references

Remember: If you’re not paying for it, you’re the product.
and “Things can be different…”

“However the future unfolds, it’s not something to be predicted, like the passage of a comet. It’s something we build.” by Robert Kunzig - behind a National Geographic paywall
“What matters most, is what people, human people, we, do. not what other people do…” Timothy Holborn
“The fact that there are pressures and costs does not absolve people of their moral responsibility. The primary custodian of one’s actions is oneself.” Noam Chomsky Tue, 3 Apr 2018 - quoted by Timothy Holborn
“A lie is a fiction made up to take away someone else’s power.” Elizabeth Mitchell, Guernica Magazine. Essay/Lit World/Politics, January 15, 2021
Core Values Matter: Guiding principles shape our lives – don’t drift, choose your priorities

This is a collection of reusable references. Hosted at: https://mccright.github.io/references/

Putin’s war:

Don’t ignore it. See: Wikipedia: Russo-Ukrainian War. And resist/confront Trump 47’s shameful early efforts to strengthen ties with Putin by making material concessions before any negotiations about ending Putin’s war with Ukraine.

Trump’s Indictments:

Don’t ignore them. See: Wikipedia: Indictments against Donald Trump. Update March 2025: The combination of Trump’s election to the U.S. Presidency and his “total immunity” gift from the U.S. Supreme Court any judicial activity on this front seems unlikely and he will be free from all pending criminal prosecutions. Adults can still acknowledge his 34 felony convictions and consider Trump’s past and ongoing behaviors in the context of more than 200 years of executive branch norms and his activities to disassemble/eliminate administrative and security functions across the Federal government, along with his ignoring Court orders – his likely criminality is an extreme outlier. Ugg…

Back to the References

Try the genuine ChatGPT here: https://chat.openai.com/chat (there are look-alike scams). It is impressive technology. When used with sensitivity and care it can materially enhance productivity in many roles. ChatGPT can be unavailable during peak hours.
Flex your perceptions and imagination with the Astronomy Photo of the Day https://apod.nasa.gov/apod/astropix.html (if you have just a minute right now, I recommend this Euclid photo of the Perseus Galaxy Cluster having a 1000+ galaxies in the foreground about 250 million light years away plus more than 100,000 galaxies in the background, and review an explanation of what you are looking at) or see what is new from the James Webb Space Telescope https://webbtelescope.org/news/news-releases [or their Flicker collection] or read at length from NASA’s ebook collection https://www.nasa.gov/connect/ebooks/index.html or explore the Apollo Lunar Surface Journal [high-tech from a different age] https://www.hq.nasa.gov/alsj/main.html
Flex your perceptions and imagination with a real-time visualization of global marine shipping https://www.marinetraffic.com/en/ais/home/centerx:80.5/centery:8.7/zoom:3
Here is the “NASA JPL Asteroid Watch –> The Next Five Asteroid Approaches” https://www.jpl.nasa.gov/asteroid-watch/next-five-approaches to help fuel your “it’s always something…” catastrophe habit
Begin [or continue] to work individually and collectively to slow climate change. Little of what we do is relevant in a world destablized by climate change.
- We need to act on many, many fronts, but there are some offenders that deserve special attention. For example, please Treat Big Oil and Big Ag Like Big Tobacco
- I have begun to accumulate links to some of my climate reading (and planned reading) in another repository https://github.com/mccright/rand-notes/blob/master/Climate-Resources.md
- As an easy-to-understand illustration of climate change see the USDA Plant Hardiness Zone Map. Look at these maps from previous decades to see warmer winters creep north.
Find something new/different to read with Libby, the library reading app, you can use to borrow ebooks, audiobooks, magazines, and more from your local library for free. Libby is the newer library reading app by OverDrive. See: https://www.overdrive.com/apps/libby or take a more commercial route through https://books.google.com/
Explore these falsehoods (too many) programmers believe in (which too often produce errors at runtime) – Awesome Falsehood https://github.com/kdeldycke/awesome-falsehood
Or, if you are needing a break from your normal grind, join others doing people-powered research https://www.zooniverse.org/projects?page=1&status=live
Writing well is difficult. The Strunkifier may help [think ‘Strunk and White’ from school written in PHP with a web front end]http://vinoisnotouzo.com/strunkifier/ and the source at https://github.com/BSVino/Strunkifier/blob/master/strunkify.php
Remember the Ten simple rules for making research software more robust https://journals.plos.org/ploscompbiol/article?id=10.1371/journal.pcbi.1005412
If you work in a corporate environment, ensure it is supporting open source:
- “Why have an open source program office?.” RedHat Brief, Last Updated: 4 February 2021 https://www.redhat.com/en/resources/open-source-program-office-brief
- “What does an open source program office do?” By Brian Proffitt, 19 December 2019 https://www.redhat.com/en/blog/what-does-open-source-program-office-do
- “Creating an Open Source Program.” By Chris Aniszczyk, COO, Cloud Native Computing Foundation; Jeff McAffer, Director, Open Source Programs Office, Microsoft; Will Norris, Open Source Office Manager, Google; and Andrew Spyker, Container Cloud Manager, Netflix. https://www.linuxfoundation.org/tools/creating-an-open-source-program/
- “Open source best practices for the enterprise.” (A collection of 12 best practices guides for running an open source program office or starting an open source project in your organization. Developed by The Linux Foundation in partnership with the TODO Group, these resources represent the experience of our [Linux Foundation] staff, projects, and members.) https://www.linuxfoundation.org/resources/open-source-guides/
- “A guide to setting up your Open Source Program Office (OSPO) for success – Learn how to best grow and maintain your open source communities and allies.” By J. Manrique Lopez de la Fuente, 08 May 2020 https://opensource.com/article/20/5/open-source-program-office
- “Software Licenses in Plain English – Lookup popular software licenses summarized at-a-glance.” https://tldrlegal.com/
Finally, pay attention to where you invest your attention. A recent essay by Ezra Klein exploring how technology choices influence how/what we learn and behave is worth a careful read: https://www.nytimes.com/2022/08/07/opinion/media-message-twitter-instagram.html.

A recent study linked higher levels of phubbing to [partner] dissatisfaction, and a 2022 study found it can lead to feelings of distrust and ostracism. One study found that those who phub a lot are more likely to be phubbed themselves, creating a kind of ripple effect. https://www.nytimes.com/2023/07/27/well/family/phubbing-phone-snubbing-relationship.html
The time changed again… See how NIST explains daylight saving time

Cheat Sheets

First and foremost: a couple git cheat sheets

https://training.github.com/downloads/github-git-cheat-sheet.pdf
and TimGreen’s list of git & github features – with a table of resources and books at the bottom: https://github.com/tiimgreen/github-cheat-sheet maybe also
Michael Gieson’s git cheat cheet https://www.gieson.com/Library/cheatsheets/md.html?git
“The simple guide” http://rogerdudler.github.io/git-guide/ and
https://github.com/vineetpandey/github-cheat-sheet and page 2 of
http://www.git-tower.com/blog/git-cheat-sheet/ and documenation at http://git-scm.com/docs
Git Pocket Guide. By Richard E. Silverman https://www.oreilly.com/library/view/git-pocket-guide/9781449327507/
Monorepos can hide a lot of different problems. git-sizer can help. git-sizer computes various size metrics for a local Git repository, flagging those that might cause you problems or inconvenience.
Finally, git repos may contain sensitive files and the scale of their history can slow pipeline activities. In some use cases git-filter-repo can help.

Just get started…
git remote -v (view the full addresses of your configured remotes)
cd into your new project directory
git init (builds a .git directory that contains all the metadata and repository history)
git add . (instructs Git to begin tracking all files within and beneath the current directory)
git commit –m’This is the first commit’ (creates the permanent history of all files, with the -m option supplying a message alongside the history marker)

or install Joel Parker Henderson’s GitAlias and do the same more efficiently.

Rename your old github repo ‘master’ branch to ‘main’…

git branch -m master main
git fetch origin
git branch -u origin/main main
git remote set-head origin -a

Tell Me About

A github profile summary: https://profile-summary-for-github.com/user/githubUserName/ Thank you tipsy

Awesome-Awesome

A curated list of awesome lists: https://github.com/sindresorhus/awesome
A collection of awesome lists for hackers, pentesters & security researchers https://github.com/Hack-with-Github/Awesome-Hacking
A curated list of Terminal frameworks, plugins & resources for CLI lovers https://github.com/k4m4/terminals-are-sexy
Awesome TUIs – List of projects that provide terminal user interfaces https://github.com/rothgar/awesome-tuis

Browse

Sears catalog of Linux software – Awesome Linux Software https://github.com/luongvo209/Awesome-Linux-Software

and if you need a little Linux help using it https://gto76.github.io/linux-cheatsheet/ and https://github.com/gto76/linux-cheatsheet

Manage Your Privacy

Daniel Roesler’s excellent Privacy Checklist: https://github.com/diafygi/privacy-checklist
W3C Data Privacy Vocabularies and Controls CG (DPVCG) https://www.w3.org/community/dpvcg/
11 tips for protecting your privacy… by Olivia Martin https://freedom.press/training/blog/11-tips-protecting-your-privacy-and-digital-security-age-trump/
Your IP address is sometimes your identity https://myexternalip.com/

Software Vulnerability Detection Resources

Is the target already beyond its end of life / End-of-life (EOL/EoL)? https://endoflife.date/ or https://github.com/endoflife-date/endoflife.date
DevSecOps tool lists https://github.com/hahwul/DevSecOps
U.S. National Checklist Program http://checklists.nist.gov and https://web.nvd.nist.gov/view/ncp/repository
Security Content Automation Protocol (SCAP)
- Nist Overview: http://csrc.nist.gov/groups/SMA/forum/documents/august2015/forum-august2015-booth.pdf
- SCAP Home: http://scap.nist.gov/
State-of-the-Art Resources (SOAR) for Software Vulnerability Detection, Test, and Evaluation https://apps.dtic.mil/sti/pdfs/AD1106086.pdf
State-of-the-Art Resources (SOAR) for Software Assurance http://people.cs.ksu.edu/~hatcliff/890-High-Assurance/Reading/IATAC-SOAR-Software-Security-Assurance.pdf
Common Vulnerability Scoring System (CVSS) http://cve.mitre.org/ and https://nvd.nist.gov/cvss.cfm?calculator&adv&version=2
Vulnerability and exploit lists:
o https://www.cisa.gov/known-exploited-vulnerabilities-catalog
o http://cve.mitre.org/
o http://www.cvedetails.com/
o http://w.0day.today/
o http://www.securityfocus.com/bid/
o https://www.exploit-db.com/
o https://nvd.nist.gov/
o https://github.com/vulsio (json files)
Library for interacting with Synack API https://github.com/abdilahrf/synackAPI
CyberSecurityMalaysia, 3rd Party Information Security Assessment Guideline https://www.cybersecurity.my/data/content_files/11/650.pdf
Fortify Taxonomy of Secure Software Errors. https://vulncat.fortify.com/en
Or host your own list to keep your research more private:
o A free and open vulnerabilities database and the packages they impact. And the tools to aggregate and correlate these vulnerabilities. https://github.com/nexB/vulnerablecode
o Vulnerabilities and Attacks https://github.com/hannob/vulns
o The CVE-Search Project https://www.cve-search.org/software/, and cve-search - a tool to perform local searches for known vulnerabilities https://github.com/cve-search/cve-search
Scripts to help run Fortify – and other code assessment tools – in your Amazon cloud https://github.com/awslabs/one-line-scan/
There are situations where you may be given a repository without any accompanying information… What is in the repo?? crazymax assembled a Docker image – crazymax/docker-linguist – that runs GitHub Linguist, a library used on GitHub.com to detect blob languages. You can use is to easily, quickly and reasonable accurately identify what languages are used in a given local repository. Here are some examples of it in use: https://github.com/mccright/FortifyStuff/blob/master/Developer-Access-to-Static-Analysis-Data.md#what-languages-are-in-a-given-target-repository
Vulns: Vulnerability scanner for Linux/FreeBSD, agent-less, written in Go. https://github.com/future-architect/vuls
This is tool to build a local copy of the CPE (Common Platform Enumeration) https://github.com/vulsio/go-cpe-dictionary
boofuzz: Network Protocol Fuzzing for Humans (Boofuzz is a fork of and the successor to the venerable Sulley fuzzing framework.) https://github.com/jtpereyda/boofuzz

