Monday, January 29, 2024

Laravel: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.php,index.html) found, and server-generated directory index forbidden by Options directive, referer

Error Message

Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.php,index.html) found, and server-generated directory index forbidden by Options directive, referer

When?

We hit the error above while hosting a Laravel application in a PHP container, as soon as we requested the application's root URL.

The reason for this error message

When the application URL is requested, Apache looks for an index file in the document root, but that folder contains no index.html or index.php: Laravel keeps its index.php in the /public subfolder.

That is why we get this error.

 

For security reasons we disable directory listing with the following option, which stops Apache from showing the files and folders of a directory that has no index file:

 

Options -Indexes

 

If we instead set the following option, the error goes away and Apache starts listing folders and files, but the application still does not work:

Options +Indexes

 

A proper fix for this error message

 

There are multiple ways we can fix this issue.

 

Method 1: Set the document root to the public folder (/var/www/html/public) in the httpd.conf file.

Method 2: Put the following rules in the .htaccess file at the application root (this needs mod_rewrite enabled and AllowOverride permitted for that directory):

<IfModule mod_rewrite.c>
    Options +FollowSymlinks
    RewriteEngine On
    # Leave requests for existing files and directories alone
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    # REQUEST_URI starts with a slash, so match on "/public", not "public"
    RewriteCond %{REQUEST_URI} !^/public
    # Send everything else into the public folder, where Laravel's index.php lives
    RewriteRule ^(.*)$ public/$1 [L]
</IfModule>
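A quick way to check a vhost for the two settings discussed in this post (the document root pointing at public/, and directory listing switched off) is to grep the config rather than wait for the error. The script below is an added example, not code from the original post or from Laravel; both vhost files it writes are constructed samples, and the finding names are the script's own.

```shell
#!/bin/sh
# Added example, not part of the original post: audit an Apache vhost file for
# a DocumentRoot that points at Laravel's public/ folder and for directory
# listing being switched off with Options -Indexes. The two sample vhost files
# written below are constructed; the finding names are this script's own.

# audit_vhost FILE: prints "ok" and returns 0 when the file passes; otherwise
# prints one finding per line and returns 1.
audit_vhost() {
    file="$1"; rc=0
    # First DocumentRoot directive, with or without quotes
    docroot=$(sed -n 's/^[[:space:]]*DocumentRoot[[:space:]]*"\{0,1\}\([^"[:space:]]*\).*/\1/p' "$file" | head -n 1)
    case "$docroot" in
        */public|*/public/) ;;
        *) echo "docroot-not-public:${docroot:-unset}"; rc=1 ;;
    esac
    # An Options line that turns listing on: "Indexes" or "+Indexes"
    if grep -Eq '^[[:space:]]*Options[[:space:]]+([^#]*[[:space:]])?[+]?Indexes' "$file"; then
        echo "indexes-enabled"; rc=1
    fi
    # No Options line that explicitly turns listing off with "-Indexes"
    if ! grep -Eq '^[[:space:]]*Options[[:space:]]+([^#]*[[:space:]])?-Indexes' "$file"; then
        echo "indexes-not-disabled"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo ok; fi
    return "$rc"
}

# write_samples DIR: writes DIR/bad.conf (the setup that produces the error,
# with listing enabled) and DIR/good.conf (Method 1 plus Options -Indexes).
write_samples() {
    cat > "$1/bad.conf" <<'EOF'
<VirtualHost *:80>
    DocumentRoot /var/www/html
    <Directory /var/www/html>
        Options +Indexes FollowSymLinks
        AllowOverride All
    </Directory>
</VirtualHost>
EOF
    cat > "$1/good.conf" <<'EOF'
<VirtualHost *:80>
    DocumentRoot "/var/www/html/public"
    <Directory "/var/www/html/public">
        Options -Indexes +FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>
EOF
}

# Stand-alone demo on the constructed samples
dir=$(mktemp -d)
write_samples "$dir"
for name in bad good; do
    echo "== $name.conf"
    audit_vhost "$dir/$name.conf" || true
done
rm -rf "$dir"
```

Run it against a real vhost with `audit_vhost /etc/httpd/conf.d/laravel.conf` (path assumed); the bad sample reports all three findings, the good one prints ok. The check only reads the first DocumentRoot and the Options lines of the given file, so a `-Indexes` that lives in an .htaccess file is not seen.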

Monday, September 18, 2023

Four major roles or entities of GDPR

 


Data subject

A person who can be directly or indirectly recognized by an identifier, such as a name, an ID number, location information, or characteristics related to their medical, physiological, genetic, mental, economic, cultural, or social identity, is referred to as a "data subject."

In other terms, a data subject is any individual who is still alive whose personal information may be obtained and used.

Data subjects have a number of rights under the General Data Protection Regulation (GDPR), including the right to access their personal information, the right to have inaccurate information corrected, and the right to be forgotten.

Some examples of instances of data subjects are:

- Staff members of the business

- Suppliers to the business

- Clients of a physician

- Pupils in a school

Data controller

A person or organization that chooses the objectives and tools for processing personal data is known as a data controller. To put it another way, the data controller determines what information is gathered, how it is utilized, and how long it is kept on file.

Data controllers can be public or private organizations, and they can be large or small. Some examples of data controllers include:

- Public institutions that gather residents' personal information

- Healthcare organizations that gather patient information

- Institutions that collect data about students

- Social media sites that gather user information

 

In accordance with General Data Protection Regulation legislation, data controllers have a variety of obligations, including:

- Getting the subject's consent before collecting and using their personal information

- Clearly explaining to users how their data is used

- Providing data subjects with the ability to view and manage their data

- Taking measures to protect the security of their data

Data Processors

An entity that handles personal data processing on behalf of a data controller is known as a data processor. In other words, the data processor does not control the types of data that are gathered, how they are used, or how long they are stored. The data processor merely executes the data controller's commands.

Data processors can be public or private organizations, and they can be large or small. Some examples of data processors include:

- SaaS providers

- Cloud computing providers

- IT service providers

- Marketing agencies

- Credit card processors

- Payment processors

Data processors have a number of responsibilities under data protection laws, such as:

- Processing personal information only as directed by the data controller

- Protecting the privacy and security of personal data

- Ensuring that the rights of data subjects are upheld

- Working cooperatively with the data controller to address inquiries from data subjects

Data protection officer

The person in charge of ensuring that an organization complies with data protection rules is known as a data protection officer (DPO). The DPO serves as an independent and neutral advisor to the management of the organization on all matters pertaining to data protection.

The DPO's responsibility is to make sure the company complies with all relevant data protection laws and rules. This comprises:

- Advising the organization on its policies and practices regarding data protection

- Monitoring the organization's data processing activities to guarantee compliance

- Carrying out data protection impact assessments (DPIAs)

- Addressing requests from data subjects

- Collaborating with the data protection authorities


Saturday, September 16, 2023

GDPR in General


GDPR is a very important aspect for product companies that provide a SaaS solution for the EU. GDPR gives data subjects (all EU citizens) more control over their personal data, including the following rights:

- The right to access their personal data

- The right to erase their personal data

- The right to object to the processing of their personal data

It also provides guidelines for data controllers and data processors on handling personal data.

Product companies need a proper understanding of the data controller's responsibilities so that they can convert those responsibilities into controls in the application, and on top of that they have to adhere to the data processor rules while handling personal data.

Stop automatic security updates while the AWS EC2 instance is launching

We recently had a bad experience with automatic security updates. Our application is hosted in the AWS environment, and our instances are auto-scaled based on usage. We unexpectedly encountered a production problem, and after some investigation we discovered that newly scaled instances were to blame. Further investigation revealed that it was caused by a security upgrade that took place just before the instance started. Because it is a production environment, we decided to halt the automatic security update until the code was fixed.

On first boot of an Amazon Linux AMI, any user-space security upgrades rated critical or important are installed from the package repositories before services such as SSH start.

The steps we took to halt the security update at first boot are listed below.

Step 1: SSH to the EC2 instance and switch to the root user.

Step 2: Open the cloud.cfg file for editing:

                vi /etc/cloud/cloud.cfg

Step 3: Change the repo_upgrade property. By default it is:

                repo_upgrade: security

Change it to:

                repo_upgrade: none

Step 4: Roll back the problematic update (yum records each update as a numbered transaction, shown by `yum history`):

                yum history undo <transaction id>

Step 5: Create an AMI from this instance.

Step 6: Update the launch template to use the created AMI.

Step 7: Update the auto scaling group to use the most recent version of the launch template.

 

The following URL was helpful for us to achieve this:

https://aws.amazon.com/amazon-linux-ami/faqs/#:~:text=To%20disable%20the%20security%20update%20on%20boot%20when%20rebundling%20the,%3A%20security%20to%20repo_upgrade%3A%20none
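The edit in Step 3 is easy to get wrong by hand on an instance that is about to be imaged, so it is worth scripting it and reading the value back before creating the AMI. The script below is an added example, not from the original post or from AWS: it assumes a cloud.cfg with a top-level `repo_upgrade: <value>` line as on Amazon Linux, and the sample file it writes is a constructed fragment, not a real cloud.cfg.

```shell
#!/bin/sh
# Added example, not part of the original post: apply the Step 3 change to a
# cloud-init config file without hand-editing it, and read the setting back so
# it can be verified on the instance before the AMI is created. Assumes a
# cloud.cfg with a top-level "repo_upgrade: <value>" line, as on Amazon Linux;
# the sample written below is a constructed fragment.

# get_repo_upgrade FILE: print the current repo_upgrade value, or "unset".
get_repo_upgrade() {
    value=$(sed -n 's/^repo_upgrade:[[:space:]]*//p' "$1" | head -n 1)
    if [ -n "$value" ]; then printf '%s\n' "$value"; else printf 'unset\n'; fi
}

# set_repo_upgrade FILE VALUE: rewrite the repo_upgrade line to VALUE, keeping
# a FILE.bak copy of the original; append the line if the file has none.
# The anchored "^repo_upgrade:" leaves keys such as repo_upgrade_exclude alone.
set_repo_upgrade() {
    if grep -q '^repo_upgrade:' "$1"; then
        sed -i.bak "s/^repo_upgrade:.*/repo_upgrade: $2/" "$1"
    else
        cp "$1" "$1.bak"
        printf 'repo_upgrade: %s\n' "$2" >> "$1"
    fi
}

# write_sample_cfg FILE: constructed fragment with the default from the post.
write_sample_cfg() {
    cat > "$1" <<'EOF'
# constructed sample, not a real cloud.cfg
users:
 - default
repo_upgrade: security
repo_upgrade_exclude:
 - kernel
EOF
}

# Stand-alone demo on a temporary copy; on a real instance the target is
# /etc/cloud/cloud.cfg and the script must run as root.
demo=$(mktemp)
write_sample_cfg "$demo"
echo "before: $(get_repo_upgrade "$demo")"
set_repo_upgrade "$demo" none
echo "after:  $(get_repo_upgrade "$demo")"
rm -f "$demo" "$demo.bak"
```

On the instance itself the call is `set_repo_upgrade /etc/cloud/cloud.cfg none` followed by `get_repo_upgrade /etc/cloud/cloud.cfg`, which should print `none` before Step 5 is carried out. Running it twice is harmless: the line is replaced, not duplicated.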

Thursday, August 17, 2023

How to use Draw.io to make a diagram with an animating arrow

 As an architect, I drew my architecture diagrams primarily using draw.io. In this article, I'll discuss my experience using the free draw.io application to create animated arrow gif diagrams.

Step 1: Draw a diagram for whatever you need.

Step 2: Select only connectors.

Step 3: A property pane appears in the right-hand style panel once all of the connectors have been selected. Choose flow animation from the property list.


 
Following that, the diagram shows an animated arrow.

This diagram with the animated arrow cannot be downloaded directly, as draw.io does not offer a GIF download option.

The animated diagram can be obtained in a variety of indirect ways, but I'll discuss the methods I took on a Windows machine.

I captured the screen using a snipping tool and converted MP4 to GIF using cloudconvert.com.

Step 1: Launch the snipping tool.



Step 2: In the snipping tool, select the record option and then select new.

Step 3: Select the diagram you want to record. A few seconds snippet is enough.

Step 4: Save that screen recording in MP4 format.

Step 5: Upload that MP4 file to https://cloudconvert.com/mp4-to-gif and click convert

Step 6: Once it is converted, download the converted file in GIF format.

 


Sunday, July 2, 2023

Why is AI such a hot topic at the moment?

These days, artificial intelligence is a hot topic. There is a definite exponential tendency in web searches and mentions about artificial intelligence. AI is not something new.

In 1956, the phrase "artificial intelligence" was first coined.

ELIZA, the first programme for natural language processing, was developed in 1966.

Shakey, the first general-purpose mobile robot, was completed in 1972.

Invention of the WABOT-1 humanoid robot occurred in 1973.

In 1997, IBM's Deep Blue became the first computer to defeat a reigning world chess champion when it beat Garry Kasparov.

Year 2002: The Roomba vacuum cleaner introduced the entry of AI into the home for the first time.

AI improved significantly after 2010 and is now utilized by numerous businesses.



 

Today, AI is pervasive. Because it can effectively address complicated problems in a variety of areas, including healthcare, entertainment, banking, and education, it is becoming increasingly important for the modern world. Our daily lives are becoming faster and more comfortable as a result of AI.

Even though the concept of AI has been around for a while, the development of cloud technology has made it simpler to put into practice. Companies like Google Cloud, Amazon Web Services, Microsoft Azure, and others stepped up their research efforts to improve their algorithms for machine learning, analytics, computer vision, and natural language processing tools. These developments have increased interest in AI. Data storage and retrieval in the cloud are now affordable. In the cloud, we have access to computing power on demand. Cloud-based machine learning services make it relatively simple to create predictive models. The SaaS sector also drives the advancement of AI technologies: companies that offer SaaS products need to focus more on AI to expand their feature set. Some of the benefits listed below can be taken into account for product development.


 

Artificial intelligence is the ability of machines to learn from experience, adapt to new inputs, and carry out jobs that humans carry out. The term is made up of the words "artificial" and "intelligence," where "artificial" refers to something that is "man-made" and "intelligence" refers to something that has "thinking power."

The word "AI" is used to refer to all machine intelligence. We use a variety of technologies to give machines human-level ability to sense, comprehend, plan, act, and learn. Machine learning, natural language processing, computer vision, and other technologies are all part of the general AI landscape.

 

Machine learning: Machine learning is one of the core components of AI. It can be broadly defined as a machine's ability to replicate intelligent human behaviors, and many machine learning algorithms are used to create AI behaviors. Deep learning is a subset of machine learning in which a neural network attempts to simulate the behaviour of the human brain.

Natural language processing (NLP): Natural language processing (NLP) is the part of artificial intelligence (AI) that enables computers to understand, produce, and manipulate human language. It makes it possible for computers and people to interact.

Computer vision: Computer vision enables machines to see, understand, and respond to their surroundings. In order to comprehend image content (graphs, tables, PDF files, and videos), this uses deep learning and pattern detection.

Speech: A variety of speech-to-text, text-to-speech, speech translation, and other conversions are done using this technique. It makes use of natural language processing techniques to allow natural conversation with machines.

Robotic Process Automation: Automating repetitive, rule-based operations like typing, form-filling, invoice processing, etc. would be made easier with the help of this process automation. This will be accomplished via optical character recognition, machine learning, and natural language processing.

Smart Analytics: Smart analytics refers to the automated data analysis and insight discovery process that uses machine learning and artificial intelligence. Fraud detection, risk assessment and price optimisation use smart analytics.

 



 

AI systems are designed with the goal of reducing human error and working independently to minimize human effort. This is done by analyzing human behavior and using the findings to create intelligent systems: observing how people act, learn, and make decisions in specific circumstances, and how they complete straightforward tasks, and then applying those solutions to build intelligent systems.

Since AI is so popular many industries use it. AI technology will become a concern if it is not used appropriately. There are challenges to be overcome with AI, just like with any other technology.

Requires high-end computers: The hardware and software needed for AI are quite expensive, and they need a lot of maintenance to keep up with modern demands.

Can't think out of the box: Despite the fact that artificial intelligence is enabling us to create smarter machines, these computers still cannot perform tasks that are outside their training or programming.

No feelings and emotions: Even though AI machines have the potential to function exceptionally well, they are unable to develop any sort of emotional connection with people since they lack feelings. If the necessary precautions are not taken, this can occasionally be dangerous to users.

Increased dependency on machines: People are becoming increasingly dependent on technology as a result of its advancement, which is also causing them to become less mentally capable.

No Original Creativity: Because humans are so imaginative and creative, AI computers cannot match this level of human intelligence and cannot be inventive or creative.

Enterprises are increasingly depending on artificial intelligence to make important choices as it establishes deeper roots in every sphere of business. Artificial intelligence has grown everywhere, used for everything from harnessing AI-based innovation to improving customer experience and optimising profit. This transition to artificial intelligence has been made possible by the ease that small and medium-sized businesses are now able to utilise AI, ML, deep learning, and neural networks.

The coming years may also see a collaborative link between humans and machines, which will strengthen cognitive skills and talents and increase overall productivity, in contrast to prevalent misconceptions that AI will replace humans across job roles.


Monday, June 12, 2023

Why do DDoS attacks happen?

 Like just about every company, Our Company has experienced an attempted DDoS (distributed denial of service) attack on our product surface area over the past couple of years.

In the case of our company, it had no significant effect because of the strong security measures built into our system. As part of a standard application security examination, we detected this attack and “stopped” those requests at an early stage. I, as CTO, then informed the Exec Team of the incident, stating that we had received a high-level DDoS attack. It appeared that the perpetrator was from Russia (see below) and was attempting to attack our application via a German VPN, which we immediately blocked.

Too many companies try to hide or understate the severity of attempts to breach their cyber security defences, but I wanted to write this post because, by sharing information on real-life examples, we can help others ensure their cyber defences are as robust as possible.




Some of the questions for me were:

Why try to attack our application? What benefit is there to the attacker from attacking us?

Why did the hackers choose Our Company?

I believe these are questions that should be asked, not just for us, but for most companies.

Initially, I had no answers to those questions. I started investigating and believe that the following could be some of the causes:

1. Activism through hacking

2. Political motivation

3. Retaliation

4. Negative brand image

5. For pleasure or learning

In our situation, I believe it was purely for pleasure, and the popularity of our product may be one reason for the attention.

The following are the various types of DDoS assaults.

1. Application layer attack / Layer 7 attack: The attacker uses several bots or services to send HTTP or HTTPS requests to the application at a high rate. The most frequent type is an HTTP "flood attack", in which the attacker uses bots to send HTTP GET or POST requests to the server from many different IP addresses. This attack is tough to counter since the attacker keeps changing identity and IP address.

2. Protocol attack / Layer 3 or Layer 4 attack: Protocol-based attacks exploit a weakness in OSI Layer 3 or Layer 4. The TCP SYN flood is the most common protocol-based DDoS attack, in which a stream of TCP SYN requests directed at a target can overwhelm it and render it unavailable.

3. Volumetric Attack: These types of attacks try to cause congestion by absorbing all available bandwidth between the target and the entire Internet. Large amounts of data are transmitted to a destination via amplification or another method of creating massive traffic, such as botnet requests.

In our scenario, we were targeted at the application layer.

To prevent these types of attacks, My Digital have developed numerous preventative approaches. The following are some of the ways of preventing DDoS attacks:

1. Create an effective monitoring system. Continuous monitoring is the method in which an organisation continuously monitors its applications, IT systems, and networks in order to detect security threats, performance difficulties, or non-compliance concerns in an automated manner. The goal is to detect potential problems and threats in real time and solve them as soon as possible.

2. Identify problems early in the development process. Follow the OWASP Top 10 best practices when writing code and perform static and dynamic code analysis to detect any early vulnerabilities. To secure applications, employ open-source code vulnerability tools to detect any open-source library vulnerabilities.

3. Create a strong internal and external security network. Avoid exposing unnecessary ports and IP addresses. To prevent malicious activities, use a good network firewall, intrusion detection tools, and endpoint security. Use a web application firewall at the application level.

4. Use your cloud provider's best practices. All cloud providers offer best practices and tools to safeguard the environment and applications. To avoid an attack, follow their best practices.

Build redundancy and practical backup procedures on top of all of this to eliminate single points of failure.
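Point 1 above, continuous monitoring, is what let the application-layer flood described in this post be spotted early. The smallest useful version of that detection is a per-source request rate taken from the web server's own access log. The script below is an added example, not from the original post or from any product named in it: it counts requests per client IP per minute over constructed Apache combined-format log lines and flags any IP above a threshold, which is how a single-source HTTP flood shows up in a log. Both the log lines and the threshold are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original post: the simplest form of the
# continuous monitoring in point 1, run over constructed access-log lines.
# Requests are counted per client IP per minute and any IP above a threshold
# is reported. The log lines and the threshold are constructed/assumed.

# flood_sources FILE THRESHOLD: print "ip minute count" for each client IP
# with more than THRESHOLD requests in any one-minute bucket, highest first.
flood_sources() {
    awk -v limit="$2" '
        {
            minute = substr($4, 2)               # strip the leading "["
            sub(/:[0-9][0-9]$/, "", minute)      # drop the seconds
            n[$1 SUBSEP minute]++
        }
        END {
            for (k in n) {
                split(k, p, SUBSEP)
                if (n[k] > limit) print p[1], p[2], n[k]
            }
        }' "$1" | sort -k3,3nr
}

# write_sample_log FILE: constructed Apache combined-format lines.
# 203.0.113.7 sends 6 requests within one second, 198.51.100.20 sends 4
# spread over two minutes, 192.0.2.5 sends 1.
write_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.7 - - [12/Jun/2023:10:00:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "python-requests/2.28"
203.0.113.7 - - [12/Jun/2023:10:00:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "python-requests/2.28"
203.0.113.7 - - [12/Jun/2023:10:00:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "python-requests/2.28"
203.0.113.7 - - [12/Jun/2023:10:00:01 +0000] "POST /login HTTP/1.1" 200 512 "-" "python-requests/2.28"
203.0.113.7 - - [12/Jun/2023:10:00:01 +0000] "POST /login HTTP/1.1" 200 512 "-" "python-requests/2.28"
203.0.113.7 - - [12/Jun/2023:10:00:01 +0000] "POST /login HTTP/1.1" 200 512 "-" "python-requests/2.28"
198.51.100.20 - - [12/Jun/2023:10:00:05 +0000] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.5 - - [12/Jun/2023:10:00:12 +0000] "GET /about HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Jun/2023:10:00:40 +0000] "GET /pricing HTTP/1.1" 200 1536 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Jun/2023:10:01:02 +0000] "GET /docs HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Jun/2023:10:01:30 +0000] "GET /contact HTTP/1.1" 200 768 "-" "Mozilla/5.0"
EOF
}

# Stand-alone demo: report any IP with more than 3 requests in one minute
log=$(mktemp)
write_sample_log "$log"
flood_sources "$log" 3
rm -f "$log"
```

With the threshold at 3, only 203.0.113.7 is reported; 198.51.100.20 made four requests in total but never more than two in one minute, which is the point of bucketing by time rather than counting over the whole file. On a live server the call is `flood_sources /var/log/httpd/access_log 300` (path and threshold assumed), and the output is what a monitoring job would feed into an alert or a firewall rule.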