cron.weekly issue #103: pack, SSLStrip, gping, Kubernetes, Vagrant, MySQL, SSH & more
October 29, 2017 - Mattias Geniar
Welcome to cron.weekly issue #103 for Sunday, October 29th, 2017.
This issue is especially heavy in the tools & guides section, a little less news this time. Oh, and Ask cron.weekly is back! And there are videos! And cats!
OK, no cats – but the rest is true. Go to your local bakery (tell’m cron.weekly sent you), buy a croissant, grab a coffee & sit back and relax.
This post gives a very good basic intro to SSL/TLS in HTTPS, how “SSL Stripping” works (a better name would be “SSL preventing”, but it isn’t as catchy I suppose) and how solutions like HSTS prevent it. In short: a man-in-the-middle keeps the victim’s side of the connection on plain HTTP while talking HTTPS to the real site, so the browser never shows a certificate warning; HSTS makes the browser refuse plain HTTP for that host before the first request even leaves the machine.
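An added example of my own (not code from the linked post) that models both halves of the story: the attacker’s rewrite of https:// links to http://, and the HSTS cache a browser keeps so that the downgrade never gets a chance. Hostnames, header values and the HTML snippet are constructed for illustration.

```python
"""Added example, not code from the linked post: a toy model of what an
SSL-stripping proxy does to a page, and of the HSTS cache that makes a browser
refuse the downgrade. Hostnames, header values and HTML are constructed."""
import re
from dataclasses import dataclass, field

HTTPS_LINK = re.compile(r"https://", re.IGNORECASE)


def strip_tls_links(html: str) -> str:
    """The attacker's half: a MITM relaying a plain-HTTP page rewrites every
    https:// link to http://, so the victim's browser never starts TLS and
    the attacker keeps reading (and modifying) the traffic."""
    return HTTPS_LINK.sub("http://", html)


def parse_hsts(header_value: str) -> dict:
    """Parse a Strict-Transport-Security header value (RFC 6797 syntax).
    Returns {'max_age': int, 'include_subdomains': bool}, or {} if the
    mandatory max-age directive is missing or malformed."""
    policy = {}
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return {}
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    if "max_age" not in policy:
        return {}
    policy.setdefault("include_subdomains", False)
    return policy


@dataclass
class HstsClient:
    """A browser's HSTS cache reduced to its essentials: host -> includeSubDomains."""
    known_hosts: dict = field(default_factory=dict)

    def remember(self, host: str, headers: dict, over_tls: bool) -> None:
        # RFC 6797: the header is only honoured on responses received over TLS,
        # otherwise the same MITM could plant or clear policies at will.
        raw = headers.get("strict-transport-security")
        if not over_tls or raw is None:
            return
        policy = parse_hsts(raw)
        if not policy:
            return
        if policy["max_age"] == 0:
            self.known_hosts.pop(host.lower(), None)  # max-age=0 clears the policy
        else:
            self.known_hosts[host.lower()] = policy["include_subdomains"]

    def is_known(self, host: str) -> bool:
        host = host.lower()
        if host in self.known_hosts:
            return True
        labels = host.split(".")
        # A parent domain's policy covers us only if it set includeSubDomains.
        return any(self.known_hosts.get(".".join(labels[i:])) for i in range(1, len(labels)))

    def navigate(self, url: str) -> str:
        """Return the URL the client will actually fetch. An http:// URL to a
        known host is rewritten to https:// before any request leaves the
        machine, which is exactly the request a stripping attacker needed to
        see in the clear. URLs with an explicit port are left alone here."""
        scheme, _, rest = url.partition("://")
        host = rest.split("/", 1)[0]
        if scheme.lower() == "http" and ":" not in host and self.is_known(host):
            return "https://" + rest
        return url
```

The gap the model also shows: the cache only fills after one response has been seen over TLS, so the very first visit to a site is still strippable. That first-visit window is what browser preload lists close.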
A trip down memory lane with the history of xz/tar/gzip/… all the way back to ‘pack’, and it goes on to explain the benefits & drawbacks of pack. Did you know it can’t compress a file that only contains a single repeated character, like ‘aaaa’? Fascinating!
Here’s a weekly newsletter that digests last week’s infosecurity news into a shortlist of useful articles. It reports on events like new large-scale attacks, exploits, new security features and just interesting infosec articles. (Sponsored)
Tools & Projects
Go from a global view of your infrastructure to inspecting an individual request trace, all in one developer-friendly platform. Start a free 14-day trial. (Sponsored)
A linting tool for the web: sonar analyzes your code for a wide range of issues, including coding errors, performance, accessibility, security, Progressive Web Apps (PWA) and interoperability. It can be used as a command line tool or via an online version.
A game of roulette: any time you type any remotely incorrect command, the interpreter creatively resolves it into rm -rf / and wipes your hard drive. How long can you last?
A buddy for babies. Helps caregivers track sleep, feedings, diaper changes, and tummy time to learn about and predict baby’s needs without (as much) guess work.
Pretty sure I covered this one already, but worth repeating: HTTPie is a modern command line HTTP client – user-friendly curl alternative with intuitive UI, JSON support, syntax highlighting, wget-like downloads, extensions, etc.
Gping is like regular ping, but with a graph.
pingfs is a filesystem where the data is stored only in the Internet itself, as ICMP Echo packets (pings) travelling from you to remote servers and back again.
riot is a full text search engine, written in Go.
PyRexecd is a standalone SSH server for Windows, written in Python.
nuclio — “Serverless” for Real-Time Events and Data Processing.
This is a C language Postgres extension that provides Bitcoin blockchain functionality.
Guides & Tutorials
GoCD is a continuous delivery tool specializing in advanced workflow modeling and dependency management. It lets you track a change from commit to deploy at a glance, providing superior visibility into your workflow. It’s open source, free to use and download. (Sponsored)
Lots of clever tips in this post if you ever want to look at 10GE NICs and identify bad DNS traffic: there are a lot of things to keep in mind when working at such bandwidth scales.
Tips on CPU & memory limitations, running multiple versions, snapshots, persistent storage, … when using Vagrant to manage your virtual machines.
This seems to cover all the essentials with ready-to-use CLI snippets: service discovery, health checks, pods, deploying, …
Some more fuzzy matching fun: fzf is a command line tool that allows you to interactively filter its input using fuzzy searching. fd sends the paths of files in a directory tree to standard output. Together, you can use fzf and fd to quickly find files and change directories.
This post introduces “systemtap”, which lets you attach probes to kernel functions and hook in additional logic of your own at those points. Not sure where I’d use it, but if you ever want to wreck your kernel, this seems like a fun way to do it!
Another good one for performing point-in-time restores of a MySQL database, using clever MySQL replication & binary logs.
The concept of a “Merkle Tree” is everywhere, from bitcoin to IPFS to failover & quorum resolution. This post gives an easy-to-understand intro to help you get familiar with the concept.
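As an added example (my own code, not from the linked post), here is a small Merkle tree with inclusion proofs, written with the two details you want in a security-sensitive protocol: domain separation between leaf and node hashes, and no self-pairing of an odd trailing node. The transaction-like leaves are constructed sample data.

```python
"""Added example, not code from the linked post: a small Merkle tree with
inclusion proofs, written the way you would want one in a security-sensitive
protocol. The transaction-like leaves are constructed sample data."""
import hashlib

# Domain separation: leaves and internal nodes are hashed with different
# prefixes, so an attacker cannot present an internal node's two children as
# a "leaf" and prove membership of data that was never in the tree.
LEAF_PREFIX = b"\x00"
NODE_PREFIX = b"\x01"


def hash_leaf(data: bytes) -> bytes:
    return hashlib.sha256(LEAF_PREFIX + data).digest()


def hash_node(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(NODE_PREFIX + left + right).digest()


def _next_level(level: list) -> list:
    """Pair up adjacent nodes. An unpaired last node is carried up unchanged
    rather than hashed with a copy of itself, so a list that ends in a
    duplicated leaf cannot share a root with the list without the duplicate."""
    nxt = [hash_node(level[i], level[i + 1]) for i in range(0, len(level) - 1, 2)]
    if len(level) % 2 == 1:
        nxt.append(level[-1])
    return nxt


def merkle_root(leaves: list) -> bytes:
    if not leaves:
        raise ValueError("empty tree has no root")
    level = [hash_leaf(leaf) for leaf in leaves]
    while len(level) > 1:
        level = _next_level(level)
    return level[0]


def merkle_proof(leaves: list, index: int) -> list:
    """Audit path for leaves[index]: a list of (sibling_hash, sibling_is_left)
    from the leaf up to the root. It is O(log n) long, which is the whole
    point: a light client verifies membership without seeing the other leaves."""
    if not 0 <= index < len(leaves):
        raise IndexError(index)
    level = [hash_leaf(leaf) for leaf in leaves]
    proof = []
    while len(level) > 1:
        sibling = index ^ 1  # partner in the pair: index-1 or index+1
        if sibling < len(level):
            proof.append((level[sibling], sibling < index))
        # else: odd node at the end of the level, promoted without a sibling
        level = _next_level(level)
        index //= 2
    return proof


def verify_proof(root: bytes, data: bytes, proof: list) -> bool:
    """Recompute the root from the claimed leaf and its audit path."""
    h = hash_leaf(data)
    for sibling, sibling_is_left in proof:
        h = hash_node(sibling, h) if sibling_is_left else hash_node(h, sibling)
    return h == root
```

A verifier only needs the root (obtained through some trusted channel, e.g. a block header), the leaf it cares about and the audit path; everything else about the tree stays opaque to it.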
Did you know that when you’re using OpenSSH from the command line you have a variety of escape sequences available to you? SSH somewhere, then type “~” and “?” (tilde, then question mark) to see all the options. The tilde is only recognised right after a newline, so press Enter first if nothing happens; “~.” is the one to remember for killing a session whose remote end has hung.
If you read the URL, the original title was “the sad state of Linux socket balancing”. It’s a solid intro into different load balancing mechanics & their pros & cons.
A practical guide on securing your own server with Let’s Encrypt certificates using Nginx.
Ask cron.weekly
Right, we have a forum! It’s died a bit with little to no posts, but once in a while a good question arrives. So remember: if you’re stuck with something, it can wait a week for a newsletter appearance & there’s no one else left to ask, ask the cron.weekly readers!
I’m a sysadmin and I’m evaluating whether I should study AWS, GCP or OpenStack for my future career’s cloud needs. I would like to study OpenStack client use for public cloud, but I don’t want to waste my time on a technology that could be dropped for my purpose. What should I do?
Videos
Many of the DEF CON 25 security conference videos are starting to appear online, from crypto to drone hacking to FOSS tools.
“systemd at facebook, a year later”: I haven’t seen this video yet, but it’s an interesting topic from one of the giants. Hoping to get a lot of lessons learned out of this.
Another video from CCC, offering an intro to cgroups, what’s the difference between v1 and v2, the new features & what’s planned ahead.