Architecture Risk Analysis

BSIMM Definitions of Architecture Risk Analysis - Builds an ARA definition by describing a set of increasingly mature risk analysis practices: https://www.bsimm.com/framework/software-security-development-lifecycle/architecture-analysis/
U.S. CERT Definition & Best Practices Document on Architecture Risk Analysis: https://www.us-cert.gov/bsi/articles/best-practices/architectural-risk-analysis/architectural-risk-analysis
Lecture 28: Threat Modeling, or Architectural Risk Analysis - Coursera-hosted lecture on this topic by Michael Hicks, University of Maryland, College Park: https://www.coursera.org/learn/software-security/lecture/bQAoU/threat-modeling-or-architectural-risk-analysis
“A Non-Trivial Task of Introducing Architecture Risk Analysis into Software Development Process.” OWASP EU presentation by Denis Pilipchuk, Global Product Security, Oracle: http://2014.appsec.eu/wp-content/uploads/2014/07/Denis.Pilipchuk-A-non-trivial-task-of-Introducing-Architecture-Risk-Analysis-into-the-Software-Development-Process.pdf
Mitre Att&ck Enterprise threat list https://mitre.github.io/attack-navigator/enterprise/
“ATT&CK® is a catalog of techniques and tactics that describe post-compromise adversary behavior on typical enterprise IT environments. The core use cases involve using the catalog to analyze, triage, compare, describe, relate, and share post-compromise adversary behavior.”
Mitre D3FEND™ technical knowledge base of defensive countermeasures for common offensive techniques that is complementary to MITRE’s ATT&CK, a knowledge base of cyber adversary behavior. D3FEND complements Mitre Att&ck by establishing a terminology of computer network defensive techniques and illuminating previously-unspecified relationships between defensive and offensive methods. https://d3fend.mitre.org/
Related works:
- MITRE ATT&CK® Matrix for Enterprise – with specialized versions for the following platforms: Windows, macOS, Linux, PRE, Azure AD, Office 365, Google Workspace, SaaS, IaaS, Network, Containers https://attack.mitre.org/matrices/enterprise/
- MITRE ATT&CK® Matrix for Mobile – with specialized versions for the following platforms: Android and iOS https://attack.mitre.org/matrices/mobile/
- NIST 800-53 Controls to ATT&CK Mappings https://ctid.mitre-engenuity.org/our-work/nist-800-53-control-mappings/
- Mitre ATT&CK® for Industrial Control Systems threat list https://collaborate.mitre.org/attackics/index.php/Main_Page “ATT&CK for ICS is a knowledge base useful for describing the actions an adversary may take while operating within an ICS network. The knowledge base can be used to better characterize and describe post-compromise adversary behavior.”
- MITRE ATT&CK® and CAPEC™ datasets expressed in STIX 2.0 https://github.com/mitre/cti
- Github organization for MITRE ATT&CK https://github.com/mitre-attack
- Atomic Red Team™ is a library of tests mapped to the MITRE ATT&CK® framework. Its mission is to help security teams quickly, portably, and reproducibly test their environments https://github.com/redcanaryco/atomic-red-team
- infosecn1nja’s Awesome Mitre ATT&CK™ Framework https://github.com/infosecn1nja/awesome-mitre-attack
The Common Attack Pattern Enumeration and Classification dictionary and classification taxonomy (CAPEC):
Understanding how the adversary operates is essential to effective cyber security. CAPEC™ helps by providing a comprehensive dictionary of known patterns of attacks employed by adversaries to exploit known weaknesses in cyber-enabled capabilities. It can be used by analysts, developers, testers, and educators to advance community understanding and enhance defenses.
- Focuses on application security
- Enumerates exploits against vulnerable systems
- Includes social engineering / supply chain
- Associated with Common Weakness Enumeration (CWE)
  http://capec.mitre.org/data/
Example Attack Taxonomy from CAPEC http://capec.mitre.org/data/definitions/2000.html
“The Universal Cloud Threat Model” https://securosis.com/research/papers/the-universal-cloud-threat-model-for-cloud-native-security/?utm_source=tldrinfosec
“The STRIDE Threat Model.” http://msdn.microsoft.com/en-US/library/ee823878(v=cs.20).aspx
“Improving Web Application Security: Chapter 3, Threat Modeling – Threats and Countermeasures.” http://msdn.microsoft.com/en-us/library/ff648644.aspx (In depth review of STRIDE and DREAD.)
NIST’s SP 800-160 Vol. 1 Rev. 1 (2022) “Engineering Trustworthy Secure Systems.” With special attention to the 30 security principles in “Appendix E. Principles for Trustworthy Secure Design.” https://csrc.nist.gov/publications/detail/sp/800-160/vol-1-rev-1/final
“How To: Create a Threat Model for a Web Application at Design Time.” http://msdn.microsoft.com/en-us/library/ms978527.aspx
“Walkthrough: Creating a Threat Model for a Web Application.” http://msdn.microsoft.com/en-us/library/ms978538.aspx
“Application Threat Modeling (OWASP)” https://www.owasp.org/index.php/Application_Threat_Modeling
“Threat Modeling Cheat Sheet (OWASP)” https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Threat_Modeling_Cheat_Sheet.md
“OWASP Risk Rating Methodology” https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology
“A Complete Guide to the Common Vulnerability Scoring System Version 3.1” https://www.first.org/cvss/v3-1/cvss-v31-specification_r1.pdf
The System Design Primer https://github.com/donnemartin/system-design-primer
Use Cases and Requirements on HTTPS-enabled Local Network Servers https://httpslocal.github.io/usecases/, https://www.w3.org/community/httpslocal/ and https://github.com/httpslocal/proposals/tree/master
I have no direct association with Tesla or Tesla engineering efforts, but based on my reading of general news and narrow analysis of descriptions of Tesla’s auto-driving and its AI it seems like a material failure of their Architecture Risk Analysis practices. See: “Tesla Self-Driving Deaths.” The linked map indicates registered deaths associated with Tesla’s self-driving software since 2016 in the United States. The information contains fatalities recorded by NHTSA’s Standing General Order on Crash Reporting for Level 2 ADAS-equipped vehicles since its inception in June 2021, and confirmed self-driving deaths pre-dating NHTSA’s database of crash statistics: https://dawnproject.com/nhtsa-map-1/. If crash and death numbers are not convincing, you might look at some videos by The Dawn Project of Tesla’s Full Self-Driving AI: https://vimeo.com/988491613/fcfcdf7190 (Blow past stopped school buses), https://vimeo.com/942153183/9b3848b364 (Run down children crossing the road) or https://vimeo.com/843429267/bc871414fd (Blow through stop signs).

