Hosting a static website with Azure

Whilst this might show my age a little, when I first set up a personal website one of the biggest challenges I faced was finding reliable low cost hosting. Many may remember hosting on “free” providers which would sneak in advertising content, whilst others would have periods of unannounced downtime or flaky upload services.

After a while, I figured the only way to host a site was to pay for the service and, with most of the free providers going away anyway, I bought up the space I needed but with creeping costs for a site I rarely used I eventually gave up doing anything much with the few domain names I kept around (largely because I had email accounts that I wanted to keep!). But a few years ago I discovered I could easily host my site entirely for free* on Microsoft Azure – and they’ve actually continued to make it easier (albeit perhaps somewhat confusingly documented!) with various improvements to the platform – so this post is all about how to get started with hosting a simple (static) site on Azure for free!

*Free, of course, is subject to some usage restrictions – not a challenge I’d like face as I noted here, but if you’re doing the same it’s worth reviewing the charging model for blob storage

NB: For the time being, I’m setting this up as a HTTP site – not HTTPS – I’ll talk about enabling HTTPS in a future post!

Setup storage for your site

1. First thing we need is to create some storage with Azure – Log into the Azure Portal and click on Storage Accounts.

2. Click on Add and then enter in a suitable Subscription, Resource Group name, Storage Account Name and Location. You can check out the various other options available, but for my purposes I found the rest of the defaults on this page just fine!

3. Click on Advanced and set the Secure Transfer Required to Disabled (for HTTP access, rather than HTTPS)

4. Click on Review + Create

5. Once it’s complete, you have your storage all set up and ready to go.

Setup your site

1. Go to your Storage Store (created in the previous section) and click on Static Website (under Settings)
2. Click Enable, and make a note of the settings here, we’ll need them later – the most important part is the Index document name (that’s our default page that you’ll be serving up) and the Primary Endpoint (which we’ll use for our cname creation process below).

3. Click Save

4. Once that’s set, we can upload our site – there’s various ways to do this, but perhaps the simplest is to use the Storage Explorer preview – if you click on this and expand your BLOB CONTAINERS you’ll find a new path called $web (the eagle eyed amongst you will have spotted that’s the page mentioned when you set up the state website). You can simply use the upload button to upload the relevant content – including any images, files, etc you want – just make sure you have a page that matches with your index document name (index.html in step 2 above!).

5. With that done, your website is live! But you’ll only be able to access it on the address described as the Primary Endpoint above (although now is a good time to test it out! Next, we’ll set up a CNAME so you can map your own address/

Setup your DNS

This activity has two activities wrapped up into one – one to verify the URL for Azure services (to prove you aren’t just abusing the service) and another that actually sets the desired cname!

1. I’m going to give examples from 123-Reg.co.uk, but other providers will offer similar features – we want to create a CNAME to the Azure storage. So I’ve logged into 123-Reg.co.uk and gone to Manage your DNS and gone to the Advanced DNS section
2. We want to create a verification cname first – this should be asverify.SUBDOMAIN – e.g. if I wanted to have my website on myweb.mydomain.com my subdomain would be myweb and the cname hostname would be asverify.myweb.
   In the screenshot below you can see (the top entry) my asverify for www.mydomain.com.
   This entry in turn should have a destination/target that is the address from the previous section called Primary Endpoint – with asverify in front again – e.g. if your Primary Endpoint was called https://storageaccountname.z22.web.core.windows.net you would set your destination/target value to be asverify.storageaccountname.z22.web.core.windows.net

3. Finally, I’m going to create my “final” CNAME – I create a second CNAME with simply www as the DNS entry, and the destination / target as the storage url – e.g. storageaccountname.z22.web.core.windows.net

Link your CNAME

1. In Azure, go to your Storage Account, and, from the menu bar on the left, select Custom Domain (it’s under Blob Service):
   

2. Set your domain name including your subdomain value – note that this time this is the actual subdomain you want to use, not including the “asverify” prefix – e.g.

3. Ensure you check the box to use indirect CNAME validation.

4. Click Save

And that should be you – live!

Exploring the Tripwire IP360 API with Python 3

I’ve been busy re-familiarizing myself with Python now that Python 3 has tweaked the syntax just enough that I kept getting frustrated that I had to double check my syntax! At the same time, Tripwire has added some great new functionality in the REST API for Tripwire IP360, the Vulnerability Management solution, and it seemed natural to start building up a repository of useful scripts exploring and leveraging the Tripwire IP360 API as a result.

Getting Started

So let’s get start with some simple functionality – logging in and getting some basic data out of the API.

