

Discover more from hrbrmstr's Daily Drop
MarkWhen
It's not often that I come across a new toy that has pretty much all the features I want present and accounted for with no need for some extra hacking. MarkWhen [GH], by self-described "technologist" Rob Koch, ticks all the boxes for me when it comes to producing a functional timeline of events without the need to click in a GUI.
The section header image is a timeline of the LAPSUS$ breach (earlier this year) of Okta. You can see it in action (and interact with it) over at MarkWhen.
Incident response folk often have to keep a log of events and eventually produce a timeline to provide to management and/or the victim. Someone leaked the Okta timeline on Twitter (I have feels about the ethics of that, which I won't go into here, but there’s a reason I’m not giving them clicks and 👀). Other professions have different timeline needs, but at some point you will likely need or want to make a timeline, and I suspect you'll like the MarkWhen experience.
Rob abused Markdown to come up with an easy way to specify what you want. Here's the first part of the Okta timeline Markdown (the rest is available at the link, above):
```
title: Okta Breach Timeline
#InitialCompromise: #4e79a7
#EscalatePrivileges: #f28e2b
#MaintainPresence: #e15759
#MoveLaterally: #76b7b2
#InternalRecon: #59a14f
#EstablishFoothold: #edc948
#CompleteMission: #b07aa1
2022-01-16T00:33:23Z-2022-01-19T19:19:47Z:First logon event from [SYSTEM NAME REDACTED]. Logon to [SYSTEM NAME REDACTED] from [SYSTEM NAME REDACTED] (10.112.137.64)
#InitialCompromise
```
It is somewhat self-documenting, and the GitHub README does a fine job 'splainin the syntax, so I'll treat you like the clever reader you are and avoid expository on that front.
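For responders who already keep a structured event log, here is an added sketch (not code from the original post or from the MarkWhen project) that renders log records into the timeline text shown in the excerpt. The function names, the record layout and the sample events are assumptions made for illustration, as is writing a single-timestamp entry as `timestamp:description`; the tag palette and the first sample entry are copied from the excerpt.

```python
from datetime import datetime, timedelta, timezone

# Tag palette copied from the timeline excerpt above.
PHASES = {
    "InitialCompromise": "#4e79a7", "EscalatePrivileges": "#f28e2b",
    "MaintainPresence": "#e15759", "MoveLaterally": "#76b7b2",
    "InternalRecon": "#59a14f", "EstablishFoothold": "#edc948",
    "CompleteMission": "#b07aa1",
}

def iso_z(ts):
    """Render an aware datetime as UTC with a 'Z' suffix, as in the excerpt."""
    if ts.tzinfo is None:
        raise ValueError("naive timestamp: the IR log must record a time zone")
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def to_markwhen(title, events):
    """events: iterable of (start, end_or_None, description, phase_tag)."""
    lines = [f"title: {title}"]
    lines += [f"#{name}: {color}" for name, color in PHASES.items()]
    # Sorting on the normalised UTC string also rejects naive timestamps early.
    for start, end, desc, phase in sorted(events, key=lambda e: iso_z(e[0])):
        if phase not in PHASES:
            raise ValueError(f"unknown phase tag: {phase}")
        if end is not None and end < start:
            raise ValueError(f"event ends before it starts: {desc!r}")
        when = iso_z(start) if end is None else f"{iso_z(start)}-{iso_z(end)}"
        # Collapse whitespace so a pasted multi-line note stays one entry.
        lines.append(f"{when}:{' '.join(desc.split())}")
        lines.append(f"#{phase}")
    return "\n".join(lines) + "\n"

UTC = timezone.utc
EST = timezone(timedelta(hours=-5))
SAMPLE_EVENTS = [
    # Constructed entry, logged in local time by a hypothetical analyst.
    (datetime(2022, 1, 20, 13, 5, 0, tzinfo=EST), None,
     "constructed analyst note\nspanning two lines", "InternalRecon"),
    # First entry of the excerpt above (description shortened).
    (datetime(2022, 1, 16, 0, 33, 23, tzinfo=UTC),
     datetime(2022, 1, 19, 19, 19, 47, tzinfo=UTC),
     "First logon event from [SYSTEM NAME REDACTED].", "InitialCompromise"),
]

if __name__ == "__main__":
    print(to_markwhen("Example timeline (constructed)", SAMPLE_EVENTS), end="")
```

Normalising every timestamp to UTC before sorting keeps entries from analysts in different time zones in true chronological order, and rejecting unknown tags catches phase-name typos before the timeline reaches management.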
MarkWhen supports adding images, incorporating location data, grouping timeline steps together, saving created timelines locally (PDF/PNG), and sharing timelines (but you know that, too, as I linked to mine above).
Rob also does one thing that I truly hope catches on. I'll let him explain it:
This repository is downstream of the main repository that the live website uses. The main, upstream repository is available to sponsors and is ~100 commits (4-6 weeks) ahead of this repository.
Issues opened in this repo can either be bugs with this repository or the live website. Please continue to open issues! They are the largest factor for determining what to work on next.
Some features in the upstream repo not yet in this repo:
Views (map & doc)
Importing and exporting markwhen files
Better mobile experience
Style changes
Causal dates and times (months via words like `January` or `Dec`; times like `8:30am`)
You do not have to be a sponsor to use these features - they are all already on markwhen.com! However, if you want prioritized bugs or want a fork that is more up to date then you can sponsor my work, and there would be much rejoicing on my part.
And even if you don't want your own more up-to-date fork but you use markwhen.com for work, please consider having your work be a sponsor!
You can use the finished/current product for free, clone a repo that is only (in the grand scheme) slightly out of date with the production version, and you have an opportunity to show the value of Rob's work by sponsoring if you want access to the main repository. Now, $100 USD/month is a tad steep if you're an individual, but there's nothing stopping you from hacking on the complete version to make your own changes (note the AGPL license, tho).
Making good software takes time. It's one reason I try to support indie macOS developers by buying their software. As we’ve seen over recent years, lack of corporate support for open-source software — especially for ubiquitous components such as `log4j` — is more problematic than one might have imagined.
I have less need of this tool than I did in my previous gig, but I suspect this won't be the last time I use this tool. If I end up using MarkWhen more than I believe I will be, I’ll gladly drop $60/year to ensure it continues to be available and maintained.
netop
A Rust-based responsive TUI (terminal user interface) for monitoring network traffic based on Berkeley Packet Filter (BPF) syntax rules, you say?
Count me in!
At the end of May, GitHub user ZingerLittleBee launched netop into the wild, and we are all better humans for said event.
The banner image shows a capture of port 443 (generally HTTPS traffic) from this morning as I tidied up this post. It's pretty straightforward to get this running. Clone the repo. Hit up `cargo build`, and then use `sudo` to execute the binary (as it rightfully needs permissions to snoop on you). Press `e` to input one or more bpf rules, and use the ← or ⇾ to switch between different rules. The repo has more build help for those on lesser platforms.
The app is based on another crate from the same GH user which houses the network statistics capturing components, and two excellent crates used in many (many) Rust TUI apps: crossterm and tui.
If you've been itching to get into either accessing live network data with Rust or wanted a decent example of a TUI app to use as a model for your own, def give netop a go. If bpf rules seem like arcane magic incantations, drop me a public note in the comments or a private note elsewhere and I’ll take a future newsletter section to dive into them a bit.
The Connected Abode: Part 1
I warned you, yesterday, that I'd be dropping some home automation info on you over the coming newsletters (likely not in each one, though).
Before I do that, we need to get y'all grounded in some terminology, so I kinda need you to read this glossary of terms (from the Thread folks, but it includes way more than just Thread), and I think this Forbes article (apologies for a link to a Forbes article, but this one isn’t bad) will also help ground you for the coming discussions of arcanely named terminology.
FIN
🚨 PSA: If you own and use one of these routers, please buy a new one from a far more reputable vendor than Cisco (the Cisco product folks kind of obviously care little for your safety) and recycle your old one. ☮
2022-06-21.01
Plus one to a mini dive in to bpf rules! Loving the newsletter by the way. Nice to read a variety of interesting stuff and be able to stay off Twitter!