Web Application Vulnerability Analysis and Pen Testing

The Secure ur Ass By Learning Cybersecurity repository SUASS. It describes itself as “a comprehensive resource for cybersecurity professionals, students, beginners, and anyone interested in the field of cybersecurity. Here, you’ll find a wide range of cybersecurity study materials to help you enhance your knowledge and skills.” https://github.com/GTekSD/SUASS
List of awesome penetration testing resources, tools and other shiny things https://github.com/enaqx/awesome-pentest
Awesome collection of hacking tools https://github.com/jekil/awesome-hacking
Tooling is great, but understanding how software systems fail is a critical capability as well. See “Be Suspicious of Success, Successful software is buggy software” for some input about what to think about when “testing.”
Kitsec, a toolkit CLI to help simplify and centralize your risk eval. workflow https://github.com/kitsec-labs/kitsec-core
Osmedeus - a Workflow Engine for Offensive Security. It was designed to build a foundation with the capability and flexibility that allows you to build your own reconnaissance system and run it on a large number of targets. https://github.com/j3ssie/osmedeus
Mantis - command-line framework designed to automate the workflow of asset discovery, reconnaissance, and scanning https://github.com/PhonePe/mantis
“All in One Hacking tool For Hackers” https://github.com/Z4nzu/hackingtool
Arsenal - an inventory, reminder and launcher to simplify the use of all the hard-to-remember pentest commands https://github.com/Orange-Cyberdefense/arsenal
Red Teaming Toolkit https://github.com/infosecn1nja/Red-Teaming-Toolkit
Red Team Scripts https://github.com/infosecn1nja/red-team-scripts
bugcrowd / methodology-taxonomy https://github.com/bugcrowd/methodology-taxonomy
Bugcrowd Vulnerability Rating Taxonomy (VRT) https://bugcrowd.com/vulnerability-rating-taxonomy and https://github.com/bugcrowd/vulnerability-rating-taxonomy
“A collection of tools used by Web hackers” https://github.com/hahwul/WebHackersWeapons
six2dez pentest-book https://pentestbook.six2dez.com/ and the source at https://github.com/six2dez/pentest-book
If you are creative and persistent, you will accumulate valuable passwords and tokens. Keep them safe from abuse. Assuming that need support for Linux, Windows, or Mac, you might consider using KeePassXC on an encrypted+password protected USB drive. See the recent code review report by Zaur Molotnikov to help evaluate the risks.
Sometimes you will need to share secrets. https://scrt.link/ with a link that only works one time and then self-destructs. It is imperfect, but likely good-enough for many use cases.
Penetration Testing Checklist https://github.com/infinite-omicron/pentesting-checklist and its companion Pentesting Guide https://github.com/infinite-omicron/pentesting-guide/
Automated NoSQL database enumeration and web application exploitation tool https://github.com/codingo/NoSQLMap
An eccentric collection of links to pen testing resources https://github.com/blaCCkHatHacEEkr/PENTESTING-BIBLE
The Open Penetration Testing Bookmarks Collection https://github.com/Oweoqi/pentest-bookmarks/blob/master/BookmarksList.md
Collection of pentest resources https://github.com/1N3/
Active Directory Attack Cheat Sheet https://medium.com/@dw3113r/active-directory-attack-cheat-sheet-ea9e9744028d or formatted better at https://dw3113r.com/2022/07/20/active-directory-attack-cheat-sheet/
Active Directory Cheatsheet: https://github.com/OriolOriolOriol/Active-Directory-Cheat-Sheet
Active Directory Kill Chain Attack & Defense https://github.com/infosecn1nja/AD-Attack-Defense
OWASP Web Application Security Testing Cheatsheet https://www.owasp.org/index.php/Web_Application_Security_Testing_Cheat_Sheet
ngrok: ngrok is a globally distributed reverse proxy fronting your web services running on a given endpoint, or in any cloud or private network. Paid ngrok has additional features that support its promotion as “the programmable network edge that adds connectivity, security, and observability to your apps with no code changes.” Pay attention to the details of every request. The free version may not be suitable for your business, your local environment, or your regulators/investors/customers. https://ngrok.com
Weird Proxies: a cheat sheet about behaviour of various reverse proxies, cache proxies, load balancers, etc. https://github.com/GrrrDog/weird_proxies
Fetch a list of currently-working proxies https://github.com/stamparm/fetch-some-proxies
Collection of security tool cheat sheets https://github.com/gnebbia/cheatsheets/tree/master/sectool
OWASP based Web Application Security Testing Checklist as an Excel Workbook https://github.com/tanprathan/OWASP-Testing-Checklist
Web Application Security Guide/Checklist. https://en.wikibooks.org/wiki/Web_Application_Security_Guide/Checklist
Awesome WAF https://github.com/0xInfection/Awesome-WAF
identYwaf is a WAF protection type identification tool using loud techniques https://github.com/stamparm/identYwaf
Open Source Security Testing Methodology Manual (OSSTMM) http://www.isecom.org/research/osstmm.html
Session Hijacking Cheat Sheet http://resources.infosecinstitute.com/session-hijacking-cheat-sheet/
SecLists is the security tester’s companion. It is a collection of multiple types of lists used during security assessments. List types include usernames, passwords, URLs, sensitive data grep strings, fuzzing payloads, and many more. https://github.com/danielmiessler/SecLists
Pen testing payloads with supporting resources (this could/should be named ‘awsome-payloads’!) https://github.com/swisskyrepo/PayloadsAllTheThings and, easier to navigate https://swisskyrepo.github.io/PayloadsAllTheThings/
Penetration Testers Framework (PTF) https://github.com/trustedsec/ptf
Social-Engineer Toolkit (SET) https://github.com/trustedsec/social-engineer-toolkit
A Python based web application scanner - BlackWidow - with Docker help https://github.com/1N3/BlackWidow
Sn1per - Automated pentest framework for offensive security experts https://github.com/1N3/Sn1per
Arachni Web Application Security Scanner Framework {Ruby centric} http://www.arachni-scanner.com/
Sn1per is an automated scanner {php} to enumerate and scan for vulnerabilities https://github.com/1N3/Sn1per
WhatWeb - Next generation web scanner https://github.com/urbanadventurer/WhatWeb
Cloudflare’s in-house lightweight network vulnerability scanner https://blog.cloudflare.com/introducing-flan-scan/ and https://github.com/cloudflare/flan
OWASP-Nettacker - Automated Penetration Testing Framework https://github.com/zdresearch/OWASP-Nettacker
Jaeles - An extensible framework written in Go for building your own Web Application Scanner. https://github.com/jaeles-project/jaeles
Some starter scripts to (help) set up a clean Windows 10 endpoint: https://github.com/Hecsall/clean-windows
windows-privesc-check - Security Auditing Tool For Windows https://code.google.com/archive/p/windows-privesc-check/source/default/source and https://github.com/1N3/PrivEsc/blob/master/windows/windows-privesc-check/windows-privesc-check.py
http://securitywing.com/63-web-application-security-checklist-auditors-developers/ (very high level)
Website fingerprint script https://github.com/bgiarrizzo/website-fingerprint
Awesome Mainframe Hacking/Pentesting Resources.https://github.com/samanL33T/Awesome-Mainframe-Hacking/
Excellent list of open source tools for AWS security: defensive, offensive, auditing, DFIR, etc. https://github.com/toniblyx/my-arsenal-of-aws-security-tools
Audit and secure your AWS environment(s): YATAS “is a simple and easy to use tool to audit your infrastructure for misconfiguration or potential security issues.” …“The goal of YATAS is to help you create a secure AWS environment without too much hassle.” https://github.com/padok-team/yatas and https://www.primates.dev/aws-security-misconfiguration-audit-in-30-seconds/
AWS is a gigantic ecosystem. There may be opportunities that you are not yet aware of: https://github.com/donnemartin/awesome-aws
CloudGoat, Rhino Security Labs’ “Vulnerable by Design” AWS deployment tool. https://github.com/RhinoSecurityLabs/cloudgoat
Offensive security testing of your AWS environment https://github.com/RhinoSecurityLabs/pacu
Offensive security testing of your CMS - CMS Detection and Exploitation suite - Scan WordPress, Joomla, Drupal and over 170 other CMSs https://github.com/Tuhinshubhra/CMSeeK
Tool-X - a kali linux tool installer for Android Termux https://github.com/rajkumardusad/Tool-X
An interesting study script intended to automate your reconnaissance work https://github.com/0blio/lazyrecon
Abbreviated vulnerability assessment/recon https://github.com/jivoi/pentest
‘domain-scan’ A lightweight scan pipeline for orchestrating third party tools, at scale and (optionally) using serverless infrastructure https://github.com/18F/domain-scan
Offensive Web Testing Framework (OWTF), is a framework https://github.com/owtf/owtf
Offensive Web Application Penetration Testing Framework https://github.com/0xInfection/TIDoS-Framework
Metabigor - An Intelligence tool to do OSINT tasks and more but without any API keys. https://github.com/j3ssie/metabigor
ReconFTW automates some reconnaisance activities. https://github.com/six2dez/reconftw
Reconnoitre: A reconnaissance tool made for the OSCP labs to automate information gathering and service enumeration whilst creating a directory structure to store results, findings and exploits used for each host, recommended commands to execute and directory structures for storing loot and flags. https://github.com/codingo/Reconnoitre
Jenkins Pentesting https://github.com/gquere/pwn_jenkins
Cross Site Request Forgery (CSRF) Audit and Exploitation Toolkit https://github.com/0xInfection/XSRFProbe
Cross Site Scripting detection suite https://github.com/s0md3v/XSStrike
Web Application Firewall Fingerprinting Tool https://github.com/EnableSecurity/wafw00f
Know your network – The Ultimate PCAP https://weberblog.net/the-ultimate-pcap/
BurpSuite
OWASP Zap
HUNT Suite is a collection of Burp Suite Pro/Free and OWASP ZAP extensions https://github.com/bugcrowd/HUNT
Deploy a private Burp Collaborator Server in Azure. By Javier Olmedo, Jun 17, 2019 https://medium.com/bugbountywriteup/deploy-a-private-burp-collaborator-server-in-azure-f0d932ae1d70
and Chrome’s internal URLs for problem solving chrome://chrome-urls/
DNS research https://github.com/ogham/dog
- Some domains might be outside your intended target list? See the official, full list of registered domains in the .gov zone. The US Government’s executive, legislative, and judicial branches are represented, as are US-based state, territory, tribal, city, and county governments: https://github.com/cisagov/dotgov-data
- There may be some additional useful information you might extract from the target’s DNS records – see “You’re Closer Than You Think: The Only 6 DNS Concepts You Really Need.” that includes a “complete list of DNS Functionality and Descriptions” that might help you think it through.
HTTPie, a user-friendly command-line HTTP client for the API era https://httpie.io/
nmap tutorial https://github.com/gnebbia/nmap_tutorial
Using custom nmap port sets https://bsago.me/tech-notes/custom-nmap-port-sets
Scanners Box [also known as scanbox] is a sizable, categorized collection of scanners from across GitHub.com https://github.com/We5ter/Scanners-Box
Very simple Python-based recon https://github.com/naltun/eyes.py
Damn Small JS Scanner (DSJS) is a JavaScript library vulnerability scanner https://github.com/stamparm/DSJS
What might those PDF files be hiding? Here are some tools that can help you automate the answer(s):
- PyPDF
- PyPDF2
- PyMuPDF
- pdfminer.six
- pdfminer
- pdfplumber
- camelot-py
- tabula-py
Awk/gawk manual https://www.gnu.org/software/gawk/manual/gawk.pdf
Airbus security lab publications https://airbus-seclab.github.io/ and their tools at https://github.com/airbus-seclab/
Run your own VPN(s) https://github.com/trailofbits/algo
“8 Best VPNs in 2021: Tested All Apps, Speed, Security & More.” by Chase Williams September 01, 2021 https://www.wizcase.com/vpn-reviews/
Email address parser from website list https://github.com/skeitel/Python-Programs-and-Exercises-by-Javier-Marti/blob/master/email_parser_from_website_list.py
Detect secrets within a code base https://github.com/Yelp/detect-secrets
git-secrets – Prevents you from committing passwords and other sensitive information to a git repository https://github.com/awslabs/git-secrets
Python script to check HTTP security headers https://github.com/juerkkil/securityheaders
sslyze https://github.com/iSECPartners/sslyze
Sometimes it is important to carefully explore the content of given resources. Here is an excellent, comprehensive Unicode reference https://jrgraphix.net/research/unicode_blocks.php
OK. You found your way to a remote shell or access to arbitrary remote code execution – what next?
- In order to better understand your options, consider what kernel vulnerabilities are present on that target. An option for that is the shell script LES (Linux privilege escalation auditing tool), it is “designed to assist in detecting security deficiencies for a given Linux kernel/Linux-based machine.” https://github.com/The-Z-Labs/linux-exploit-suggester … Before you get too busy with that, you might use it on your own Linux platforms to see if you are vulnerable.
- If you land on a Windows platform: “WES-NG is a tool based on the output of Windows’ systeminfo utility which provides the list of vulnerabilities the OS is vulnerable to, including any exploits for these vulnerabilities. Every Windows OS between Windows XP and Windows 11, including their Windows Server counterparts, is supported.” https://github.com/bitsadmin/wesng
You will regularly need to know if something you started is finished, or get notified of an event you are waiting for. ntfy is a fantastic service that lets you send push notifications to your phone or desktop via scripts from any computer, using simple HTTP PUT or POST requests. I use it to notify myself when scripts fail, or long-running commands complete. https://ntfy.sh/
OWASP BLT bug logging tool https://github.com/OWASP-BLT/BLT

Pen testing Linux distros

ArchStrike (idle since 2021) https://archstrike.org
BackBox https://backbox.org/
Blackarch https://blackarch.org/ and https://github.com/BlackArch/blackarch
Caine Security https://www.caine-live.net
DemonLinux https://demonlinux.com/about.php
Fedora Security Lab https://labs.fedoraproject.org/en/security/
Kali https://www.kali.org/
Network Security Toolkit, NST http://www.networksecuritytoolkit.org/nst/index.html
Parrot Security OS https://www.parrotsec.org/
Shell Script to Convert Your Debian Into Parrot OS Pentesting Mach1ne https://github.com/blackhatethicalhacking/parrotfromdebian
Pentoo http://www.pentoo.ch/
mx-live-usb-maker https://github.com/MX-Linux/mx-live-usb-maker and https://github.com/MX-Linux/lum-qt-appimage/releases
and some Security-oriented Docker containers https://github.com/khast3x/Offensive-Dockerfiles
and a cloud-enabled approach to the same idea, RedCloud https://github.com/khast3x/Redcloud
and if you need a little Linux help https://gto76.github.io/linux-cheatsheet/ and https://github.com/gto76/linux-cheatsheet

BPF Tools

Explore your Live Linux Kernel Image - Berkeley Packet Filters & eBPF

BPF Compiler Collection (BCC) - Tools for BPF-based Linux IO analysis, networking, monitoring, and more https://github.com/iovisor/bcc

Online Scanners

yougetsignal http://www.yougetsignal.com/tools/open-ports/
- Reverse IP Domain Check https://www.yougetsignal.com/tools/web-sites-on-web-server/
- Network Location Check https://www.yougetsignal.com/tools/network-location/
viewdns [a range of dns tools] https://viewdns.info/
hackertarget https://hackertarget.com/nmap-online-port-scanner/
- Dump links from a page https://hackertarget.com/extract-links/
- And a range of related tools https://hackertarget.com/ip-tools/
ipfingerprints http://www.ipfingerprints.com/portscan.php
pingeu http://ping.eu/port-chk/
spiderip https://spiderip.com/online-port-scan.php
t1shopper http://www.t1shopper.com/tools/port-scan/
- Whois Ping Port Scanner NSlookup & Traceroute @ t1shopper http://www.t1shopper.com/tools/
standingtech https://portscanner.standingtech.com/
- Convert IP Address to Binary, Hexadecimal, Octal, and Long Integer https://ipaddress.standingtech.com/online-ip-address-converter
Or use a Python-based command-line utility for using websites that can perform port scans on your behalf https://github.com/vesche/scanless