First off, there’s a few useful imports we’ll end up using (I think this will cover all of my goals so whilst I may not use all these features in this post, we’ll likely come back and use these in time!):

#-*- coding: utf-8 -*-
"""
@author: Chris Hudson
"""

"""
DEPENDENCIES:
"""

""" Required for sys calls such as exit() """
import sys

""" Required to do all HTTP request calls to the API: Run 'pip install requests' to add this to your Python installation. """
import requests
import urllib3

""" Not explicitly required, but definitely polite to be able to not echo password input from the user. """
import getpass

""" Required to confirm server hostname exists and is resolveable and validate IP's"""
import socket,struct

""" Required to pull SSL certs down from the TE console """
#import ssl

""" Required to decode and display content of SSL certs for verification """
#import OpenSSL


import json

OK, now we have our pre-reqs in place, I’m going to define some variables we’ll use for our connection for our testing – of course, you’ll want these to to reflect your IP360 instance. Note that I’m taking the IP360 host and creating a new string with the full URL for the REST API – “https://”+IP360HOST+”/rest/v1”

"""
GLOBAL VARIABLES:
"""
# These are the static parameters needed for the IP360 environment connection
IP360HOST="192.168.0.72"
IP360USERNAME="ip360@tripwire.com"
IP360PASS="Tripwire"
IP360BASEURL="https://"+IP360HOST+"/rest/v1"

With our variables and imports done, I can get ready to connect. My lab environment is using a self-signed cert (I replace it regularly, although I do realise that’s no excuse for not using a proper cert!) – to handle the SSL errors I’ll use the following:

"""
BEGIN CODE:
"""


# Set up Session() to not show warnings/errors for the self-signed cert
session = requests.Session()
session.verify = False
urllib3.disable_warnings()
session.headers.update({
    "accept": "application/json, text/plain",
    "X-Requested-With": "required"
})

OK – let’s try getting some data! The following code snippets will gather users, networks, scan profiles and scan configs – some of the most common things you’d be interested in gathering:

# Get users
response = session.get(url="%s/users" % (IP360BASEURL), auth=(IP360USERNAME, IP360PASS))
response.connection.close()

# Get networks
networks = session.get(url="%s/networks" % (IP360BASEURL), auth=(IP360USERNAME, IP360PASS))
networks.connection.close()

# Get Scan Profiles
profiles = session.get(url="%s/scan_profiles" % (IP360BASEURL), auth=(IP360USERNAME, IP360PASS))
profiles.connection.close()

# Get Scan Configs
configs = session.get(url="%s/scan_configs" % (IP360BASEURL), auth=(IP360USERNAME, IP360PASS))
configs.connection.close()

And that’s it – let’s leave it for today – I’ll be back with more soon!

Building a habit tracking to-do app on Azure (part 2) – Design Thoughts

Having decided on the platform I want to use yesterday and having a few ideas on possible approaches I started sketching out some rough ideas that I hoped would help me to build my app.

First off, I wanted to consider my inputs – effectively my to-do list tracker would need to track to-dos, but what details did I need to create to-do?

• An ID – something for the application internally to track, but probably something I’d expose in my early builds so I can test (deletions, insertions, etc)
• A name – this ideally should have a short name so it was easy to present graphically.
• A detailed description – this would
• A deadline date – unlike traditional don’t break the chain style objectives, I also wanted to track shorter term habits and projects (something I couldn’t see any other apps doing) – so I wanted to add an option deadline date.
• A start date/create date – this made sense since I had a deadline date, it meant I could track days on a task, as well as “missed days” over the period. I’d default it the date the task was created – I’m not too sure if I want to allow for user editing of this as it would complicate things!
• I wanted a category field (this would help me group and possibly assist with visualising tasks).
• A deleted field (another internal field for tracking if an entry is removed)
• A completed field (the final internal field, based on the progress of a task being marked as “closed-out”)

Each day, I’d want to track progress on a to-do, so I wanted an update to include:

• Date of the update (so I can track the chain’s entry).
• A notes field (to add any comments)
• Scheduled “next day” (to allow for weekend breaks, etc) or a recurrence schedule (this might be easier from a user perspective to input for week day only tasks, etc). This would also be used to define a reminder for the task
• A “close-out”

I didn’t want to overly complicate the input requirements (again, the name of the game was to keep user “friction” to a minimum). So with that “basic” data structure in place (when I’m planning my DB I expect to split some of this into separate tables for example, as well as whether or not the task was the best place to store the “next day” data) I was free to think about how best to “input” this data. I had a few options here:

1. A form – the most simple format – just each field set one after another, with the user able to move from field to field.
2. A chat style interface – effectively wrapping the form in a “back and forth” interaction – this had the benefit of being “pleasant” to work with, but perhaps didn’t offer much flexibility and also may suffer from the issue that other “chat” apps suffer from by setting expectations of a more natural flow than chat bots can currently allow (especially in this case, since there’s no real intelligence at play). One benefit this did offer though, was a static order and requirement list (no way to skip past a stage, and, since in almost all cases, I’d be wanted to force most fields to be filled in, this is pretty tempting).

