由器時,必須要更改路由器預設的密碼,更要有一個較強而複雜的密碼。

在設定路由器管理時,絕對不可以設定為可供遠端管理 (Remote Management) ,即是不可以在家以外的地方來遙控管理路由器。通常大部份的路由器預設遠端管理是啟動的。

在設定無綫路由器時應當設定為 WPA3 制式,如沒有的話至少要設定為 WPA2。至於加密方面,最好是 AES 並且至少要有十二位的密碼,而密碼方面就需要包括英文大小楷、數目字和標點符號。在本年底 WPA3 的路由器將會面世,在此時必須要設定為 WPA3 制式。

經常更新路由器韌體 (Firmware),若果官方一年或以上沒有發表路由器韌體更新或型號已經停產的話,就必須購買新一款的路由器替換。永遠要保持路由器的規格是最新的。

不要輕易開放埠 (Port),需要檢查一下有沒有埠是開放於互聯網中,例如埠 22 (SSH)、23 (Telnet)、80 (http)、443 (https) 或 8080 (proxy),如有發現的話,我強烈建議立即關閉這些埠在互聯網中開放,要注意的是有些路由器是預設開放的。

桌面電腦 (Desktop)

經常更新作業系統,保持其為最新版本。不要安裝或下載不明來歷的軟件,更不應使用侵權軟件或多媒體。要經常更新瀏覽器並且不要瀏覽不良網站或侵權網站。最好是安裝及啟動防火牆並且不可輕易開放埠 (Port) 。

如果是微軟視窗系統的話,一定要安裝防毒軟件。蘋果公司的 macOS 或 Linux 的話,可以考慮安裝防毒軟件。至於 Linux 更可以零成本加固的 (詳情可以參考我的博客)。

不可以繼續使用舊版本的作業系統 (Operating System),更不應使用已經停止支援和更新的作業系統。

網絡儲存裝置 (NAS)

若果有網絡儲存裝置的話,我絕對不贊成直接接駁到互聯網作遠端存取。如果必需要遠端存取的話,我強烈建議必須使用虛擬私人網絡 (VPN),並必須經常更新韌體。通常虛擬私人網絡都可以在比較貴價的路由中找到。

最後,祝大家安全地和暢快地在互聯網中衝浪!

Samiux
OSCE OSCP OSWP
二零一八年六月七日 中國香港



Home Network Security Rules

Recently, there are a lot of routers and network attached storage (NAS) devices infected by malware or being attacked. It is a high time to refresh our home network security knowledge.

Router

There are wired and wireless routers in the market. Home routers equipped both. We should change the default password of the router in the login control panel with strong and complicated password. It is not wise to let the router to be controlled remotely. It is better to disable this feature or function even it is enabled by default.

When setting wireless, it is recommended to set it to WPA3 when it is available in the end this year. If not, at least set it to WPA2 with AES encryption. Strong and complicated password should be set. Make sure uppercase and lowercase, numberic and symbols to be set for the password.

Update the router firmware when it is available and always keep it up-to-date. If you do not get the firmware update for more than a year from the vendor or the router has been phased out, you should purchase a new and modern one.

Make sure port 22 (ssh), 23 (telnet), 80 (http), 443 (https) and 8080 (proxy) are not opened or forwarded to the public in the router.

Desktop

Update your operating system often and keep it up-to-date. Do not install any pirate or unknown sourced software or multi-media. Make sure no port is opened to the public.

If you are using Microsoft Windows systems, it is recommended to install anti-virus program. You may consider to install anti-virus program on Apple macOS and Linux systems. Meanwhile, you can harden your linux system with no extra cost, for details please read my blog.

Never use a not up-to-date operating system especailly when there is no more support or it is already phased out.

Network Attached Storage (NAS)

Make sure update the firmware with the latest firmware often. I am not recommended to let your NAS to be accessed from the internet. I strongly recommended to do it via virtual private network (VPN) when necessary. Most expensive routers may equipped with VPN feature.

Finally, happy internet surfing!