General Secure Programming

Fortify Taxonomy of Secure Software Errors. https://vulncat.fortify.com/en
Awesome App-Sec. A curated list of resources for learning about application security. https://github.com/paragonie/awesome-appsec
Static analysis tools for all programming languages https://github.com/analysis-tools-dev/static-analysis
Awesome Static Analysis - a collection of static analysis tools and code quality checkers. https://github.com/mre/awesome-static-analysis
Python Taint – pyt – A Static Analysis Tool for Detecting common Security Vulnerabilities in Python Web Applications https://github.com/python-security/pyt
Bandit – A security linter for detecting common security vulnerabilities in Python applications https://github.com/PyCQA/bandit
Clair is an open source project for the static analysis of vulnerabilities in application containers (currently including OCI and docker) https://github.com/quay/clair
Awesome CI {Continuation Integration}, Incl. tools for git, file and static source code security analysis - https://github.com/cytopia/awesome-ci
“Avoiding the Top 10 Security Flaws.” Design guidance by the IEEE Center for Secure Design (CSD), http://cybersecurity.ieee.org/center-for-secure-design/avoiding-the-top-10-security-flaws.html
The IEEE Computer Society Center for Secure Design. http://cybersecurity.ieee.org/center-for-secure-design.html
The OWASP Application Security Verification Standard (ASVS) Project attempts to provide a basis for testing web application technical security controls. https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
OWASP Cheat Sheet Series – a collection of high value information on specific web application security topics https://www.owasp.org/index.php/Cheat_Sheets and https://cheatsheetseries.owasp.org/
- Or if just getting the code to work first is your issue: https://github.com/Neklaustares-tPtwP/Resources/tree/main/Cheat%20Sheets
Collection of OWASP Web Application Security Testing Cheat Sheets https://www.owasp.org/index.php/Web_Application_Security_Testing_Cheat_Sheet
Web Application Security Guide/Checklist https://en.wikibooks.org/wiki/Web_Application_Security_Guide/Checklist
CSRN Security Checklist for Software Developers https://security.web.cern.ch/security/recommendations/en/checklist_for_coders.shtml
Web Application Security Guide https://en.wikibooks.org/wiki/Web_Application_Security_Guide
DISA Information Assurance Support Environment https://public.cyber.mil/
Security Technical Implementation Guides (STIGs) https://public.cyber.mil/stigs/
Application Security STIGs hhttps://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security
Application Security and Development Security Technical Implementation Guide, Version 5, Release 1 - 26 October 2020 https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_ASD_V5R1_STIG.zip
DoD Cloud Computing Security https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=cloud-security-stigs
IASE Application Security https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_ASD_V5R1_STIG.zip
Excellent STIG viewer https://www.stigviewer.com/stigs
Equally excellent Common Controls viewer https://www.unifiedcompliance.com/products/search-controls/
DOD Instruction 8500.2 Full Control List https://www.stigviewer.com/controls/8500
NIST 800-53 Controls Veiwer https://www.stigviewer.com/controls/800-53
Unified Compliance Hub for navigating the ever-evolving rats nest of public and private mandates https://www.unifiedcompliance.com/products/
http://www.cheatography.com/tag/programming/
PortSwigger’s Cross-site scripting (XSS) cheat sheet https://portswigger.net/web-security/cross-site-scripting/cheat-sheet
A small collection of XSS-Payloads https://github.com/terjanq/Tiny-XSS-Payloads
XSS-Payloads https://github.com/RenwaX23/XSS-Payloads
Awesome XSS https://github.com/s0md3v/AwesomeXSS
XSS Prevention Cheat Sheet from OWASP: [https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)Prevention_Cheat_Sheet](https://www.owasp.org/index.php/XSS(Cross_Site_Scripting)_Prevention_Cheat_Sheet)
Fortify Taxonomy of Secure Software Errors. https://vulncat.fortify.com/en
Java Deserialization Cheat Sheet https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet
The Offensive 360 Knowledge base https://knowledge-base.offensive360.com/
HTTP Status Codes on-line https://httpstatuses.com/
HTTP Status Codes local https://github.com/mychris/scripts/blob/master/httpstatus
IANA Hypertext Transfer Protocol (HTTP) Status Code Registry http://www.iana.org/assignments/http-status-codes/http-status-codes.xhtml
Sometimes it is just important to get started: “Hello world in every computer language.” https://github.com/leachim6/hello-world
And a ‘free’ temporary platform may also be important: “A list of SaaS, PaaS and IaaS offerings that have free tiers of interest to devops and infradev.” https://github.com/haneefmubarak/free-for-dev
Collection of the most common vulnerabilities found in iOS applications https://github.com/felixgr/secure-ios-app-dev
Application logging guidance https://github.com/mccright/references/blob/master/AppSec-Logging.md
AWS logging guidance https://betterdev.blog/aws-lambda-logging-best-practices/
One approach to logging in your shell scripts https://www.cubicrace.com/2016/03/efficient-logging-mechnism-in-shell.html
The TIOBE Index of programming language popularity https://www.tiobe.com/tiobe-index/
A collection of ready-to-deploy-in-AWS Serverless Framework services https://github.com/serverless/examples
An evolving “command-line tool allowing developers to find security vulnerabilities within a Java project.” It incorporates some static analysis (SAST) and some software composition analysis (SCA). https://github.com/xJonah/REPELSEC
A useful script to help manage Java installation and removal on your Linux host https://github.com/chrishantha/install-java
An edge case: Protecting your scripts - PowerShell, Visual Basic (VB), and C# code obfuscation – “A Beginner’s Guide to Obfuscation” https://github.com/BC-SECURITY/Beginners-Guide-to-Obfuscation
Attack-resistant programming requires a threshold understanding of your current language. esolang-box is an “easy and standardized docker images for 200+ esoteric (and non-esoteric) languages.” https://github.com/hakatashi/esolang-box
A Python implementation of RFC 7519. https://github.com/jpadilla/pyjwt

PHP

Awesome PHP. A curated list of PHP libraries, resources and shiny things. https://github.com/ziadoz/awesome-php
http://www.cheatography.com/tag/php/
PHP Security Guide, 2005. http://phpsec.org/projects/guide/
Survive The Deep End: PHP Security, 2015. https://phpsecurity.readthedocs.org/en/latest/
Hacking with PHP -> Securty Concerns. http://www.hackingwithphp.com/17/0/0/security-concerns
PHP The Right Way -> Security. http://www.phptherightway.com/#security
PHP Best Practices – A short, practical guide for common and confusing PHP tasks: https://phpbestpractices.org/

Python

“The Complete Python Development Guide.” https://testdriven.io/guides/complete-python/
Hitchhiker’s Guide to Python https://github.com/realpython/python-guide
- and its ‘Web Applications & Frameworks’ section https://github.com/realpython/python-guide/blob/master/docs/scenarios/web.rst
Python Cheatsheet, comprehensive https://gto76.github.io/python-cheatsheet/ and https://github.com/gto76/python-cheatsheet
Python Cheatsheet https://cheatsheets.quantecon.org/python-cheatsheet.html
another Python CheatSheet - my current favorite https://perso.limsi.fr/pointal/_media/python:cours:mementopython3-english.pdf
A small collection of Python cheatsheets https://github.com/Neklaustares-tPtwP/Resources/tree/main/Cheat%20Sheets/Python%20%26%20All%20Libraries%20Cheat%20Sheets
Python Cheatsheet from kickstartcoding https://github.com/kickstartcoding/cheatsheets/blob/master/build/topical/python.pdf
A neat set of PDF topical Python cheatsheets by the author of “Python Crash Course” by Eric Matthes http://ehmatthes.github.io/pcc/cheatsheets/README.html and another version for the 2nd edition of PCC at https://ehmatthes.github.io/pcc_2e/cheat_sheets/cheat_sheets/
The standard Python resources:
- Main website: https://www.python.org/
- Documentation: https://docs.python.org/
- Developer resources: https://devguide.python.org/
- Downloads: https://www.python.org/downloads/
- Module repository: https://pypi.org/
73 Examples to Help You Master Python’s f-strings https://miguendes.me/73-examples-to-help-you-master-pythons-f-strings
Docker Official Python Images [https://hub.docker.com//python](https://hub.docker.com//python)
A deep dive into the official Docker image for Python https://pythonspeed.com/articles/official-python-docker-image/
The best Docker base image for your Python application (April 2020) tl;dr; Ubuntu LTS or Docker Official Python Debian https://pythonspeed.com/articles/base-image-python-docker-images/
“Docker Best Practices for Python Developers” By Amal Shaji 2021-10-05 https://testdriven.io/blog/docker-best-practices/
“Don’t leak your Docker image’s build secrets.” By Itamar Turner-Trauring, 2021-10-01 https://pythonspeed.com/articles/docker-build-secrets/
unblob parses unknown binary blobs for more than 30 different archive, compression, and file-system formats, extracts their content recursively, and carves out unknown chunks that have not been accounted for – just what is needed to explore docker images: https://github.com/onekey-sec/unblob
PyFormat Using % and .format() https://pyformat.info/
Python’s strftime directives https://strftime.org/
Python’s Pathlib explained https://rednafi.github.io/digressions/python/2020/04/13/python-pathlib.html
Type hints cheat sheet (Python 3) https://mypy.readthedocs.io/en/stable/cheat_sheet_py3.html
Write Pythonic Code Like a Seasoned Developer Course https://training.talkpython.fm/courses/explore_pythonic_code/write-pythonic-code-like-a-seasoned-developer and https://github.com/mikeckennedy/write-pythonic-code-demos
71 Python Code Snippets for Everyday Problems https://therenegadecoder.com/code/python-code-snippets-for-everyday-problems/#checking-if-a-file-exists
30-seconds-of-python - Curated collection of useful Python snippets that you can understand in 30 seconds or less https://github.com/30-seconds/30-seconds-of-python
Packaging Projects with Python https://github.com/russomi/packaging_tutorial and https://packaging.python.org/tutorials/packaging-projects/
MATLAB–Python–Julia cheatsheet https://cheatsheets.quantecon.org/
Awesome Python – A curated list of awesome Python frameworks, libraries and software. Inspired by awesome-php. https://github.com/vinta/awesome-python
Best-of Web Development with Python, curated & ranked list https://github.com/ml-tooling/best-of-web-python
Awesome Python Security https://github.com/guardrailsio/awesome-python-security
Awesome Flask https://github.com/mjhea0/awesome-flask
Python Docker image with poetry as dependency manager. https://github.com/etienne-napoleone/docker-python-poetry
Pythonic Data Structures and Algorithms https://github.com/keon/algorithms
‘All’ Algorithms implemented in Python (“may be less efficient than the implementations in the Python standard library. Use them at your discretion.”) https://github.com/TheAlgorithms/Python
Like the safety of with statements, just not in your code? Let ‘just’ take care of it https://github.com/kootenpv/just
Error-handling examples: https://github.com/ianozsvald/python_exception_examples/blob/master/examples.py
pymg is a CLI tool that can interpret Python files by the Python interpreter and display the error message in a more readable way if an exception occurs https://github.com/mimseyedi/pymg
Datetime examples: https://github.com/ianozsvald/datetime-examples/blob/master/examples.py
Scientific Python Cheatsheet https://ipgp.github.io/scientific_python_cheat_sheet/
“10 Useful Python Data Visualization Libraries for Any Discipline” by Melissa Bierly https://blog.modeanalytics.com/python-data-visualization-libraries/
Counting things in Python http://treyhunner.com/2015/11/counting-things-in-python/
Crypto101: an introductory course on cryptography. https://www.crypto101.io/
The Data Scientist’s Toolbox https://www.coursera.org/learn/data-scientists-tools
Compiler-free Python crypto library https://github.com/wbond/oscrypto
Python library to convert Microsoft Outlook .msg files to .eml/MIME message files https://github.com/JoshData/convert-outlook-msg-file
Understanding iteration in Python https://github.com/wyounas/python_training_hq/tree/master/blog_iterator_code_samples
Virtualenv https://virtualenv.pypa.io/en/latest/installation.html and a how-to https://www.youtube.com/watch?v=N5vscPTWKOk
Along with related/supporting projects:
- virtualenvwrapper - a useful set of scripts for creating and deleting virtual environments https://pypi.org/project/virtualenvwrapper
- pew: provides a set of commands to manage multiple virtual environments https://pypi.org/project/pew
- tox: a generic virtualenv management and test automation command line tool, driven by a tox.ini configuration file https://pypi.org/project/tox
- nox: a tool that automates testing in multiple Python environments, similar to tox, driven by a noxfile.py configuration file https://pypi.org/project/nox
- And a how-to https://www.youtube.com/watch?v=N5vscPTWKOk
How to write good quality Python code with GitHub Actions. By Wojciech Krzywiec https://medium.com/@wkrzywiec/how-to-write-good-quality-python-code-with-github-actions-2f635a2ab09a
Automating Every Aspect of Your Python Project https://martinheinz.dev/blog/17
An open-source chart and map framework for realtime data https://github.com/pubnub/eon
Datagen - create sample delimited data using a simple schema format so you can get to work https://github.com/toddwilson/datagen
An asynchronous tasks library using asyncio https://github.com/joegasewicz/pytask-io
Render local readme files before sending off to GitHub https://github.com/joeyespo/grip and a sample Python script to generate bulk documentation https://gist.github.com/mrexmelle/659abc02ae1295d60647
A general purpose Python automatization library with real-time web UI https://github.com/tuomas2/automate
tmux session manager https://github.com/tmux-python/tmuxp
web.py is a web framework for Python that is as simple as it is powerful. https://github.com/webpy/webpy
Need to upgrade ad-hoc calls to Requests with a client-side API for your apps? https://github.com/prkumar/uplink
A basic spreadsheet to api engine https://github.com/18F/autoapi
Blog with git https://github.com/joeyespo/gitpress
deadlinks - link checker https://github.com/butuzov/deadlinks
A rough RSS/Atom feed parser https://github.com/dcramer/feedreader
pyautogit https://github.com/jwlodek/pyautogit
Library of 60+ commonly-used validator functions https://github.com/insightindustry/validator-collection
A python library for parsing multiple types of config files, envvars & command line arguments https://github.com/naorlivne/parse_it
Some examples of how to use the Python module ‘configparser‘ https://github.com/revfran/pythonConfigParsing, https://github.com/VakinduPhilliam/Python_Configuration_Parser
Search for strings in source code - at scale https://github.com/s0md3v/hardcodes
Present data in tables on your terminal https://github.com/Robpol86/terminaltables
Another tool for presenting data in tables https://github.com/jazzband/prettytable
Progress bar https://github.com/verigak/progress
present: A terminal-based presentation tool with colors and effects. https://github.com/vinayak-mehta/present
Color your script output with https://github.com/gvalkov/python-ansimarkup or on Windows with https://pypi.python.org/pypi/colorama
Colorpedia - a command-line tool for looking up colors, shades and palettes https://github.com/joowani/colorpedia
“Python requests is slow and takes very long to complete HTTP or HTTPS request” – This is fantastic troubleshooting guidance and advice! https://stackoverflow.com/questions/62599036/python-requests-is-slow-and-takes-very-long-to-complete-http-or-https-request
nmappy may not be the right scanner for you, but you might find its Python source code might be interesting as it attempts to solve a range of network-centric challenges: https://github.com/bitsadmin/nmappy/blob/master/nmappy.py
“Building a Full Stack Application with Flask and HTMx” https://codecapsules.io/docs/tutorials/build-flask-htmx-app/ and https://github.com/codecapsules-io/demo-flask-htmx
Generate random user agent strings
- https://pypi.org/project/random-user-agent/
- https://pypi.org/project/requests-random-user-agent/
- https://pypi.org/project/fake_user_agent/
- https://pypi.org/project/uas/
Now that you have a pile of Python code, here is a utility to build presentations out of Python code: pysentation, a CLI for displaying Python presentations https://github.com/mimseyedi/pysentation