Without wanting to turn this in to a bigger piece about HCI, it always surprises me that “data entry” has never really gotten much smarter. When I think of data entry there really are only a few options universal used:

1. Serial form entry -chat like interfaces, presenting only one field to fill in at a time, although some may allow for “hidden” responses (as seen in Google Assistant interactions for example)
2. Non-serial form entry – present the full form, allow the user to move around as need be, but typically expect it to be process from top to bottom, left to right.
3. Tabular data entry – presenting data entry fields “over a grid” as seen in Excel
4. Completely free-form – e.g. a graphics package’s or Word Processor’s data entry (especially with MS Word’s ability to dynamically tab to the area a user might click to start data entry).
5. Navigable options – use space (move left, right, up, down, etc) to select a input options (as seen in Arcade game hi-score tables, etc).

It’s interesting no other inputs have been discovered. Sure, we can wrap different UI’s and metaphor’s around these (and, some would rightly argue that the above options really are close to a spectrum rather than discrete input forms in many cases) but ultimately even cutting edge voice assistants still have the same communication bottlenecks for data input.

With this in mind, my plan is to start some mockups designs as my next step – I’ll update shortly with my thoughts and design steps soon!

 

Building a to-do app on Azure

It’s the new year and many of us are making new year’s resolutions to do something new so I figured I’d try the same thing – starting with a new project to build a to-do list app that tracks and encourages my progress. Based on the (very popular at the moment) “don’t break the chain” method (or, the Seinfeld method) of making sure you always add an entry indicating that you’re keeping on track (whether that’s by doing something or not doing something is up to you), my intention is to build the app in the open, sharing my code, method, and thoughts as I go.

So, with that in mind, where did I start? Well a few decisions needed to be made:

• Platform(s): This one was easy – web. I hesitated for a brief moment, thinking about building an Android app (since I haven’t built one in years) but then I remembered that for some of the things I wanted to track progress for (updating my blog for example!) I’d already be on my PC. A web app would give me the option of updating my to-do list on whatever platform I wanted, reducing friction which, I hoped, would encourage me (and other users) to stick with it.
• Back-end: I knew I wanted to use a “modern” DB (I’ve spent a lot of time working with MySQL and MS-SQL over the years, but rarely looked into newer options) – MongoDB looks like the winner at the moment. Node.JS was a no-brainer again for the same reason as MongoDB – a modern platform that would be useful to learn!
• Front-end: I wanted to use a modern web framework for my front end – again, I’ve been building websites for years, but rarely dove into the world of modern frameworks to simplify set up… at the moment Angular is looking highly likely as my choice (since it’s often used in my day job too!).

With those out of the way (at least for now), I wanted to start thinking about what I wanted my app to be like. I know that the market place is already filled with similar ideas- some of which I liked, some of which I wasn’t so keen on:

• I’d used https://chains.cc/ in the past, but eventually lost interest- it failed to keep my attention, and was clunky on mobile.
• Day by Day on Android (https://play.google.com/store/apps/details?id=com.leoncvlt.daybyday) and found it effective, if rather simplistic. Unfortunately, one day it decided just to break, losing all my progress so I quit!
• Loop Habit Tracker – https://play.google.com/store/apps/details?id=org.isoron.uhabits – I’d seen, but not tried – this seems like a nice little app. It also made me think about creating a simple “widget” (or button press, perhaps using some puck.js I have lying around) to add to my tally easily.
• Habitica (https://habitica.com/static/home) also tempted me for a brief period – but was overly complicated for my liking – I wanted something that would be quick to enter data into and didn’t require much thinking about- Habitica is definitely a neat solution, but not the right fit for me.
• Habitbull (http://www.habitbull.com/) also tempted me but failed to keep my interest for long – I knew I needed something more to keep my interest than just trying to keep my score close to 100 to motivate me.
• I also did a very quick google image search (!) for The Seinfeld method. I know this may appear like a some what random approach to market research, but a Google Image search sometimes lets you quickly spot novel approaches to the problem area that you hadn’t considered before… but in this case, it largely revealed “manual methods” (paper versions) – I travel a lot, so big wall calendars don’t do me much good (in fact, I’ve ended up making it an excuse not to engage with it), I’m not a big fan of potentially messy things (which I fear this would become) and… I want to build an app!