Samiux
OSCE OSCP OSWP
June 7, 2018 Hong Kong, China


Wednesday, June 06, 2018

保衛橋頭堡

嚴格來說我身兼數職,我既是開源項目開發者、系統管理員、網絡滲透測試員、資訊科技安全硏究員、又是公司文員。我是一名資訊科技安全愛好者,擁有有關的專業認證,就是 OSCE,OSCP 及 OSWP。

我家裏有兩個網絡,一個是日常運作的網絡另一個是用作滲透測試和軟件測試之用。日常運作的網絡中有一台網頁伺服器,一台私人雲端檔案伺服器,一台虛擬系統伺服器,二台路由器和一台防禦入侵系統,網頁伺服器還有人工智能網頁防火牆。

我每日的例行工作是更新所有桌面系統及伺服器系統,閱讀有關資訊科技安全有關的新聞和硏究報告,開發資訊科技安全有關的開源軟件或系統,撰寫博客等,作為一個業餘的資訊科技安全人員來說真是工作煩多。

因為我有編程和資訊科技安全底子,所以我開發了一些資訊科技安全的開源項目,其中有防禦入侵系統 (Croissants,牛角麵包) 和人工智能網頁防火牆 (Longjing,龍井),它們都是由我自主硏發的。

我所開發的防禦入侵系統能夠防止已知具有惡意的網絡地址存取我的網絡、可以防止已知的惡意軟件的下載或存取、可以防止網絡掃描軟件向我的網絡進行掃描、可以防止一些已知的安全漏洞被利用、防止我瀏覽一些已知的惡意網站。它具有極低的延遲特性,可以讓我流暢地觀看 4K 視頻及玩綫上遊戲,而且所有防禦入侵的安全規則都是免費的,更兼容各大常用電腦和手機系統。在硬件上的要求並不算高,建設成本極低,具有效率高和防禦性強及經濟的特性。

至於網頁防火牆,它是一個深度學習的人工智能網頁防火牆,這是一個開源項目。它主要是防禦資料庫注入 (SQL Injection, SQLi) 的攻擊,但它亦能夠防禦跨站腳本 (Cross Site Scripting, XSS) 和一些較低危險性的攻擊,它更具有迷惑網站漏洞掃描器的能力。若果有惡意的黑客利用網站漏洞掃描器來掃描我的網站,他們的掃描器會回報極多的漏洞,但是這些漏洞完全都是誤報的,這樣那些惡意的黑客就會被我的網頁防火牆誤導而浪費了很多時間去對每一個誤報的漏洞來查證。這個人工智能網頁防火牆極易安裝和維護,雖然效率並不十分高但其偵測準確率達到九十九巴仙以上,這是十分不錯的。

就是因為這兩個由我自主硏發的開源項目的應用,我可以比較安心地處理其他的資安事項而無需時常要親力親為地監察我的網絡安全。雖然這個世界上沒有絕對安全的電腦系統 (No System Is Safe),但我的開源項目的確能夠分擔一些煩重的資安工作,這是非常理想的。再加上我在每一台 Linux 桌面系統及 Linux 伺服器都加固了,尤其是火狐瀏覽器,這樣我就更安心了。

我就是這樣保衛我的橋頭堡 - 網絡。



Bridgehead Defense

I am not only a clerk but also an open source project developer, system administrator, penetration tester, information security (infosec) researcher. I am an information security enthusiast with OSCE, OSCP and OSWP certificates.

I have two networks at home, one of them is for production and the other is for testing purpose. There are a web server, a private cloud server, a virtual machine hosting server, two routers, an intrusion detection and prevention system (IDPS) in the production network. Meanwhile, there is a web application firewall (WAF) for the web server too.

I update all my desktops and servers; read information security articles and research reports; developing infosec related open source projects and writing blog articles every day. It is a lot of work for a amateur information security guy indeed.

Since I have programming and infosec background, I develop some infosec related open source projects, such as IDPS (Croissants) and deep learning driven WAF (Longjing).

The IDPS prevents known IP addresses with malicious intention to access my network; it prevents known malware from being downloaded or accessed; it prevents my network from being scanned by vulnerability scanners; it prevents known vulnerabilities from being exploited; and it prevents me from accessing malicious web sites. Meanwhile, I can watch 4K video and play demanding online games due to the low latency of the IDPS. All the rules are free of charge and it is compatible with popular operating systems and smartphones. It is a low cost and high performance solution.

For the WAF, it is an open source deep learning driven WAF which is mainly designed for prevent the web application from being attacked by SQL Injection (SQLi). However, it also detects Cross Site Scripting (XSS) and other vulnerabilities too. It spoofs all the web application vulnerability scanners that causing it to produce a lot of false positive results. Malicious hackers will waste a lot of time to figure out what is happened. Although the WAF is not designed for performance, the SQLi detection rate is over 99%.

It is what my open source infosec projects implemented into my network for security purpose that allows me to do my researches and infosec projects development without worry. Although no system is safe, it helps me a lot for the network monitoring. Meanwhile, I also hardened all my Linux desktops and Linux servers and including browser - Firefox. As a result, I am feeling very good for that.

It is the story about my bridgehead defense - network.