Markdown

https://github.com/adam-p/markdown-here/wiki/Markdown-Cheatsheet
https://docs.github.com/en/get-started/writing-on-github
https://bitbucket.org/tutorials/markdowndemo
Markdown Cheatsheet http://commonmark.org/help/
https://guides.github.com/pdfs/markdown-cheatsheet-online.pdf
GitHub Flavored Markdown Spec https://github.github.com/gfm/
Another GitHub Flavored Markdown cheatsheet https://github.com/tchapi/markdown-cheatsheet
Collection of static site generators https://jamstack.org/generators/ and https://staticsitegenerators.net/

JavaScript

Very basic http://marijnhaverbeke.nl/js-cheatsheet.html
http://www.cheatography.com/acwinter/cheat-sheets/javascript-basic-advanced-and-more/ and
http://www.cheatography.com/tag/javascript/ and
http://www.sitepoint.com/10-javascript-cheat-sheets/
Learning JavaScript Design Patterns. Volume 1.6.2, By Addy Osmani https://addyosmani.com/resources/essentialjsdesignpatterns/book/
Programming JavaScript Applications. By Eric Elliott http://chimera.labs.oreilly.com/books/1234000000262/index.html
Cheatsheets for experienced React developers getting started with TypeScript https://github.com/typescript-cheatsheets/react-typescript-cheatsheet
Node: Up and Running. By Tom Hughes-Croucher and Mike Wilson http://chimera.labs.oreilly.com/books/1234000001808/index.html
Narrative workbook – This is a companion workbook that will assist you in working through the codeX Narrative that is to be provided. Resources and references provided that will assist you in your journey will be published in the repository. https://github.com/codex-academy/codeX_ReleaseOneNarrativeWorkbook
“Don’t make fun of JavaScript” https://github.com/pixari/dmfojs

Crypto

Matthew Green’s List of Crypto Resources: http://blog.cryptographyengineering.com/
Crypto101: an introductory course on cryptography. https://www.crypto101.io/
A good place to get an overview of the correct tools to use for modern cryptography is “(Updated) Cryptographic Right Answers” by Thomas Ptacek (Thank you William Bond): https://gist.github.com/tqbf/be58d2d39690c3b366ad
Peter Gutmann (a researcher at the University of Auckland) assembled his “godzilla crypto tutorial,” including 973 slides in 12 parts at: https://www.cs.auckland.ac.nz/~pgut001/tutorial/index.html Although this material is not new, it still seems like a resource that will be of value to many.
pyca/cryptography - A package providing cryptographic recipes and primitives to Python developers, with the goal of being your “cryptographic standard library”. https://github.com/pyca/cryptography
A fast, pure Python library for parsing and serializing ASN.1 structures. https://github.com/wbond/asn1crypto
Compiler-free Python crypto library https://github.com/wbond/oscrypto
PyNaCl: Python binding to the libsodium library https://github.com/pyca/pynacl
The Cyber Swiss Army Knife - a web app for encryption, encoding, compression and data analysis https://gchq.github.io/CyberChef and https://github.com/gchq/CyberChef
- Here is an example of using CyberChef to to deobfuscate malware: “Advanced Cyberchef Techniques - Defeating Nanocore Obfuscation With Math and Flow Control”
Or search for other projects (there are lots of them) with: https://github.com/search?q=cryptography&type=repositories
RFC 9180 Hybrid public-key encryption (HPKE) See a useful overview from CloudFlare: https://blog.cloudflare.com/hybrid-public-key-encryption/.
- “TL;DR - Hybrid Public Key Encryption.”
- “Hybrid Public Key Encryption: My Involvement in Development and Analysis of a Cryptographic Standard.”
- And a Python implementation of draft version 1 at: https://github.com/dwd/crypto-examples/blob/master/hpke.py.

Regex

Test your regex on line: https://regex101.com/ or
test your regex with: https://pythex.org/
test and visualize your regex with: https://extendsclass.com/regex-tester.html
Test your JavaScript style regex: https://regexper.com/
Test your Python style regex: https://pythonium.net/regex
OWASP Validation Regex Repository https://www.owasp.org/index.php/OWASP_Validation_Regex_Repository
A really big collection of regex resources http://regexlib.com/
http://www.cheatography.com/davechild/cheat-sheets/regular-expressions/ and
http://www.cheatography.com/tag/regex/
Another collection of examples: http://www.regular-expressions.info/examples.html
Includes a collection of regexes for apikeys/tokens https://github.com/m4ll0k/SecretFinder/blob/master/BurpSuite-SecretFinder/SecretFinder.py
“Regular Expressions: Regexes in Python” by John Sturtz https://realpython.com/regex-python/ and part 2 https://realpython.com/regex-python-part-2/
Related… Personally Identifiable Information (PII) Redactor shell script https://github.com/infinite-omicron/pii-redactor/blob/master/pii_redactor.sh

DOS/Windows Shell

Guide to Batch Scripting http://steve-jansen.github.io/guides/windows-batch-scripting/

Information Sources for your Security Investigations

A starter list of information sources for your security investigations & integrations:
(Thank you https://github.com/cloudtracer/ThreatPinchLookup)

What defines a “material” cybersecurity incident? Lacework released a Securities and Exchange Commission (SEC) materiality framework paper https://www.lacework.com/resource/sec-materiality-framework.html
Awesome OSINT https://github.com/jivoi/awesome-osint
Ammar Amer’s OSINT resources https://github.com/blaCCkHatHacEEkr/OSINT_TIPS
Discover Your Attack Surface https://github.com/intrigueio/intrigue-core
Alienvault OTX for IPv4, CVE, MD5, SHA1 and SHA2 lookups https://otx.alienvault.com/
Bitcoin Whos Who for Bitcoin lookups http://bitcoinwhoswho.com/
BlockChain.info for Bitcoin lookups https://blockchain.info/
BTC for Bitcoin lookups https://btc.com/
Censys.io for IPv4 lookups https://censys.io/
CIRCL (Computer Incident Response Center Luxembourg) for CVE lookups https://www.circl.lu/
Google Safe Browsing for URL lookups https://safebrowsing.google.com/
Have I Been Pwned for Email lookups https://haveibeenpwned.com
IBM XForce Exchange for IPv4, EFQDN lookups [https://exchange.xforce.ibmcloud.com
IP Geo Tool {free} for your script integration: https://tools.keycdn.com/geo.json?host={IP or hostname} Important: See https://tools.keycdn.com/geo for configuring your request header User-Agent string correctly.
MISP for MD5 and SHA2 http://www.misp-project.org/
- Also consider MISP Taxonomies for your integration work https://github.com/MISP/misp-taxonomies/
PassiveTotal for FQDN Whois lookups https://www.passivetotal.org/
PulseDive for IPv4, FQDN and URL lookups https://pulsedive.com/
Recorded Future for IPv4, FQDN, MD5, SHA1 and SHA2 lookups http://recordedfuture.com/
For IP lookups and much more:
- Shodan https://www.shodan.io/
  - Search Query Fundamentals: https://help.shodan.io/the-basics/search-query-fundamentals
  - REST and Streaming API Queries: https://developer.shodan.io/api/banner-specification
  - Docker image to run Shodan CLI: https://github.com/crazy-max/docker-shodan
- Greynoise https://viz.greynoise.io/trends
- ZoomEye for IPv4 lookups https://www.zoomeye.org/
- Cloud IP Ranges https://github.com/nccgroup/cloud_ip_ranges
- CDN IP Ranges https://github.com/six2dez/ipcdn
ThreatCrowd for IPv4, FQDN and MD5 lookups https://www.threatcrowd.org/
ThreatMiner: IPv4, Email, FQDN, MD5, SHA1 and SHA2 lookups https://www.threatminer.org/
Wigle for WiFi https://wigle.net/
Sourcecode Search https://publicwww.com/
Utility to identify active committers participating in targeted repositories or github.com organizations. https://github.com/kaakaww/contributors_tool
Find professional email addresses https://hunter.io/
VirusTotal for MD5, SHA1, SHA2, URL and FQDN lookups https://www.virustotal.com/
Buster, An advanced tool for email reconnaissance https://github.com/sham00n/buster
WayBulk, Search a list of domains on the wayback machine https://github.com/sham00n/waybulk
General outline of information about a specific host or domain https://webrate.org/site/website-hostname/ (replace “website-hostname” with your target.)
Bluetooth “Wall of Sheep.” “A little app that discovers bluetooth devices near by and displays them on a board.” https://github.com/skittleson/bluetooth-wos

Math and Statistics

Statistics in Pandas Cheatsheet https://cheatsheets.quantecon.org/stats-cheatsheet.html
Manish Saraswat’s list of Free books on statistics mathematics data science http://www.analyticsvidhya.com/blog/2016/02/free-read-books-statistics-mathematics-data-science/
Chen’s Free Data Science Books http://www.wzchen.com/data-science-books/
balban’s Free Statistics Books https://github.com/balban/Books/tree/master/Statistics
“Unsupervised Cross-lingual Representation Learning at Scale” by Alexis Conneau and Kartikay Khandelwal, et.al. https://arxiv.org/pdf/1911.02116.pdf
“What Is a Time-Series Plot, and How Can You Create One?” https://www.timescale.com/blog/what-is-a-time-series-plot-and-how-can-you-create-one/
“How to Work With Time Series in Python?” https://www.timescale.com/blog/how-to-work-with-tim/
“Tools for Working With Time-Series Analysis in Python” https://www.timescale.com/blog/tools-for-working-with-time-series-analysis-in-python/
Complete guide to create a Time Series Forecast (Python) http://www.analyticsvidhya.com/blog/2016/02/time-series-forecasting-codes-python/ and in R http://www.analyticsvidhya.com/blog/2015/12/complete-tutorial-time-series-modeling/
functime is a Python library for production-ready global forecasting and time-series feature engineering (comes with time-series preprocessing (box-cox, differencing etc), cross-validation splitters (expanding and sliding window), and forecast metrics (MASE, SMAPE etc)) https://github.com/descendant-ai/functime
Mathics is a general-purpose computer algebra system (CAS). The mathics-core repository contains just the Python modules for WL Built-in functions, variables, core primitives, e.g. Symbol, a parser to create Expressions, and an evaluator to execute them. https://github.com/Mathics3/mathics-core