With that in mind, I had a couple of ideas in mind:

• A “chat based” app, that framed your daily entries as conversations with an encouraging “coach”, sending you “messages” to see how you’re getting on with a goal
• A more visual based approach, putting building blocks together to construct something in order to drive me to keep my progress going
• A game-ified style approach, that involved a simple narrative (to collect something, like spells, parts to a car engine, etc) that would reveal something new to me each day (and, in order to keep this interesting, it would have to reveal something I hadn’t seen before)
• Or, as an alternative to the initial game-ified approach noted above, I debated a literal game portal, that unlocked new games or stories each day as a reward for completing jobs. This seemed like an impossible option to achieve (to build the content) until I realised I could “feed” it my Pocket Backlog, Amazon wishlist, itch.io wishlist, etc so I could literally reward myself for my work.

I liked all of these ideas so I decided my next step would be to sketch out what each would look like as hand-drawn prototypes tomorrow and see which appealed to me.

Free transfer of playlists from Google Play Music to Spotify…

After a lot of soul searching, I decide that I would try out Spotify after being a long term Google Play Music user. My motivation was simple- I was being mocked for my Amazon Echo’s playlist being absolutely awful! Since most of my music lived in Google Play Music and there’s no support (and unlikely to be given Amazon’s recent tiffs with Google) for Alexa controlled playback, I figured I’d tried the other big player (and no, that’s definitely not Amazon Music!).

I figured it would be possible to move my playlists, thumbs up-ed tracks easily enough but Google are kind enough to make selecting all the items on a playlist not possible so I started a web hunt… and found I’d have to pay for the pleasure. I don’t mind this as a business, but since I only have 200-300 items in total paying £10 pound (or more!) to move this seemed a bit over kill – especially since it would be a single run operation. Fortunately I did find a way:

Starting with gmusic-playlist.js

1. Grab chrome: tampermonkey extension
2. Open the gmusic-playlist.user.js script in your browser and click the install button (https://github.com/soulfx/gmusic-playlist.js/)
3. Open Google Play Music and click on the menu (top left)
4. Chose Export Playlists to generate a CSV…

Then use Playlist Convertor…

1. Take your CSV file and import it to http://www.playlist-converter.net/#/
2. Press convert and, once authorised, your playlists will be built

Easy enough with the right tools!

API’s for fun and data! Tripwire IP360

The following is a tutorial I put together to take you through the process of connecting to Tripwire’s vulnerability and exposure (VnE) virtual appliance API using Python 3, capturing vulnerability scanning data and then outputting it graphically using another web service, plot.ly.

Pre-requisites

To follow through with the following exercises you’ll need:

• An IP360 VnE virtual machine – ideally this should already have completed a scan with some data in order to provide sample data to work with (many of the examples may result in errors otherwise!).
• A machine with Python (version 3.x or greater) installed and internet access.

About IP360

Tripwire IP360 is Tripwire’s vulnerability detection tool and helps gather information about networks (what devices there are, what network address they have), how devices are configured (what applications are detected on the devices) alongside the vulnerabilities that exist on the devices.

Scanning with IP360

IP360 has two components- a Vulnerability and Exposure (VnE) Manager and Device Profiler’s (DP). The VnE directs the DP to carry out scanning on a periodic (or on demand basis) based on the settings configured on the VnE Manager.

Key Ip360 Configuration Parameters

For the purposes of this exercise we’ll touch on four of the key configuration components of IP360:

• Networks
• Scan Profiles
• Scheduled Scans
• Scan Results

Working with IP360

All of the settings noted in the previous section can be configured in the web interface. Each configuration component has its own “widget” to manage:

You can modify (or review the settings) of any component by putting a check mark against one of the items and clicking edit:

About the IP360 API

The API included with Tripwire IP360 enables users to programmatically command and control the functionality of Tripwire IP360 through the use of scripts. By using scripts, you can remotely control Tripwire IP360 and integrate it with third-party products. Programmers can take the next step and wrap those scripts in their desired code to create a useful procedure batch to be run according to their own timing and usage goals. Tripwire IP360 functionality is available through the API just like it is through the user interface, and is limited only by the availability of API calls corresponding to those functions.

