cron.weekly issue #55: Commix, Trigger Happy, iocage, DNS, systemd-nspawn, ACME & more!
November 20, 2016 - Mattias Geniar
Welcome to cron.weekly issue #55 for Sunday, November 20th, 2016.
Last week was a shorter edition and I even got confused with the versioning – but I’m making that up this week!
Plenty of new security tools and a vulnerable VM you can test them against, lots of open source news, an IFTTT open source alternative, querying JSON via the command line & many more interesting guides.
In the new game Watch Dogs 2, the main character installs a ‘backdoor’ using apt-get and shows the source code. Nerdy!
If you’re running applications in Bash on Windows, Microsoft has issued a warning (with lots of bold red text, so you know they’re serious) not to edit any Linux-related files with Windows applications. Hooray for consistent line-endings.
A new idea that might land in systemd: containers may be integrated into system services, allowing you to further isolate processes from each other.
Lots of follow-up has already been written on this topic, ranging from “this is just PR”, “Microsoft really does support Linux” to “Microsoft actually hates Linux”. I’ll leave the judging up to you. But if anything, it means more money for the Linux Foundation to support more open source projects.
More background info on the recently disclosed vulnerability where pressing ENTER for 70 seconds bypasses disk encryption authentication. As usual, there are more nuances.
More projects are going to be open sourced and the existing ones are going to get more support.
The importance of open source for proving your worth as a developer shouldn’t be underestimated.
Tools & Projects
Commix is an automated tool that web developers, penetration testers and security researchers can use to test web-based applications, with a view to finding bugs, errors or vulnerabilities related to command injection attacks.
Neet is a flexible, multi-threaded tool for network penetration testing. It runs on Linux and co-ordinates the use of numerous other open-source network tools, with the aim of gathering as much network information as possible in clear, easy-to-use formats.
Gmvault is a tool for backing up your Gmail account so you never lose email correspondence.
Metasploitable3 is a VM that is built from the ground up with a large number of security vulnerabilities, so you can test your pentesting skills.
Celery is an asynchronous task queue/job queue based on distributed message passing. It is focused on real-time operation, but supports scheduling as well. The changelog for the recently released 4.0 is quite impressive.
A new fork of the PuTTY SSH client on Windows with quite a few new features. If it continues to receive support, it may well replace PuTTY.
An open source clone of IFTTT.
iocage is a zero-dependency, drop-in jail/container manager amalgamating some of the best features and technologies the FreeBSD operating system has to offer. It is geared for ease of use with a simple and easy-to-understand command syntax.
Rocker breaks the limits of Dockerfile. It adds some crucial features that are missing while keeping Docker’s original design and idea.
Guides & Tutorials
Lots of history in this post about the select(2) system call and how epoll, iocp and kqueue have built upon that.
In MySQL master/slave or master/master replication, some queries can stop your replication altogether. These commands allow you to ‘skip’ a replication-breaking query. Warning though: at that point, your nodes may be in an inconsistent state.
Lots of in-depth info for those running Node.js applications, where garbage collection can cause problems, and how it works internally.
This guide shows some practical examples of handling JSON data at the command line. By nature, JSON isn’t very easy to handle with awk/grep/sed, so jq parses it and allows you to query for individual fields.
An interesting approach: using Graylog to collect and analyse all DNS requests on a network for security research purposes.
A guide to show how you can use systemd-nspawn to run simple containers, together with some examples to create containers. systemd-nspawn seems quite powerful, actually.
Getting Let’s Encrypt certificates for a single server or site is quite easy, but handling a multi-server environment and getting certificates managed over multiple nodes poses its challenges. This post introduces a few methods of keeping those certificates in sync.
Another parody from the SUSE team: this time remaking Rage Against The Machine’s popular “Killing in the name of”. The other videos in that channel are worth a check, too.