Text to Speech / Speech to Text

eSpeak NG https://github.com/espeak-ng/espeak-ng
Using eSpeak and eSpeakNG https://vitux.com/convert-text-to-voice-with-espeak-on-ubuntu/
eSpeak NG TTS Bindings for Python3 https://github.com/sayak-brm/espeakng-python
Larynx – This engine provides a complete text-to-speech solution for 9 languages in as many as 50 voices and can be used without any proprietary cloud services (each voice is roughly 250MB). This project includes an easy path using a Docker image. https://github.com/rhasspy/larynx
RealtimeTTS is a state-of-the-art text-to-speech (TTS) library designed for real-time applications. It stands out in its ability to convert text streams fast into high-quality auditory output with minimal latency. https://github.com/KoljaB/RealtimeTTS
- Also see its cousin, RealtimeSTT “Easy-to-use, low-latency speech-to-text library for realtime applications.” https://github.com/KoljaB/RealtimeSTT
Speech-to-text app “Linguflex” includes local TTS. https://github.com/KoljaB/Linguflex
NanoTTS: Speech synthesizer commandline utility (Thank you Gregory Naughton) https://github.com/gmn/nanotts

Random Cheat Sheets

Cheat Sheets from a terminal via curl: http://cheat.sh/
OWASP Cheat Sheet Series index: https://github.com/OWASP/CheatSheetSeries/blob/master/Index.md and https://cheatsheetseries.owasp.org/
Massive list of links to lists associated with programming and languages https://neverendingsecurity.wordpress.com/category/documents-manuals/mind-maps/
SQL Injection Cheat Sheet https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/
Collection of SQL Injection Cheat Sheets https://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet
Random reminder of how SQL Joins work. http://blog.codinghorror.com/a-visual-explanation-of-sql-joins/ Browse the comments as well. And if that doesn’t do it, try http://gplivna.blogspot.com/2008/01/sql-join-types-im-studying-bit-sql.html
“awesome-incident-response” a curated list of tools and resources for security incident response https://github.com/meirwah/awesome-incident-response
Incident “Debriefing Facilitation Guide – Leading Groups at Etsy to Learn From Accidents.” by: John Allspaw, Morgan Evans, Daniel Schauenberg; 2016 http://extfiles.etsy.com/DebriefingFacilitationGuide.pdf and in MarkDown format: https://github.com/etsy/DebriefingFacilitationGuide
“Digital Services Playbook.” https://playbook.cio.gov/ and the source in MarkDown at: https://github.com/usds/playbook
101 Machine Learning Algorithms for Data Science with Cheat Sheets https://blog.datasciencedojo.com/machine-learning-algorithms/
An extensive list of filetypes and the application(s) associated with them https://github.com/vscode-icons/vscode-icons/wiki/ListOfFiles

Several Tech Company Research & Security Blogs

AppScan Standard and AppScan Enterprise Forum http://www.ibm.com/developerworks/forums/forum.jspa?forumID=1320&start=0
Fortify AppSecurity Blog https://community.microfocus.com/cyberres/tags/Fortify
Fortify Security Research Blog https://community.microfocus.com/cyberres/b/off-by-on-software-security-blog
HP AppSecurity Feed https://twitter.com/HPappsecurity
IBM Security-Intelligence Feed http://securityintelligence.com/
IBM Research News http://ibmresearchnews.blogspot.com/
IBM Research Home http://www.research.ibm.com/
IBM Community Blogs https://www-304.ibm.com/connections/communities/service/html/allcommunities
IBM DeveloperWorks Blogs – Recent Updates https://www.ibm.com/developerworks/
Microsoft Research Blogs https://www.microsoft.com/en-us/research/blog/
Microsoft Cybersecurity Blog https://www.microsoft.com/security/blog/
Microsoft Office365 Developer Blog https://developer.microsoft.com/en-us/office supported by https://github.com/OfficeDev
Google Online Security Blog http://googleonlinesecurity.blogspot.com/
Google AppSecurity Research https://www.google.com/about/appsecurity/research/ and supporting details at https://code.google.com/p/google-security-research/issues/list?can=1
PortSwigger (Burp) Blog http://blog.portswigger.net/
Apple Research News/Blog/Home oops, I guess there aren’t any security blogs here But Apple hubris is in the press – Here is a page with links to journalism on the Pegasus Project: https://www.msnbc.com/rachel-maddow-show/pegasus-project-media-index-n1274437

Respect software author’s license decisions

Software licensing explained https://en.wikipedia.org/wiki/Software_license
Comparison of free and open-source software licenses http://en.wikipedia.org/wiki/Comparison_of_free_and_open-source_software_licenses
Open Source Initiative list of links to license information http://opensource.org/licenses
“Various Licenses and Comments about Them” from GNU http://www.gnu.org/philosophy/license-list.html
“Software Licenses in Plain English – Lookup popular software licenses summarized at-a-glance.” https://tldrlegal.com/

Various public documents, whitepapers and articles about APT campaigns

APTnotes is a repository of publicly-available papers and blogs (sorted by year) related to malicious campaigns/activity/software that have been associated with vendor-defined APT (Advanced Persistent Threat) groups and/or tool-sets. https://github.com/aptnotes/data or go directly to the resource links at https://github.com/aptnotes/data/blob/master/APTnotes.csv

Verify those shortened URLs

https://tinyurl.com/preview.php
http://checkshorturl.com/
URL-Expander / URL-Unshortener http://urlex.org/

Find the code you need

In a hurry? Try asking OpenAI’s ChatGPT to write what you need: https://chat.openai.com/chat
Awesome Algorithms – A curated list of awesome places to learn and/or practice algorithms https://github.com/tayllan/awesome-algorithms
Open Source resource for learning Data Structures & Algorithms and their implementation in any Programming Language https://github.com/TheAlgorithms
http://c2.com/cgi/wiki?FindPage
A large collection of sorting algorithms in many languages https://github.com/search?q=sorting+algorithms&ref=reposearch&utf8=%E2%9C%93
Competitive Programming, algorithms and data structures https://algocoding.wordpress.com/

Then copy & morph

virtualenv is a tool to create isolated Python environments https://virtualenv.pypa.io/en/latest/
A relatively quick Python Numpy Tutorial by Justin Johnson. http://cs231n.github.io/python-numpy-tutorial/

Risk Management Frameworks

Financial Services Sector “Cybersecurity Profile” - 280 ‘diagnostic statements’ https://www.fsscc.org/Financial-Sector-Cybersecurity-Profile
NIST SP-800-53 v4

Stay Informed

(in no particular order - and thank you Joe Fleischman for the starter set)

Krebs On Security http://krebsonsecurity.com/
Schneier on Security https://www.schneier.com/
IBM X-Force Home http://securityintelligence.com/topics/x-force/
Security Bloggers Network https://securityboulevard.com/sbn/
News from NetCraft https://news.netcraft.com/ and their security category at https://news.netcraft.com/archives/category/security/
Help Net Security http://www.net-security.org/secworld_main.php
Malwarebytes Blog https://blog.malwarebytes.org/
Sophos NakedSecurity Blog https://nakedsecurity.sophos.com/
FreedomHacker http://freedomhacker.net/
Wired Threat Level http://www.wired.com/category/threatlevel
Homeland Security News Wire http://www.homelandsecuritynewswire.com/topics/cybersecurity
CNET http://www.cnet.com/topics/security/
Threat Post https://threatpost.com/
SC Magazine http://www.scmagazine.com/news/section/100/
Reddit (cybersecurity) http://www.reddit.com/r/cybersecurity/
Mashable (cybersecurity) http://mashable.com/category/cybersecurity/
Fierce IT Security http://www.fierceitsecurity.com/
(and for more details)
1 Raindrop http://1raindrop.typepad.com/1_raindrop/
Information Week Dark Reading http://www.darkreading.com/
Dark Reading aggregation of news about attacks and breaches https://www.darkreading.com/attacks-breaches.asp
White Hat Security Blog https://www.whitehatsec.com/blog/
Sucuri Blog https://blog.sucuri.net/
FireEye Blog https://www.fireeye.com/blog/threat-research.html
SANS Security Awareness Blog http://www.securingthehuman.org/blog
SANS Digital Forensics Blog http://digital-forensics.sans.org/blog
SEI Blog https://insights.sei.cmu.edu/blog/
System Forensics http://www.sysforensics.org/
System Admin, Powershell (inactive) http://sysadminconcombre.blogspot.ca/
BOT24 http://www.bot24.com/
DDoS Illustrations at http://www.digitalattackmap.com/ Thank you Diego Navarro.
Kite Blog: https://kite.com/blog
AWS Week in Review: https://aws.amazon.com/blogs/aws/tag/week-in-review/
Center for the Study of Intelligence (CSI) Books and Monographs. https://www.cia.gov/resources/csi/books-and-monographs/

Software Defined Radio (SDR)

Overview: http://microhams.blob.core.windows.net/content/2017/03/RTL-SDR-dongle.pdf
FISSURE – Frequency Independent SDR-based Signal Understanding and Reverse Engineering – an open-source RF and reverse engineering framework for signal detection and classification, protocol discovery, vulnerability analysis and more https://github.com/ainfosec/FISSURE
Big List of SDR Applications: https://wiki.radioreference.com/index.php/SDR_Software_Applications
PDW (Paging decoder for monitoring POCSAG, FLEX, ACARS, MOBITEX & ERMES pager traffic): http://www.discriminator.nl/pdw/index-en.html and https://github.com/Discriminator/PDW
Unitrunker: http://www.unitrunker.com/ (pager RF-to-text?). Manuals at: http://utahradio.org/mediawiki/index.php/UniTrunker_Guide and http://www.unitrunker.com/windows.html and http://www.unitrunker.com/realtek.html
Supported protocols (definitions at: http://wiki.radioreference.com/):
o APCO P25
o EDACS 4800
o EDACS 9600
o Motorola
o MPT1327
SDRTrunk
DMRDecode
?? Digital Speech Decoder (software package)
R820T (integrated multi‐band RF tuner IC implemented in CMOS) data sheet: https://www.rtl-sdr.com/wp-content/uploads/2013/04/R820T_datasheet-Non_R-20111130_unlocked1.pdf
Rafael Micro R820T2 Data Sheet (24-1766 MHz, newer lower noise version of the R820T): Some info in https://www.rtl-sdr.com/wp-content/uploads/2018/02/RTL-SDR-Blog-V3-Datasheet.pdf and register descriptions here: https://www.rtl-sdr.com/r820t2-register-description-data-sheet-now-available/ and https://www.rtl-sdr.com/wp-content/uploads/2016/12/R820T2_Register_Description.pdf
Source Code examples for interacting with the R820TU: https://github.com/emeb/r820t2/tree/master/f030_r820t2
“Hello, world!” for GNSS-SDR: http://gnss-sdr.org/my-first-fix/
Dump 1090 is a Mode S decoder specifically designed for RTLSDR devices https://github.com/antirez/dump1090
An improved webinterface for use with ADS-B decoders readsb / dump1090-fa https://github.com/wiedehopf/tar1090