API Supporting Documentation

There is supporting documentation for the IP360 API available directly from the VnE web interface on https://VNEIP/documentation/admin/Default_Left.html (replacing VNEIP with the address used by the VNE). Additionally there is a helpful utility built into IP360 to test API functionality: https://vneIP/APIExplorer.html#

In the following activities we will connect to the IP360 API and capture some data out from a recent vulnerability scan. The following examples will use Microsoft Visual Studio Code a free IDE available on multiple platforms but you can follow along in your preferred IDE if you wish!

Activity- Setting Up your IDE (Visual Studio Code)

1. Install Python 3.6.4 from https://www.python.org/downloads/ and install using the default options.
2. Visit https://code.visualstudio.com/download to download the relevant version of Visual Studio Code and install using the default options
3. Install the Python extension for Visual Studio Code from https://marketplace.visualstudio.com/items?itemName=ms-python.python
4. Launch Visual Studio Code.
5. Select your Python version From within VS Code, select a version of Python using the Python: Select Interpreter command on the Command Palette (Ctrl+Shift+P), or by using the Select Python Environment option on the Status Bar if available.

The command presents a list of available interpreters that VS Code can find automatically and should allow you to select the Python version you installed in the first step.

Activity- Connecting to IP360 and Getting Information

1. Create a new folder for your work, and open this in Visual Studio Code:

1. Create a new python file by clicking on your folder name and entering a filename ending in py (ip360.py).

1. To test your IDE you can run a simple print introduction with:

# IP360 API Tutorial Example Script

msg = "IP360 API Example"

print(msg)

4. We can then quickly run this with the following command at the debug console:

python3 ip360.py

5. Next we can start setting up our connection to IP360. First, we’ll create variables representing the username, password and network IP address of the VNE:

USERNAME = "ip360@tripwire.com"

PASSWORD = "Tripwire"

VNEADDRESS = "192.168.0.58"

6. Then we’ll import the relevant modules:

import xmlrpclib

import ssl

7. Since we aren’t using a trusted SSL certificate (see https://www.digicert.com/ssl-support/certificate-not-trusted-error.htm for more information about certificates) we need to tell Python to ignore the SSL certificate during our test script setup:

try:

    _create_unverified_https_context = ssl._create_unverified_context

except AttributeError:

    # Legacy Python that doesn't verify HTTPS certificates by default

    pass

else:

    # Handle target environment that doesn't support HTTPS verification

    ssl._create_default_https_context = _create_unverified_https_context

8. Next we’ll test our connection – we’ll create a serverproxy for the API to make it easier to interact with:

server = xmlrpclib.ServerProxy("https://"+VNEADDRESS+"/api2xmlrpc")

9. Then we can store the resulting sessionID (which we can use for later interactions with the API) by passing our username and password:

sessionID = server.login(2,0,USERNAME,PASSWORD)

10. Next we can make a call to the API. We’ll do a request against the getUserObject

result = server.call(sessionID, "SESSION", "getUserObject",{})

11. And print the results:

print "My user object is %s" % (result)

The resulting output should look something like the below:

About- Getting More data

Let’s have a closer look at how to request different data from the VnE. The server.call takes several parameters –

• a sessionid which we use to identify ourselves to the device.
• a class to call to get the relevant data,
• a method to get the relevant
• and finally, a parameters list (so far we’ve just used blank values).

Let’s look at another simple call- retrieving version information:

version = server.call(sessionID, "class.VNE", "getVersionInfo",{})
print "VnE version information is %s" % (version)

Our server.call is very similar to the one we used to retrieve our user object information – except this time we have a new class (class.VNE) and method (getVersionInfo). If you’re not too sure what Class and Method options you have, you can have a look in the Help for IP360’s API:

Alternatively, you can use the API Explorer to look at what the Request XML was:

In the API Explorer when you run a search you can click on the Show Request XML

to give you a window with the request XML used by the Explorer utility- in here you can see the class and method called:

Activity- Getting more data

We’re going to build on our simple examples from the previous steps to get more information- let’s start with getting the most recent audit (scan) that occurred on the network:

audit = server.call(sessionID, "class.Audit", "fetch", {'limit' : 1, 'sortBy' : 'id', 'sortOrder' : 'descending'})
print audit

For my test system I get back the audit id of 4. Now we have an audit, we can check what hosts where scanned as part of that audit:

hosts = server.call(sessionID, "class.Host", "fetch",{'query' : 'audit = \'%s\'' % audit})

print hosts

This gives me a list of hosts…

but not a lot else, so let’s use that data to get more info. First, we need to know what attributes we’re trying to get data for so we ask the Class.Host for an attribute list with the method getAttributes:

attributes = server.call(sessionID, "class.Host", "getAttributes", {})

print "Attributes for a host includes:"

print attributes

giving us:

