<p>Stanislav Mekhonoshin, http://cspub.net/feed.xml, 2023-03-28T18:08:35+00:00</p>
<h1>HTB Antique machine review</h1>
<p>2023-03-28T18:04:00+00:00, http://cspub.net/2023/03/28/htb-antique-machine-review</p>
<p>Another easy machine. After a long break from CTFs I prefer to warm up with the easiest machines. It helps me get back into an offensive mindset and refresh my tooling and shortcuts.</p>
<p>Antique is just another x86 box that mimics an HP JetDirect printer.
As usual, it all starts with good enumeration; don’t forget that UDP exists ;)
Some quick googling for default printer creds should lead you to SNMP data exposure.
A reverse shell, and the user flag is in front of you.</p>
<p>Privesc took a bit more time, and I completely overlooked the intended way.
Eventually I just used an exploit for CVE-2021-4034 because linpeas reported that the machine was vulnerable. But later, when reviewing the official walkthrough, I realized that I hadn’t checked the CUPS daemon running on the machine.</p>
<p>The intended way is much more interesting, because it involves tunnelling in order to access the CUPS admin interface, which is running on localhost. Unfortunately it doesn’t provide a way to get a root shell, just an arbitrary file read as root. So my unintended way of privesc was even more effective, because I got the root shell.</p>
<p>Anyway, I enjoyed this box and it did a good job for me. Refreshing my skills and knowledge feels damn good!</p>
<h1>HTB Squashed machine review</h1>
<p>2023-03-28T18:00:00+00:00, http://cspub.net/2023/03/28/htb-squashed-machine-tips</p>
<p>This post starts a series of reviews of machines available at HackTheBox.</p>
<p>Even though I hadn’t approached HTB for a long time, I managed to hack it without looking at walkthroughs. A nice and easy machine.</p>
<p>The foothold is straightforward. Just run nmap and it will point you to the service that has almost zero security controls. If you don’t remember how to enumerate it, then <a href="https://book.hacktricks.xyz/welcome/readme">HackTricks</a> has everything you need. Enumerate, poke both endpoints and see what you can do with it. The rest is standard, reverse shell and you have the user!</p>
<p>At the privesc stage I almost went down a rabbit hole, but thanks to a gut feeling I stopped digging deeper. Also, retired HTB machines now have some kind of tags on the machine information tab. Not sure if that is something common, but in this specific case one keyword caught my attention. I went through the enumeration process one more time and spotted an unusual file in the user’s directory.</p>
<p>Thanks to a good old article on Linux hacking that explained the unfamiliar concepts and led me in the right direction: https://www.hackinglinuxexposed.com/articles/20040513.html.
I found the rest of the clues, again, on the HackTricks website.</p>
<p>XWD to the rescue! Rooted!</p>
<h1>Building Linux From Scratch on Raspberry Pi 1</h1>
<p>2023-03-22T15:53:00+00:00, http://cspub.net/2023/03/22/building-lfs-on-raspberry-pi</p>
<h3 id="what-is-lfs">What is LFS?</h3>
<p>The Linux world is huge. There are hundreds, maybe even thousands of distros available on the internet. For a long time I enjoyed trying new distros and learning something new every time.
But LFS always seemed to be a complex and time-consuming experience, something that requires non-trivial skills. Because of that it has been on my learning to-do list for a long time.</p>
<p>If you are not familiar with it, LFS is not a real distro. In reality it is just a cookbook that describes the process of building your own distro step by step. The sweet part is that you don’t use any prepared packages, but build everything from the sources. Sounds similar to Gentoo, right? But LFS goes further: it does not provide you with a package manager like Gentoo does. You have to download a vanilla tar.gz archive from the developer’s website for each tool that you will install. If the package needs some security patch, you again apply it manually.</p>
<p>And then the magic happens: <strong>./configure && make && make install</strong></p>
<h3 id="lfs-flavors">LFS flavors</h3>
<p>If you visit the LFS website, you will also discover that BLFS and ALFS exist. The idea is that after building LFS you get a very basic Linux system, something like Debian minimal but much simpler. So no UI, just the bare minimum of CLI tools.</p>
<p>For those brave souls who wish to build a feature-rich system, the <a href="https://www.linuxfromscratch.org/blfs/view/stable/">BLFS (Beyond LFS)</a> project exists. It aims to add UI and a bunch of essential software.</p>
<p>Another use case for LFS is building a minimal, purpose-driven distro for embedded systems. Developers of such systems need automation that allows them to get reproducible builds without human intervention. So the <a href="https://www.linuxfromscratch.org/alfs/">ALFS</a> project solves this problem by providing the tooling for continuous building.</p>
<h3 id="pilfs">PiLFS</h3>
<p>To have more fun I chose the PiLFS project instead of vanilla LFS. The main difference is that PiLFS is oriented towards Raspberry Pi ARM boards, so it requires some extra tricks and tweaks to make it work. I grabbed my old 1st generation Raspberry Pi and started reading the LFS book in parallel with the PiLFS website.</p>
<p>Luckily there are not that many differences between LFS and PiLFS; most of the time I followed the original LFS book and just had to make minor adjustments for PiLFS.</p>
<h3 id="the-plan">The plan</h3>
<p>At this point you are probably curious what the build process looks like. I don’t want to repeat the contents of the LFS book, so I will just share a short and rough plan of the whole process for those who are curious.</p>
<ul>
<li>Preparing for the build
<ul>
<li>Making partition</li>
<li>Downloading packages</li>
<li>Compiling tools</li>
</ul>
</li>
<li>Building LFS toolchain and temporary tools</li>
<li>Switching to chroot environment</li>
<li>Building the system
<ul>
<li>Installing packages</li>
<li>Setting up boot scripts</li>
<li>Compiling kernel</li>
</ul>
</li>
</ul>
<p>In order for this plan to be executed you need to satisfy several prerequisites. First of all you need a working Linux system that has a set of required build tools. This system should run on the same architecture as your future LFS system. In my case I used a <a href="https://intestinate.com/pilfs/">base system</a> from PiLFS that has all the build tools and runs on ARM boards. But generally any Linux distro with some extra packages would work for this purpose.</p>
<p>The whole process starts with creating a separate partition on your disk and mounting it on the host system. You download all required sources there. All the work will happen on that partition, so it’s always worth having a backup.
Then you start building a temporary toolkit on your host system. That toolkit will be used for building the final system itself.
When you are done with the first phase of compilation, you switch into a chroot environment from the host system and finalize the build there.
As a result you have a full Linux system placed on the separate partition, and it becomes just a matter of changing the boot process to start your new system.</p>
<h3 id="my-experience">My experience</h3>
<p>First of all I have to admit that picking Raspberry Pi 1 was a brave decision, taking into account its CPU power. It took around 300+ hours to compile the system.</p>
<p>Secondly, following the PiLFS way wasn’t an absolutely smooth process. Unfortunately some ARM-specific packages and patches were not available or had moved to other locations on developer websites. So it took a while to figure out where to get the required archives.</p>
<p>Thirdly, PiLFS offers a couple of scripts that automate the routine of compiling packages. Basically the installation of any package involves the following steps:</p>
<ol>
<li>Extract the archive</li>
<li>Apply patches if needed</li>
<li>Run ./configure</li>
<li>Run make</li>
<li>Run make install</li>
</ol>
<p>There are tens or even hundreds of such packages required for LFS, so the PiLFS scripts simplified the process significantly. Without them it would have taken much more of my time to build everything, because I would have had to perform those routine operations for every package manually. But don’t treat it as cheating! There is plenty of manual work that is more important for the learning process and not automated at all.</p>
<p>Together with reading the book, writing notes and reading extra materials it took a bit more than one month to finally complete the system. I intentionally didn’t hurry with the process and tried to read and learn as much as I could.</p>
<h3 id="the-main-benefit">The main benefit</h3>
<p>So, you might ask, was it worth it? Why should someone spend tens or hundreds of hours on building just another Linux distro? Where is the payback?</p>
<p>From my perspective, experience and knowledge are the major benefit that LFS brings to most engineers. Unless your work project requires a custom distro, the only purpose of building LFS is the invaluable learning process. It is possible to build an LFS in speed run mode, by just copying and pasting the commands from the book in order to get the final system as soon as possible. But it should not be your goal if you are eager to get the most from the process. The final system is extremely simple, has the most basic functionality and no practical use cases. I personally booted the final system just once, to make sure that it works.</p>
<p>On the other hand, while you go through the book you will most probably read about multiple different concepts that are unfamiliar to you. I encourage everyone to spend time reading all those extra materials and making notes in the meantime. Many thanks to the book authors who added lots of links to other reading materials. They are not a part of the book and can be easily skipped, though that’s where most of the value is hidden.</p>
<ul>
<li>Most probably you have heard about the <a href="https://pubs.opengroup.org/onlinepubs/9699919799/">POSIX</a> standard, but have you wondered what is included there? Have you ever read the specification document itself?</li>
<li>Or do you know why the <a href="https://refspecs.linuxfoundation.org/FHS_3.0/fhs/index.html">Linux filesystem</a> has the structure that it has? What is the conceptual difference between the <em>/bin</em> and <em>/sbin</em> folders?</li>
<li>What is the difference between interactive and non-interactive, login/non-login bash shells?</li>
</ul>
<p>These are just sample questions that can pop up during the build process. That knowledge is not strictly required for the LFS process, but those are fundamental concepts that many of us are not aware of. Just think about it: in the recent decade cloud became a thing, old-fashioned SysAdmins were replaced by DevOps, but Linux is still the same fundamental layer that runs most of the modern internet. Investing in fundamental knowledge and skills is probably the best thing you can do with your free time.</p>
<p>I personally learned a lot, but I also collected a huge list of topics where I have gaps in my knowledge. So crossing one item off the learning list brought a dozen others.</p>
<p><em>“The more you know, the more you realize you don’t know.”</em> - LFS once again confirms that it is true.</p>
<h1>SMB security program checklist</h1>
<p>2023-03-14T21:00:00+00:00, http://cspub.net/2023/03/14/smb-saas-security-checklist</p>
<p>For most of my career, I’ve been working on public web applications. Even when I switched to the security domain the type of the companies remained the same.
Imagine a SaaS company that develops its custom software, runs it in the cloud, and operates fully remotely. That’s where most of my experience is.</p>
<p>Usually, such startups don’t care much about security, at least in the early and mid stages. They have little or no dedicated security staff and just rely on developers’ experience and common sense. Such an approach can work fine for a while, but eventually, the technical debt has to be paid.
When the company grows, new people join and new teams emerge, it becomes hard to rely on common sense. The more codebase and infrastructure changes happen, the harder it is to be aware of the potential risks that they bring.</p>
<p>But the security scope is not limited to application and infrastructure code. A lot of issues reside in the way companies perform their day-to-day operations. This area of security may sound like bureaucracy, but it is an inevitable evil if you want to protect the business.</p>
<p>So instead of patching random findings here and there, it is much better to have a structured plan. This plan is called a Security Program.</p>
<h2 id="when-security-program-is-important">When is a security program important?</h2>
<ul>
<li>To work with enterprise customers. Such clients usually take security seriously and tend to assess and request certifications from their service providers.</li>
<li>If the company processes some sensitive medical or financial data.</li>
<li>In case of any confirmed data breach or other security incidents. The importance of security becomes clear when it is too late.</li>
</ul>
<h2 id="cybersecurity-frameworks">Cybersecurity frameworks</h2>
<p>To define the structure of the security program there are multiple different cybersecurity frameworks: e.g. NIST, CIS, ISO 27001/27002, SOC2, HIPAA, and others.
They are usually complex, broad in scope, and can take a lot of resources for full adoption. Though they all share the same goal: to provide standards, guidelines, and best practices to manage risks in a digital world.</p>
<p>If you plan to pass some security audits and get certification then it is worth getting familiar with the framework of your choice. But if your intention is just to make the first steps in the implementation of a security program, then probably the better idea is to stick to some generic security checklist and avoid spending your limited resources on an overwhelming framework implementation.</p>
<h2 id="smb-security-checklist">SMB security checklist</h2>
<p>For those who are looking for a SaaS company security checklist, here is my choice of action items that you should focus on before diving into any cybersecurity framework. It is not an exhaustive list, some items can be missing, so the post will be continuously updated.</p>
<p>Each of these items deserves a separate blog post, so subscribe to my <a href="https://www.linkedin.com/in/stanislav-mekhonoshin-b3088953/">LinkedIn</a> or <a href="https://twitter.com/stasik_mexx">Twitter</a> to get updates ;)</p>
<ul>
<li>Services inventory</li>
<li>Secrets inventory</li>
<li>Access Matrix</li>
<li>Offboarding checklist</li>
<li>WAF for public endpoints</li>
<li>Network segregation</li>
<li>VPN solution</li>
<li>Centralized logging</li>
<li>SIEM</li>
<li>SAST toolkit</li>
<li>Supply chain management</li>
<li>Vulnerability scanning</li>
<li>Password manager/Disk encryption/Screen locks/AV on workstations</li>
<li>Security awareness training</li>
<li>Annual pentest</li>
<li>Risk assessment</li>
<li>Quarterly security audit</li>
<li>Bug bounty program</li>
<li>Security Champions program</li>
</ul>
<h1>Developer to Security Engineer career pivot</h1>
<p>2023-03-04T18:32:00+00:00, http://cspub.net/2023/03/04/career-switches</p>
<p>As I described in the <a href="https://cspub.net/2023/02/28/smartvpn.html">previous post</a>, some events might have a powerful influence on our lives and careers.
And today I’d like to share the experience of a major pivot in my IT career. Probably it is one of the most significant points throughout those 14 years.</p>
<p>The first major event happened when I initially switched from System Engineer to Software Developer. Both times I just followed my gut feeling and curiosity.
My first paid job in IT was a System Engineer role at the <a href="https://www.cs.vsu.ru/">university where I studied</a>. It involved the management of multiple web, file, and gateway servers running on Linux. I also had to deal with some network equipment, which were HP L2 and L3 devices. Close to the graduation date I got interested in programming and Ruby specifically. So I have never really lost my interest in Linux and system administration, but rather strongly focused on software development for multiple years.
Many thanks to <a href="https://evrone.com">evrone.com</a> who took me on board and provided a lot of opportunities to learn.</p>
<p>From 2010, for almost 10 years, I worked as a Software Engineer. It was mostly backend development with the Ruby programming language.
At some point, I felt that I could do more than just regular programming. I started extending and diversifying my skill set, so I also studied for and passed an exam for the <a href="https://www.scrumalliance.org/community/profile/smekhonosh">Certified Scrum Master</a> title.
This knowledge was very useful for my job at <a href="https://toptal.com">Toptal.com</a>, where I had an opportunity to coach and train development teams to adopt Scrum company-wide.
In the meantime, I was also coaching junior engineers in programming Ruby and software development in general at <a href="https://mkdev.me/en/mentors/Mehonoshin">mkdev</a>.</p>
<p>Several years later I felt bored again. Even though I enjoyed improving development processes in the company, I still loved programming, so I had some concerns about switching to the pure leadership ladder which was available in the company. I felt that I wanted to stay close to the implementation details, and get my hands dirty from time to time. Overall I was concerned about my hard skills; I didn’t want to completely forget how to program and do engineering management instead. And at some point, I accidentally learned about <a href="https://hackthebox.com">HackTheBox</a>. No idea why I was not aware of the existence of CTFs before.</p>
<p>That moment completely changed my life. I fell in love with CTFs and spent the next year working on boxes there. With all my programming and sysadmin experience I got endless opportunities to learn about different vulnerabilities and attack techniques. I passed through around 100 retired machines on HTB and then switched to <a href="https://www.credly.com/badges/924302ad-99cf-4aaf-9d68-a317c4444f96/public_url">Offensive Security OSCP exam</a> preparation. In addition to the OSCP course material and lab, I also passed most of the machines available at that moment on OffSec’s <a href="https://www.offsec.com/labs/">Proving Grounds</a>.
At the same time, I switched my work position to Security Engineer within the same company. Many thanks to the <a href="https://www.toptal.com/">Toptal</a> team for that opportunity.</p>
<p>All those events led me to a completely new work approach. I don’t write much code these days, though I still read it a lot. Even though I’ve started my security journey from the offensive side, I mostly focus on the defense. My goal is to improve company work processes to make them safer, introduce security in developers’ minds and align with different security audits. At Toptal our team used to be called SecOps, at Hubstaff I lead the DevSecOps team. But in both cases, I had to deal with a broad variety of activities, from reviewing application code to dealing with external security auditors. Technology-wise every new day brings new challenges that I enjoy so much!</p>
<p>In summary, I’d like to encourage everyone to listen to their gut feeling and not be afraid to change their professional focus. The IT industry is huge and gives you endless opportunities in different domains.
Whatever you had been doing before, try to leverage your experience for the greater good. Everyone deserves a job that brings joy, and you can make it happen.</p>
<h1>SmartVPN - the power of pet projects</h1>
<p>2023-02-28T18:56:00+00:00, http://cspub.net/2023/02/28/smartvpn</p>
<p>Almost ten years ago I unintentionally started my own small business. It was a VPN service, the same as many others on the market.</p>
<p>Back in those days I used to run my personal OpenVPN server on <a href="https://m.do.co/c/b2b97fca2fc1">DigitalOcean</a>, and my friends were constantly asking for new accounts.
It was pretty annoying to generate configuration files for everyone, so I decided to check if it’s possible to manage OpenVPN users automatically. This way I <a href="https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/">learned</a> that the OpenVPN server is able to run shell commands on specific events, for example when the user authenticates, connects or disconnects.
My first thought was, what if OpenVPN runs some script that checks if the credentials are valid? And the first proof of concept worked that way for some time.</p>
<p>But when you have the power to run scripts, you can go as far as your imagination takes you, right?
That’s how the idea of building OpenVPN billing software came to my mind.</p>
<p>In those days I was working as a backend Ruby developer at <a href="https://evrone.com/">Evrone.com</a>. It was a great job where I learned a lot, but I already had a fear of missing out. There were so many different technologies and approaches that I didn’t have a chance to use on my work project. So I decided to fill those gaps with my pet project.</p>
<p>Eventually I built an OpenVPN server wrapper and a compatible billing web application for a VPN service. I ran that service for a couple of years, though I treated it as a pet project with real users. But what was more important, I learned a lot working on it.
Whenever I wanted to learn some new technology, I used it in my project. Golang, ZeroMq, Chef, Vagrant, whatever. I had the power to bring any technology to the project and play with it.
Such flexibility in the technology stack made it very different from my daily job, which brought me real money.
I still strongly believe that most of my technical growth in those days came from the experience that I got working on SmartVPN.</p>
<p>In the end, when I changed my job, I decided to shut down the project. I was too busy with new responsibilities and had no more time to support it, so eventually I lost any interest in the project.
But shutting it down silently seemed too boring, so I decided to open-source the platform, so that anyone can learn how it worked and use it for their good. That’s how <a href="https://github.com/Mehonoshin/smartvpn-billing">Mehonoshin/smartvpn-billing</a> was born.</p>
<p>I also posted a couple of articles for a Russian audience where I shared my experience.</p>
<ul>
<li><a href="https://habr.com/ru/post/261295/">Opensourced VPN billing</a></li>
<li><a href="https://habr.com/ru/post/262843/">Why being VPN provider is hard?</a></li>
</ul>
<p>I didn’t imagine that they would get as much attention as they did. I got multiple offers to partner and keep it running, but rejected all of them because I wanted to focus on the new job.
To be honest, today when I look at the VPN market I feel a bit sad. Many different VPNs emerged in the last ten years, but all of the features that they offer were available in my SmartVPN, or at least they were planned in the roadmap.</p>
<p>Funny thing, I still occasionally get emails from people who want to set up SmartVPN on their infra. So later I even made an attempt to wrap everything into Docker and make the setup process as smooth as possible.</p>
<p>Summing up this story, here is what I learned from this project:</p>
<ul>
<li>A pet project is one of the best ways to get new skills</li>
<li>Don’t be shy and share your experience and code</li>
<li>Business skills are important, even if you are just a developer</li>
<li>Some ideas become a thing years later</li>
</ul>
<h1>ScrumAlliance Certification</h1>
<p>2019-05-26T14:22:00+00:00, http://cspub.net/2019/05/26/scrumalliance-certification</p>
<p>I’m happy to announce that I’ve passed an exam for the Certified ScrumMaster title.</p>
<p>If someone is interested you can find my profile at <a href="https://www.scrumalliance.org/community/profile/smekhonosh">ScrumAlliance website</a>.</p>
<p><a href="https://www.scrumalliance.org/community/profile/smekhonosh" target="_blank">
<img src="/assets/images/csm_certificate.png" alt="CSM" />
</a></p>
<h1>2018 recap</h1>
<p>2018-12-31T09:36:00+00:00, http://cspub.net/2018/12/31/2018-recap</p>
<p>Today is the last day of 2018. A good moment to summarize what I’ve been doing during this year.</p>
<p>Most of my activity was on Github, so this image will provide more information than any words:</p>
<p><a href="https://github.com/Mehonoshin" target="_blank">
<img src="/assets/images/github_2018.png" alt="Github" />
</a></p>
<p>Happy New Year, folks!</p>
<h1>Idea: A place where developers and non-profits meet</h1>
<p>2018-10-12T08:44:00+00:00, http://cspub.net/2018/10/12/idea-a-place-where-developers-and-non-profits-meet</p>
<p>If you wonder what I’ve been doing for the last year besides my primary job in Toptal.com, then this post is for you.
Since the beginning of Q2 2018, I’ve been leading the development of <a href="https://givemepoc.org">givemepoc.org</a>.</p>
<p>The idea of this project came to my friend and me when we were discussing the problem that there are a lot of
junior developers who struggle to find a job because they don’t have enough experience and, as a consequence, they can’t pass
interviews in many companies. On the other hand, we believe there are a lot of people who do
not know anything about software development but have great ideas for projects.</p>
<p>Basically, this is the core model of the project. It should connect these two parties and provide useful tools to make the development
more efficient.
As an output, we provide MVPs for proposed ideas, experience for developers or even formed development teams, which can be hired by companies.</p>
<p>The whole project is entirely non-profit, nobody gets a reward for the participation in the project, and the most valuable asset is the experience.</p>
<p>Personally, I was doing a lot of leadership activities in addition to product management work. My primary responsibilities included:</p>
<ul>
<li>planning product roadmap</li>
<li>leading the engineering team</li>
<li>training newcomers</li>
<li>designing technical architecture</li>
<li>adopting Scrum</li>
</ul>
<p>Besides obvious leadership experience, I’ve learned that working with junior-level developers requires a slightly different focus,
since most of them don’t follow the best practices of development that are widely adopted across many engineering teams.
As a result, we collected a pool of ideas for tools that can improve the effectiveness of any team.</p>
<p>For example, we should check the format of git branch names and PRs. If you do it manually, it becomes annoying, since every newcomer does not
pay attention to it. To prevent this routine we can automate this process, so mentors will only pay attention to the implementation of the task,
bypassing bureaucracy checks.</p>
<p>If you are interested in such ideas or even the project in general, then feel free to look at our <a href="https://github.com/howtohireme/give-me-poc/issues?q=is%3Aopen+is%3Aissue+label%3ABots">list</a> of features.</p>
<p>At the moment I put my activity in this project on hold, since we don’t have enough engineers to move it further and doing everything by myself is quite exhausting.</p>
<p>But anyway we welcome any volunteers who might want to help the project.</p>
<h1>Rename entity across Rails project</h1>
<p>2018-08-25T12:59:00+00:00, http://cspub.net/2018/08/25/rename-entity-across-rails-project</p>
<p>Today while working on my open source project <a href="https://github.com/howtohireme/give-me-poc">givemepoc.org</a> I faced a situation,
when I needed to replace <code class="language-plaintext highlighter-rouge">Developer</code> and <code class="language-plaintext highlighter-rouge">developer</code> entity with <code class="language-plaintext highlighter-rouge">Mentor</code> and <code class="language-plaintext highlighter-rouge">mentor</code>
across the whole project.</p>
<p>I use vim for my daily development, and it didn’t have such tools installed. Most probably
RubyMine or some other IDE can offer such functionality, but I decided to follow Unix way
and find some useful command line utility.</p>
<p>After googling, I found two snippets, which can solve my problem.</p>
<ol>
<li>The first one has an excellent explanation in the <a href="https://isaacsukin.com/news/2013/06/command-line-tip-replace-word-all-files-directory">blog</a>.
We need to run it, and it will replace the required keyword across all files.</li>
</ol>
<p>But pay attention to your <code class="language-plaintext highlighter-rouge">.git</code> folder, because you can easily break it, as I did :-D</p>
<p><code class="language-plaintext highlighter-rouge">grep -lr -e "developer" . | xargs sed -i '' -e 's/developer/member/g'</code></p>
<ol start="2">
<li>The second snippet renames your files and directories, since we have just changed the contents of files with the first command.</li>
</ol>
<p><code class="language-plaintext highlighter-rouge">find . -name '*developer*' -exec bash -c 'mv "$0" "${0/developer/member}"' {} \;</code></p>
<p>Of course, these tools do not provide smart refactoring functionality, as most IDEs can.
But they are fast, and such renamings do not happen often; they should not happen at all if you pick suitable names for your entities.</p>
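<p>An added example, not code from the original post: a POSIX shell function that performs both steps above while leaving <code>.git</code> untouched, and that copes with spaces in paths and with a matching directory that contains matching files. The names <code>rename_entity</code> and <code>make_sample_tree</code> and the sample tree are hypothetical; the old and new names are assumed to consist only of letters, digits and underscores.</p>

```shell
#!/bin/sh
# Added example (not from the original post). Assumes OLD and NEW are plain
# identifiers, so they are safe to use inside a sed expression and a glob.

# rename_entity OLD NEW [ROOT]
rename_entity() {
  old=$1; new=$2; root=${3:-.}
  for word in "$old" "$new"; do
    case $word in
      ''|*[!A-Za-z0-9_]*)
        echo "rename_entity: names must be plain identifiers" >&2
        return 2 ;;
    esac
  done

  # Step 1: file contents. -prune keeps find out of .git entirely, so packed
  # refs, config and objects are never rewritten. Paths are handed to the
  # inner shell as arguments, so spaces in names are harmless.
  find "$root" -name .git -prune -o -type f -exec sh -c '
    old=$1; new=$2; shift 2
    for f do
      # -I skips binary files; only files that contain OLD are rewritten
      if grep -Iq -e "$old" "$f"; then
        # -i.bak is accepted by both GNU and BSD sed
        sed -i.bak -e "s/$old/$new/g" "$f" && rm -f "$f.bak"
      fi
    done' sh "$old" "$new" {} +

  # Step 2: names. -depth lists children before their parents, and only the
  # last path component is changed, so a matching directory is renamed after
  # the matching files inside it and no path goes stale.
  find "$root" -depth ! -path "$root" ! -path "*/.git/*" -name "*$old*" -exec sh -c '
    old=$1; new=$2; shift 2
    for p do
      dir=${p%/*}; base=${p##*/}
      target=$dir/$(printf "%s" "$base" | sed "s/$old/$new/g")
      if [ -e "$target" ]; then
        echo "skip (target exists): $p" >&2
      else
        mv -- "$p" "$target"
      fi
    done' sh "$old" "$new" {} +
}

# Constructed sample tree for trying the function out.
make_sample_tree() {
  mkdir -p "$1/app/models" "$1/app/views/developers" "$1/docs" "$1/.git/refs/heads"
  printf 'class Profile\n  belongs_to :developer\nend\n' > "$1/app/models/developer.rb"
  printf '<tr><td>developer</td></tr>\n' > "$1/app/views/developers/developer_row.html"
  printf 'notes about the developer role\n' > "$1/docs/my developer notes.txt"
  printf '[branch "developer-rename"]\n' > "$1/.git/config"
  : > "$1/.git/refs/heads/developer-rename"
}

# Usage: rename_entity developer member .   (run from the project root)
```

<p>The match is case-sensitive, so renaming both <code>Developer</code> and <code>developer</code> takes two calls.</p>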