Temporary list for new work tools

Review this Awesome Docker list/resource from time to time: https://github.com/veggiemonk/awesome-docker
Review this Awesome Remote Job list/resource to see if there is anything useful to me: https://github.com/lukasz-madon/awesome-remote-job
Top-like interface for container metrics - ctop provides a concise and condensed overview of real-time metrics for multiple containers https://github.com/bcicen/ctop or one of the others at https://github.com/veggiemonk/awesome-docker/blob/master/README.md#terminal
A collection of minimal Docker images: https://github.com/vektorcloud
Another collection of specialized Docker images: https://github.com/jessfraz/dockerfiles
A collection of Docker files from CenturyLink Labs: https://github.com/CenturyLinkLabs?q=&type=&language=dockerfile
Awesome-Security: https://github.com/sbilly/awesome-security
Awesome console services https://github.com/gnebbia/awesome-console-services
‘The Book of Secret Knowledge’ - A collection of inspiring lists, manuals, cheatsheets, blogs, hacks, one-liners, cli/web tools and more: https://github.com/trimstray/the-book-of-secret-knowledge
A pair of tools for running phishing campaigns to raise security awareness: Swordphish Phishing Awareness Tool https://github.com/certsocietegenerale/swordphish-awareness/ and the Outlook add-in companion to report suspicious mail easily https://github.com/certsocietegenerale/NotifySecurity
W3C HTML Tidy - Usage: ‘curl someURL Tidy -iq’ http://www.html-tidy.org/ and https://github.com/htacg/tidy-html5
CanaryTokens https://canarytokens.org/generate
Canary (a ‘honeypot’ appliance) https://canary.tools/
WebSphere Password Decoders: http://strelitzia.net/wasXORdecoder/wasXORdecoder.html
Conference Session Search Service - Con Collector (broken) but they still list conferences https://www.thinkst.com/ts.html
Some Open Source Network Monitoring Tools:
- Snort: https://www.snort.org/downloads
- Suricata: https://suricata-ids.org/
- Bro: https://www.bro.org/
- OSSEC - Open Source HIDS SECurity https://ossec.github.io/
Lists of IP addresses by Country - use to block or to assess your log data, etc. http://www.ipdeny.com/ipblocks/
Words are important, choose them well https://wordnik.com/
Check a site or service https://www.hurl.it/
G Suite Toolbox Browserinfo – very handy https://toolbox.googleapps.com/apps/browserinfo/
A useful set of app-friendly utilities https://httpbin.org/, for example, what is your current IP address https://httpbin.org/ip
A fake DNS server that allows you to stealthily extract files from a victim machine through DNS requests https://github.com/m57/dnsteal
A collection of default Oracle usernames and passwords https://github.com/Oweoqi/oracle_creds
Sometimes you need a little local web server https://github.com/kzahel/web-server-chrome
Sometimes only ASCII is needed/allowed – Convert a HTML table into ASCII table using Python: Colspan and Rowspan allowed https://github.com/gustavklopp/DashTable
Reference (probably dated, but better than nothing) List of all generic top level domains https://github.com/kyleconroy/gtlds
FuzzDB Project https://github.com/fuzzdb-project/fuzzdb
Free IP geolocation API: ‘curl http://api.db-ip.com/v2/free/IP-Address’ or curl http://api.db-ip.com/v2/free/IP-Address/countryName [up to 1000/day]
GetGeoIPContext web service to easily look up countries by Context http://www.webservicex.net/geoipservice.asmx/GetGeoIPContext? (Caution: as of October 2021, they are using a self-signed certificate)
GetGeoIP web service to easily look up countries by IP address http://www.webservicex.net/geoipservice.asmx/GetGeoIP?IPAddress=string
Get domain name registration record by Host Name / Domain Name (WhoIS) http://www.webservicex.net/whois.asmx/GetWhoIS?HostName=string
Get weather report for any major cities around the world http://www.webservicex.net/globalweather.asmx/GetWeather?CityName=string&CountryName=string
A much better way to get weather! …in your terminal https://github.com/chubin/wttr.in and then try some one-liners, for example:
- ~$ curl https://wttr.in/yourCity?format=”%l:+%t+%w+%h+%f”
- in your .bashrc: alias weather=’curl https://wttr.in/yourCity’
A high-functioning command line tool that displays the current weather (from OpenWeather) in the terminal written in Rust https://github.com/gourlaysama/girouette
Website style analyzer for designers http://stylifyme.com/ and source at: https://github.com/micmro/Stylify-Me
A python script that generates different sizes favicons from one image https://github.com/Hecsall/favicon-generator

Bash Shell

https://github.com/alebcay/awesome-shell
Bash scripting CheatSheet https://devhints.io/bash
Bash for the shell novice:
- http://swcarpentry.github.io/shell-novice/
- https://help.ubuntu.com/community/Beginners/BashScripting
Shell script static analysis tool – a lint for bash/sh/zsh shellcheck
Pure Bash Bible https://github.com/dylanaraps/pure-bash-bible
Bash Strict Mode by Aaron Maxwell http://redsymbol.net/articles/unofficial-bash-strict-mode/
Slack CLI via pure bash https://github.com/rockymadden/slack-cli
https://github.com/herrbischoff/awesome-osx-command-line
A beginner’s guide to setting up a development environment on macOS https://github.com/nicolashery/mac-dev-setup
A collection of one-liners https://github.com/jlevy/the-art-of-command-line#one-liners

Misinformation / Disinformation are Rampant – Check Those ‘Facts’

AP Fact Check: https://www.ap.org/
Check Your Fact: https://checkyourfact.com/
El Detector / Univision Noticias: https://www.univision.com/especiales/noticias/detector/
FactCheck.org, Annenberg Public Policy Center: https://www.factcheck.org/
MediaWise: https://www.poynter.org/mediawise/
Politifact: http://www.politifact.com/
Snopes: https://www.snopes.com/
T Verifica (Noticias Telemundo): https://www.telemundo.com/noticias/t-verifica
The Dispatch Fact Check: https://thedispatch.com/
Washington Post Fact Checker: https://www.washingtonpost.com/news/fact-checker/

This is a subset of the longer list at: https://ifcncodeofprinciples.poynter.org/signatories

Development Environment on a Mac

A beginner’s guide to setting up a development environment on macOS https://github.com/nicolashery/mac-dev-setup
“A shell script which turns your Mac into an awesome web development machine.” https://github.com/18F/laptop

There is probably some free training for that…

Find a class at https://www.classcentral.com/search or https://www.classcentral.com/subjects
Find out about assistance at: https://www.classcentral.com/help/moocs
- By universities (1301 on 16 Jan 2023): https://www.classcentral.com/universities
- By sub-groups of universities: https://www.classcentral.com/collection/ivy-league-moocs
- By commercial Institutions (1721 on 16 Jan 2023): https://www.classcentral.com/institutions
Free Online Learning Due to Coronavirus - ClassCentral maintains a list of temporarily free courses at: https://www.classcentral.com/report/free-online-learning-coronavirus/
M.I.T. offers free content on OpenCourseWare: https://ocw.mit.edu/index.htm
Open Culture lists more than 1,500 courses: http://www.openculture.com/freeonlinecourses
Coursera https://www.coursera.org/ and https://www.classcentral.com/report/coursera-free-certificate-covid-19/
edX https://www.edx.org/
FutureLearn https://www.futurelearn.com/ and https://www.classcentral.com/report/futurelearn-free-certificates/
Udacity https://www.udacity.com/
Udemy https://www.udemy.com/courses/free/
Upgrad https://www.upgrad.com/free-courses/
Full reference of LinkedIn answers 2021 for skill assessments, LinkedIn test, questions and answers https://github.com/Ebazhanov/linkedin-skill-assessments-quizzes

Quantum Computing Resources

Here are some resources to learn more about this topic:

Open-Source Quantum Development. Qiskit [quiss-kit] is an open-source SDK for working with quantum computers at the level of pulses, circuits, and application modules. (Python 3.7+ in a virtual environment with Anaconda) quiskit
IBM Quantum Lab https://quantum-computing.ibm.com/lab
I have some old, unmaintained resources at https://github.com/mccright/rand-notes/blob/master/quantum-computing.md

Temporary list for work tools or other resources requiring more follow-up

SVAR - Simple Voice Activated Recorder. https://github.com/Arkq/svar
Alien invasion shoot-em-up that runs in a terminal with bash (everyone needs a break once in a while): https://github.com/vaniacer/piu-piu-SH/
Center for the Study of Intelligence (CSI) Books and Monographs. https://www.cia.gov/resources/csi/books-and-monographs/
The Rust-lang Book https://github.com/rust-lang/book
An architecture decision record (ADR) is a document that captures an important architecture decision made along with its context and consequences. Joel Parker Henderson has a lot of resources to get you started at: https://github.com/joelparkerhenderson/architecture-decision-record/tree/main
How have I known about ripgrep (rg) - an excellent ‘grep’ for searching through files in a directory tree? https://github.com/BurntSushi/ripgrep
Get Windows Token Information https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Get-OSTokenInformation.ps1
flaskql-playground https://github.com/cmpilato/flaskql-playground
also look into https://github.com/yangyuexiong/Flask_BestPractices
and this little model Flask app: https://github.com/gmn/PythonWeb/
fedy: Fedora post-install tool to install multimedia codecs and additional software that Fedora doesn’t want to ship, like H264 support, Adobe Flash (don’t do Flash unless it is absolutely necessary for some materially-important purpose), Oracle Java etc., and much more with just a few clicks https://github.com/rpmfusion-infra/fedy
Sometimes you are given data with no description of its layout/nature. Here are two data exploration utilities:
Flenser https://github.com/JohnMcCambridge/flenser
Lux https://github.com/lux-org/lux
Begone Ads [Python] https://github.com/anned20/begoneads/tree/master/begoneads
Raspberry Pi: Tutorials, Models, How to Get Started by Avram Piltch, Tom’s Hardware https://www.tomshardware.com/news/raspberry-pi
READ: “A Building Code for Building Code – Putting What We Know Works to Work.” By Carl E. Landwehr. http://www.landwehr.org/2013-12-cl-acsac-essay-bc.pdf
Tufin http://www.tufin.com/
Viewfinity http://www.viewfinity.com/
Check Various tools for testing RFC 5077 https://github.com/vincentbernat/rfc5077
Check interactive SNMP tool with Python https://github.com/vincentbernat/snimpy
layer 2 network discovery application https://github.com/vincentbernat/wiremaps
What Port Is? https://github.com/ncrocfer/whatportis
Java 8 Cheat Sheet: http://zeroturnaround.com/wp-content/uploads/2015/12/RebelLabs-Java-8-cheat-sheet.png
Crypto101: an introductory course on cryptography. https://www.crypto101.io/
Handy list of browser user-agent strings (long) in PHP code: https://github.com/smxi/php-browser-detection/blob/master/browser_detection.inc
7500 user-agent strings from Jerry Gamblin https://github.com/jgamblin/curluseragent/blob/master/ua.txt
Another list (short) of UA strings, categorized by device types https://github.com/miketaylr/useragent-switcher-xml/blob/master/useragentswitcher.xml
Google Fiber Wifi Data Presentation http://apenwarr.ca/diary/wifi-data-apenwarr-201602.pdf and related utilities: https://gfiber.googlesource.com/vendor/google/platform/+/master/spectralanalyzer/ & https://github.com/apenwarr/wavedroplet/ & blip https://github.com/apenwarr/blip/
blip latency trending utility https://github.com/apenwarr/blip hosted at http://gfblip.appspot.com/ and the DNS-aware version don’t have this hosted at http://6-dot-gfblip.appspot.com))
Performance-Bookmarklet helps to analyze the current page through the Resource Timing API, Navigation Timing API and User-Timing - requests by type, domain, load times, marks and more. https://github.com/micmro/performance-bookmarklet
mitmproxy is an interactive, SSL/TLS-capable intercepting proxy with a console interface for HTTP/1, HTTP/2, and WebSockets. A free and open source swiss-army knife for debugging, testing, privacy measurements, and penetration testing. https://github.com/mitmproxy/mitmproxy
Transparent proxy server https://github.com/apenwarr/sshuttle
Packet decoding for the Go language https://github.com/apenwarr/gopacket and https://github.com/google/gopacket
Here is a useful starter Flask-and-SQLite tutorial https://flask.palletsprojects.com/en/3.0.x/patterns/sqlite3/
Very fast C++ importer from csv files to sqlite3 databases https://github.com/apenwarr/csv2sqlite
A feature-packed Python package and for utilizing SQLite in Python by Plasticity https://github.com/plasticityai/supersqlite
An idea for csv-to-json {csv2json.py} https://github.com/apenwarr/afterquery/blob/master/csv2json.py
“Structured text tools” – A useful list of text-based file formats and command line tools for manipulating each https://github.com/dbohdan/structured-text-tools
Text Tools https://github.com/fmhy/FMHY/wiki/%F0%9F%94%A7-Tools#-text-tools and more generally “[tools](https://github.com/fmhy/FMHY/wiki/%F0%9F%94%A7-Tools](https://github.com/fmhy/FMHY/wiki/%F0%9F%94%A7-Tools)
Simple static page development grunt setup https://github.com/micmro/grunt-simple-boilerplate
WiGPSFi – ESP8266 + GPS http://euerdesign.de/2016/04/16/wigpsfi-esp8266-gps/
Creepy Wireless Stalking Made Easy https://hackaday.com/2016/12/04/creepy-wireless-stalking-made-easy/
WarWalking With The ESP8266 https://hackaday.com/2016/10/23/warwalking-with-the-esp8266/
Windows 10 Wi-Fi Analyzer https://www.microsoft.com/en-us/store/p/wifi-analyzer/9nblggh33n0n
Code Review Questions:
Eric Farkas: http://ericfarkas.com/posts/questions-i-ask-during-code-review
thoughbot’s Code Review guide https://github.com/thoughtbot/guides/blob/main/code-review/README.md
Examples from StackExchange https://security.stackexchange.com/questions/tagged/code-review
Another https://productcoalition.com/code-review-questions-what-should-you-be-looking-for-e3f9c147baff
How to give a code review https://medium.com/better-programming/how-to-give-a-great-code-review-7e32e5ba0771
How to do code review (.NET) https://sites.google.com/site/wcfpandu/how-to-review-code
And wildly off-topic – but important – Patient Rights Advocate released its “Hospital Price Files Finder,” which it describes as “The first-ever free and publicly available search tool that allows consumers to view the available hospital pricing files from nearly all of the 6,000 hospitals throughout the U.S.” This collection of medical cost-of-service data is not easy to use. It seems like a data source for some innovative (and possible profitable) software development efforts. https://hospitalpricingfiles.org/