Attributes for a host includes:

['audit', 'customScore', 'customer', 'domainName', 'hostScore', 'id', 'ifaceMacAddress', 'ipAddress', 'macAddress', 'name', 'netbiosName', 'network', 'os', 'osFprint', 'portSignature', 'tarpit', 'timeStamp', 'vulnerabilities']

OK, now we know what all our attributes are, we can ask for each of these

# Let's pick a single host to test with for now:

host = "Host.30"

and ask for each of the host’s attributes with a for loop working through each (attrib) in attributes:

print "Host details"

for attrib in attributes:

    hostdetail = server.call(sessionID, host, "getAttribute", {'attribute': a, })

    print attrib + ":"
     print hostdetail

Now we’ve got some interesting data like how well it’s scored, what it’s address is, etc.:

hostScore:

565

netbiosName:

network:

Network.2

os:

OS.20

osFprint:

/

portSignature:

126530483294762351

tarpit:

False

timeStamp:

1517330219

vulnerabilities:

2

What if we wanted to get all the IP addresses and scores for ALL the hosts- well we can do that with another for loop

OK, how about getting the IP and scores for all the hosts?

for h in hosts:

    #Get the host IP

    hostIPaddress = server.call(sessionID, h, "getAttribute", {'attribute':'ipAddress'})

    # And it's score

    hostScore = server.call(sessionID, h, "getAttribute", {'attribute':'hostScore'})

    # Print them

    print "Host: " + hostIPaddress + " scored: "

    print hostScore

Now I have some IP’s and scores:

Host: 192.168.12.250 scored:

12282

Host: 192.168.12.99 scored:

36429

Host: 192.168.12.101 scored:

0

(Optional) Activity- Getting Even More data

From the examples in the previous section you can see how we can get some score data that we’ll use later in our integration example, but there’s much more data in the API you might be interested- have a look at the example below that shows the vulnerability details for all the detected vulnerabilities (so you can see the port, protocols, and details from your scanning:

# Carrying on from before, and now we have some hosts, let's get some vuln results

vulns = server.call(sessionID, "class.VulnResult","search",{'query' : 'host = \'%s\'' % host})

print vulns

# Not very interesting - we want the vulnerability details:

attributes = server.call(sessionID, "class.vulnResult", "getAttributes", {})

print "Attributes for a vulnresult includes:"

print attributes

for v in vulns:

    for a in attributes:

        vulnDetails = server.call(sessionID, v, "getAttribute", {'attribute': a})

        print a+":"

        print vulnDetails

 

Now that you have some data from IP360 we can have a look at using the data in an interestingly way. There’s a variety of visualisation frameworks available for Python but for our purpose’s we’ll use Plot.ly – a free web service that lets you create graphs from your data.

Activity- Creating an Account

1. Create a free account on plot.ly (https://plot.ly/ by entering your email address, desired username and password:
2. Once registered you can get your API key via https://plot.ly/settings/api (HINT: you may need to click “Regenerate Key” to show the API key value)

Activity- Installing and Connecting to your Account

1. Logon to your Linux machine or Visual Studio and get the dependencies for running Plot.ly (if you’re using Visual Studio code you can run this in the terminal window):

sudo apt-get install imagemagick libmagickcore-dev libmagickwand-dev libmagic-dev

sudo apt-get install imagemagick

2. Install plot.ly:

sudo pip3 install plotly

pip3 install plotly –upgrade
# Used to generate random data for testing
pip3 install numpy

or, if you’re in the visual Studio Code terminal you can run pip install plotly and pip install numpy directly:

3. We can now create a test python file to verify your account. In Visual Studio code you can simply add a new .py file:
4. In the new plot.ly import the plot.ly toolset and add your credentials (don’t forget to update your username and APIkeyfield values):

import plotly

plotly.tools.set_credentials_file(username='yourusername', api_key='yourAPIkeyHere')

import plotly.plotly as py

import plotly.graph_objs as go

5. Now we can generate some test data to work with quickly using numpy:

# Create random data with numpy

import numpy as np

N = 500

random_x = np.linspace(0, 1, N)

random_y = np.random.randn(N)

6. Now we can plot this data with:

# Create a plot

trace = go.Scatter(

    x = random_x,

    y = random_y

)

data = [trace]

py.iplot(data, filename='basic-line')

7. When we run the script we can check the results out on the Plot.ly file pages: https://plot.ly/organize/home/

Now that we have both IP360 and Plot.ly configured we can combine the two to presenting the data graphically.

Activity– Combining IP360 and Plot.ly

1. Let’s start by repeating our plot.ly setup

import plotly

plotly.tools.set_credentials_file(username='yourusername', api_key='yourAPIkeyHere')

import plotly.plotly as py

import plotly.graph_objs as go

2. Then get data from IP360 and add them to a list (the xval for the x-axis, and yval for the v axis)

# Get data from IP360

print "************************************************"

xval = []

yval = []

for h in hosts:

    #Get the host IP

    hostIPaddress = server.call(sessionID, h, "getAttribute", {'attribute':'ipAddress'})

    # And it's score

    hostScore = server.call(sessionID, h, "getAttribute", {'attribute':'hostScore'})

    xval.append(hostIPaddress)

    yval.append(hostScore)

print "************************************************"

print xval

print yval

print "************************************************"

3. Finally, we can generate a graph with our data. This time we’ll create a bar chart, so the code will look like:

# Create a bar graph

data  = [go.Bar(

    x = xval,

    y = yval

)]

py.iplot(data, filename='basic-bar')

4. This will give you a new graph on the Plotly site looking something like the graph below:

Moving on

There is a lot more you can do with the data and plot.ly API – for example:

IP360 Data:

• You can pull back individual vulnerabilities, or applications from the data- a stacked bar graph showing applications on hosts, or vulnerability counts can easily be built from the foundations in the previous sections.

Presentation:

• Change the colour of the graphs: https://plot.ly/python/bar-charts/#customizing-individual-bar-colors
• Adding labels that appear when you hover over them: https://plot.ly/python/bar-charts/#bar-chart-with-hover-text
• Have a look around the plot examples: https://plot.ly/python/#3d-charts and you’ll see the wide variety of charts you can create with example code you use!

Android Development – Quick Start with PhoneGap (Part 1)

When I mention to people I write the Android app or two they’re surprised I find the time to put an app together before they dive into their most recent app idea (before conceding that it’s already be done by someone beforehand except for “one little thing” but that’s another story) and explain that they wish they could “do an app”. I usually use this moment to point out how many kids (literally high school students) have a pretty good grip on app development and although a few suggest that’s because “kids today” supposedly have a better grasp on technology (a point I’d often debate but I’ll save that story for another day) and then typically find the room going quiet (social engagement is not my top skill in fairness so I normally use this chance to escape the conversation and go see if I can make another drink last a bit longer or if there’s a dog somewhere in the house I can visit)…

Every so often this conversation goes the other way and someone asks “how”. Thanks to application frameworks it’s actually quite easy to go from idea to prototype and even a fully functional application for many so I figured I’d do a quick series on how to get started with Phone Gap. For those interested, I’m going to be using Windows 10 (although all the frameworks mentioned are multi-platform) and I’ll be using the latest versions of everything so be careful if you’ve got an older build!

So, with the preamble out of the way, let’s get Phone Gap installed (we can talk about downsides and limitations of PhoneGap based apps shortly, but for now let’s see how quick we can set up a full dev environment!).

Getting the Environment Going

1. Install Java: Download and Install Java – you can grab it directly from www.java.com (you need it for Android Studio which we’ll use largely for it’s emulator).
2. Install AS: Download and install Android Studio – https://developer.android.com/studio/index.html
   Make a note of install paths, but otherwise you can chose the defaults and launch Android Studio – once launched, you can once again accept the defaults to launch Android Studio.
3. Check you have the right components: Once it’s installed and started up, you may want to double check the emulator’s we’re planning on using were installed successfully- to do so you can run the Android SDK Manager from the Start Menu but make sure you right click and chose (in Windows 10 from the more menu) the option to “Run as an Administrator” as by default it won’t have permission to install these items.
   In the package manager make sure you’ve got the Google API’s Intel Atom System Image ticked and installed. I actually had a bit of a fight getting this installed seemingly due to a checksum error (https://stackoverflow.com/questions/47719420/sdk-platform-android-8-1-0-cant-download talks about this a bit) – the short fix for this is:
   A) Grant yourself read-write permissions to “C:\Program Files (x86)\Android\”
   B) Go to “C:\Program Files (x86)\Android\android-sdk\temp” and extract “platform-27_r01.zip” . The resulting folder with have in it a single folder entitled “android-8.1.0”.
   C) Rename the “android-8.1.0” folder to  “android-27”.
   D) Copy the “android-27” folder to the path “C:\Program Files (x86)\Android\android-sdk\platforms”.
4. Install NodeJS: Download and install NodeJS from https://nodejs.org/en/ – you can chose the LTS version (8.9.4 LTS at the time of writing) choosing the next-next-next finish default options!
5. Install PhoneGap: Grab PhoneGap from https://www.phonegap.com/getstarted/ again choosing the next-next-next finish default options!
   I’d highly recommend once this is installed adding the PhoneGap CLI – you can do so by simply launching a command prompt and entering:
   npm install -g phonegap
6. Install Cordova: We’ll also use Cordova (to link the simulator and app)- again, since we have NPM installed already you can do so by simply launching a command prompt and entering:
   npm install -g cordova