Other

Learn more about what your github repos can do for you: https://github.com/joelparkerhenderson/github-special-files-and-paths
Where are the power outages? https://poweroutage.com/ and https://poweroutage.us/
Fear & Greed Index https://money.cnn.com/data/fear-and-greed/
The best command line stock price grabber for a quick sanity check! Thank you Patrick Stadler. https://github.com/pstadler/ticker.sh
And another great-looking command line stock price grabber: curl https://terminal-stocks.herokuapp.com/SYMBOL. Thank you Shashi Prakash Gautam for your excellent server. https://github.com/shweshi/terminal-stocks
If you want to just grab a long history for any given security (through 2018-03-27), try https://www.quandl.com/api/v3/datasets/WIKI/symbol
Database of False or Misleading Claims By DJ Trump During his 4-Year Presidency (more than 30,000 of them) https://www.washingtonpost.com/graphics/politics/trump-claims-database/
Look into this simple mass Search & Replace tool (Rust): https://github.com/nvie/sr
Who pays for writing? Here is an annotated list of organizations that pay writers: https://github.com/malgamves/CommunityWriterPrograms
China Brief https://jamestown.org/programs/cb/
For some background on the expanding criminal industry of ransomware where criminal syndicates have evolved a “conveyor-belt-like process of hacking, encrypting and then negotiating for ransom in cryptocurrencies:” https://www.nytimes.com/2021/12/06/world/europe/ransomware-russia-bitcoin.html
For a primer on the sprawling People’s Liberation Army (PLA) Strategic Support Force that “centralizes information warfare capabilities in the cyber and space domains” from the U.S. Congressional Research Service see: China Primer: The People’s Liberation Army (PLA) (Updated December 21, 2022)
Online SVG Editor, SVGBob https://ivanceras.github.io/svgbob-editor/
SVG Python module https://github.com/orsinium-labs/svg.py
svgcleaner (Rust) is used to losslessly reduce the size of an SVG image – generally created in a vector editing application – before publishing https://github.com/RazrFalcon/svgcleaner. See also:
- SVGO (Python) https://github.com/svg/svgo
- Scour (JavaScript/TypeScript) https://github.com/scour-project/scour
MuseScore https://github.com/musescore/MuseScore and https://musescore.org/en/guitar
Chordious https://github.com/jonthysell/Chordious with related https://github.com/svg-net/SVG
DoD Cyber Workforce Framework - interesting way to describe roles https://public.cyber.mil/cw/dcwf/
Before donating to non-profits, do your research https://www.open990.org/org/
Satellite view of my weather http://re.ssec.wisc.edu/
High-resolution imagery via Earth Engine https://explorer.earthengine.google.com/#workspace
Remittances sent from United States to other countries in USD https://remittancesbycountry.site/country/united_states
Getting communications right is hard. Language is a foundational component. WordNet sometimes helps. https://en-word.net/ and https://github.com/globalwordnet/english-wordnet
Sometimes historical context matters when choosing a given term. Merriam-Webster hosts a neat tool that identifies when given words were first used. Look up any year to find out. From Merriam-Webster, https://www.merriam-webster.com/dictionary/ad%20hominem. Accessed 24 Oct. 2022
Webster’s 1913 Unabridged Dictionary at Project Gutenberg https://www.gutenberg.org/ebooks/29765
International Building Code, 2012, Second Printing. https://codes.iccsafe.org/content/IBC2012P12/chapter-1-scope-and-administration
ISO Country List https://www.iso.org/obp/ui/#search
Script that extracts character names from a text file and performs analysis of text sentences containing the names. https://github.com/emdaniels/character-extraction
The definitive list of lists (of lists) curated on GitHub https://github.com/jnv/lists
Mobile App Pentesting Cheetsheet https://github.com/tanprathan/MobileApp-Pentest-Cheatsheet/blob/master/README.md
Free Programming Books https://github.com/vhf/free-programming-books/blob/master/free-programming-books.md
More Free Programming Books https://github.com/EbookFoundation/free-programming-books/blob/master/free-programming-books.md
Tool by Tool, Skill by Skill. By Simon St.Laurent http://chimera.labs.oreilly.com/books/1234000000882/index.html Especially Appendix B. Sharpening and Maintenance Basics. http://chimera.labs.oreilly.com/books/1234000000882/apb.html
Awesome Selfhosted. This is a list of Free Software network services and web applications which can be hosted locally. https://github.com/awesome-selfhosted/awesome-selfhosted
Awesome SysAdmin. A list of open source sysadmin resources. https://github.com/kahun/awesome-sysadmin
Awesome Data Science. A repository of resources to learn and apply for real world problems. https://github.com/okulbilisim/awesome-datascience
- And data from OurWorldInData for your experiments: https://github.com/owid/owid-datasets/tree/master/datasets
- Registry of Open Data on AWS https://registry.opendata.aws/
- 487+ Free Open Datasets from AWS: https://aws.amazon.com/marketplace…
Awesome R https://github.com/qinwf/awesome-R and https://awesome-r.com/
Managing risk in the context of a long time-horizon.
- See the “Global Risks 2014 - Ninth Edition” Insight Report from the World Economic Forum. http://www3.weforum.org/docs/WEF_GlobalRisks_Report_2014.pdf Especially part 2, pages 38-49. It is a short read on risks associated with – among other topics – the way the Internet is evolving, risks associated with “trust,” and “managing risk” in the context of a long time-horizon.
- Also: “Global Risks 2015 - Tenth Edition” http://www3.weforum.org/docs/WEF_Global_Risks_2015_Report15.pdf
- And more recently: “Global Risks 2016 - Eleventh Edition” http://www3.weforum.org/docs/GRR/WEF_GRR16.pdf
- And 2017: “Global Risks 2017 – 12th Edition” http://www3.weforum.org/docs/GRR17_Report_web.pdf
- And 2018: “The Global Risks Report 2018 - 13th Edition” http://www3.weforum.org/docs/WEF_GRR18_Report.pdf
- And 2019: “The Global Risks Report 2019 - 14th Edition” http://www3.weforum.org/docs/WEF_Global_Risks_Report_2019.pdf
- And 2020: “The Global Risks Report 2020 - 20th Edition” http://www3.weforum.org/docs/WEF_Global_Risk_Report_2020.pdf or https://reports.weforum.org/global-risks-report-2020/
- And 2021: “The Global Risks Report 2021 - 21st Edition”http://www3.weforum.org/docs/WEF_The_Global_Risks_Report_2021.pdf or https://www.weforum.org/publications/the-global-risks-report-2021/
- And 2022: “The Global Risks Report 2022 - 22nd Edition” http://www3.weforum.org/docs/WEF_The_Global_Risks_Report_2022.pdf or https://www.weforum.org/publications/the-global-risks-report-2022/
- And 2023: “The Global Risks Report 2023 - 23rd Edition” http://www3.weforum.org/docs/WEF_The_Global_Risks_Report_2023.pdf or https://www.weforum.org/publications/the-global-risks-report-2023/
- And most recently: “The Global Risks Report 2024 - 24th Edition” https://www3.weforum.org/docs/WEF_The_Global_Risks_Report_2024.pdf or https://www.weforum.org/publications/global-risks-report-2024/
A definitive list of tools for generating static websites https://github.com/pinceladasdaweb/Static-Site-Generators
The definitive list of newsletters to keep up to date on various web development technologies https://github.com/pinceladasdaweb/Upgrade-your-brain
hack-font for your development environment https://www.npmjs.com/package/hack-font
Big list of HTTP media types https://www.iana.org/assignments/media-types/media-types.xhtml
Open source, free textbooks: https://ocw.mit.edu/courses/online-textbooks/ and https://openstax.org/
WhitePages: https://www.therealyellowpages.com/Des-Moines-Regional-IA-2021/1/
and something completely different https://ir.uiowa.edu/annals-of-iowa/
The real cost of a car https://www.carboncounter.com/#!/explore
My favorite essay on bitcoin https://www.nytimes.com/2021/06/14/opinion/bitcoin-cryptocurrency-flaws.html
Architecture Patterns with Python, Enabling Test-Driven Development, Domain-Driven Design, and Event-Driven Microservices. (A Book about Pythonic Application Architecture Patterns for Managing Complexity.) By Harry Percival, Bob Gregory https://github.com/cosmicpython/book and http://shop.oreilly.com/product/0636920254638.do
An excellent first lesson on “Dockerizing FastAPI with Postgres, Uvicorn, and Traefik (and LetsEncript)” By Amal Shaji, 2021-05-04. https://testdriven.io/blog/fastapi-docker-traefik/

Projects associated with Novel Corona Virus - COVID-19

See: https://github.com/mccright/rand-notes/blob/master/Novel-Corona-Virus-COVID-19.md

cowyo is a self-contained wiki server that makes jotting notes - simple, easy and fast, but crude and it feels a little unfinished https://github.com/schollz/cowyo
Linx is a more full featured pastbin-like platform https://github.com/ZizzyDizzyMC/linx-server/

Broadly Reusable Advice

The world is brimming with uncertainties. If you don’t have a will, create one (do it now – you can always morph it later as needed). Under many circumstances you can start here for free: https://www.freewill.com/ (there are other systems that will help you prepare a basic will for free)
“One reason people insist that you use the proper channels to change things is because they have control of the proper channels and they’re confident it won’t work.” https://twitter.com/joncstone/status/1269961630940631041
On Being Fired https://third-bit.com/rules/#being-fired
Ten quick tips for delivering programming lessons https://journals.plos.org/ploscompbiol/article?id=10.1371/journal.pcbi.1007433
Ten quick tips for teaching programming https://journals.plos.org/ploscompbiol/article?id=10.1371/journal.pcbi.1006023
Jesse Duffield’s “Stuff I would tell my younger self” https://github.com/jesseduffield/wisdom/wiki
A Thesaurus of Job Titles to help “Improve the information flowing between recruiters and job seekers. Improve how recruiters and job seekers create job postings and resumes/online profiles. Improve how recruiters and job seekers search for candidates and jobs” https://github.com/johnpcarty/Thesaurus-of-Job-Titles
Ten simple rules for making research software more robust https://journals.plos.org/ploscompbiol/article?id=10.1371/journal.pcbi.1005412
You have the right to film police. Here’s how to do it effectively — and safely https://www.washingtonpost.com/technology/2021/04/22/how-to-film-police-smartphone/ and why it is important to do so https://www.washingtonpost.com/business/technology/a-cop-fires-a-teen-dies-yet-six-police-body-cameras-somehow-miss-what-happens
“Companies are hoarding personal data about you. Here’s how to get them to delete it.” https://www.washingtonpost.com/technology/2021/09/26/ask-company-delete-personal-data/
“The three fundamental Rules of Robotics”

One, a robot may not injure a human being, or, through inaction, allow a human being to come to harm. Two, a robot must obey the orders given it by human beings except where such orders would conflict with the First Law. Three, a robot must protect its own existence as long as such protection does not conflict with the First or Second Laws. [Isaac Asimov introduced these in his 1942 short story “Runaround” (included in the 1950 collection I, Robot) https://en.wikipedia.org/wiki/Three_Laws_of_Robotics]