You should now have all the basics together for your development environment. Next time we’ll start putting together a quick app for us and testing it out on the emulator.

From nothing to graphs in 2 minutes straight

I’ve only just started dipping my toes back into Python again after spending a long away (version 3 is a breath of fresh air!). In recent months it’s felt as if I could hardly surf the web without hitting a wave of python examples showing you how to do something neat but looking for something simple yet rewarding to get started on wasn’t quite as simple as I hoped.

So, after a bit of messing around (my preferred method of Rapid Development: Fail Until You Don’t), I figured I’d share the steps to getting something nice out of Python that took me less than two minutes to setup. For now, we’ll just generate a pretty looking graph based on random data, but hopefully you can see how you’d easily tweak this to run against any data you have handy…

NB: For my purposes I was using the rather neat functionality of Ubuntu on Windows 10 (which is a massive time saving in comparison to my ancient practice of installing an OS on a VM every time I wanted a terminal session to work with)- if you want to follow along you can simply setup the Ubuntu shell as per Microsoft’s install guide (https://docs.microsoft.com/en-us/windows/wsl/install-win10) and once you’re at the command prompt you’re good to go:

1. Create a free account on ploty: https://plot.ly/feed/
2. Then get your API key: https://plot.ly/settings/api (you’ll need to click regenerate a visible key)
3. Logon to your Ubuntu box and get the dependencies:

sudo apt-get install imagemagick libmagickcore-dev libmagickwand-dev libmagic-dev

sudo apt-get install imagemagick

4. Install plotly:

sudo pip3 install plotly

pip3 install plotly –upgrade

# Used to generate random

pip3 install numpy

5. Launch python and test you can draw stuff:

python3

import plotly

plotly.tools.set_credentials_file(username='yourusername', api_key='yourAPIkeyHere')

import plotly.plotly as py

import plotly.graph_objs as go

# Create random data with numpy

import numpy as np

N = 500

random_x = np.linspace(0, 1, N)

random_y = np.random.randn(N)

# Create a trace

trace = go.Scatter(

    x = random_x,

    y = random_y

)

data = [trace]

py.iplot(data, filename='basic-line')

and you’ll get yourself a link to your plotly online profile and a resulting pretty graph which is surprisingly pleasing.

 

 

The Apps I still use

A long time ago I use to have a long of list of applications that’d I’d work my way through on my PC whenever I reinstalled Windows but in the past few years the frequency of me reinstalling Windows has shrunk significantly and so too has the list of app’s I install.

• Microsoft Office – Still more powerful than the rest, still a little bit buggy, but nothing seems to come close to matching the flexibility of this suite.
• VLC Player – Only video player you’ll probably need
• Chrome – Would love to embrace Edge but mobile sync is still woefully lacking and testing web content means you’ve really got to have more than one browser on your machine anyway
• NotePad++ – Powerful yet lightweight, NotePad++ replaces Notepad in the way Microsoft should’ve done years ago (at least replace WordPad!)
• Visual Studio Code – a new entry, just replacing Sublime text for being marginally more flexible for my needs.
• Windirstat – Disk space will run out – and this is the only tool that remains adware free and quick to analyse even big volumes
• Steam – I probably shouldn’t install this really as it’ll tempt me back to the store, but it’s where all the games are (in time I may end up installing GOG and Itch but Steam is typically on the need to have list).
• Jing – Helpful for making quick screen recordings. Equally, Greenshot gets a special mention for being useful for screenshots although OneDrive’s ability to autosave when I print-screen nearly replaces my number one use of Greenshot more often than not…
• Teamviewer – For remote support (of others!)

It’ll be interesting to see if another app/function ever makes it on to this list in the future as it feels like a lot of this list has remained pretty static despite countless apps trying and failing to replace the above over recent years.

Debugging Javascript with Chrome – a single screenshot starter

Based on Google’s own video, here’s a single screenshot intro to troubleshooting javascript with Chrome’s Dev tools