Welcome to cron.weekly issue #85 for Sunday, June 18th, 2017.

No time for intros, too much content to share! Enjoy!

News

Linux trojan targeting Raspberry Pi’s

As soon as any install base becomes big enough, it’ll be a target for exploitation. If you run a Raspberry Pi, make sure to get all the latest patches.

How is GNU `yes` so fast?

Talk about micro-optimizations! This post explores the differences in throughput of the `yes` command, comparing multiple implementations.

SQLite is 35% faster than the filesystem

Wait, what? There are a lot of optimizations built into SQLite, this post explores how it’s possible that write I/O in SQLite surpasses that of the disk itself.

Systemd falls back to Google nameservers when no nameservers are configured

There was quite a bit of controversy around this last week, which resulted in this bugreport: if a server is configured without nameservers, systemd falls back to using Google’s public resolvers. Queue the usability vs. privacy vs. security debate.

sshcheck

This project analyses your (publicly available) SSH server and proposes changes for improved security (cipher suites, key exchanges, public keys, …).

Notes on open-sourcing abandoned code

This post explores an interesting question: if software or operating systems go end of life, should their source code be open sourced?

200% ROI on Open Source Participation

The World Bank has published a case study around the benefits of investing in open source. Their conclusion? It’s said to give a 200% return on investment due to community contributions!

Your interpreter isn’t safe anymore — The PHP module rootkit

Instead of writing a kernel module that acts as a backdoor, this post describes how you can build a PHP extension to do some of the same things, intercepting function calls. This technique will work on lots of languages that allow dynamic extensions to be loaded.

Security Newsletter: curated security news

Get last week’s security news condensed to about 10 items worth knowing about. (Sponsored)

Curl doesn’t spew binary anymore

Well, at least after your OS’s packages have been updated. The latest release of curl will check if you’re sending binary data to your terminal (tty) and prevent that from happening, as it’s usually a file/binary download that should’ve been saved on disk, instead of outputted to your screen.

Enhancing the security of the OS with cryptography changes in Red Hat Enterprise Linux 7.4

The next RHEL and CentOS release (7.4) are going to change quite a few things for the better, but you should be aware if you still have legacy appliances talking legacy crypto protocols. This post explains what protocols are being removed (SSL2, SSHv1, RC4, …).

Full Stack Fest 2017: Problems of today, wonders from the future.

Are you a curious mind? Full Sack Fest is a week-long conference based in the amazing city of Barcelona that peeks into the web of tomorrow! Serverless, Blockchain, WebVR, Distributed Web, Progressive Web Apps… Come and see. Early bird tickets available! Use CRONWEEKLY to get 10% off! (Sponsored)

Tools & Projects

Datadog: all your infrastructure, in one place

Track & alert on the health and performance of every server, container, and app in any environment, with Datadog. Sign up for a free 14-day trial. (Sponsored)

comdb2

Comdb2 is a clustered RDBMS built on Optimistic Concurrency Control techniques. It provides multiple isolation levels, including Snapshot and Serializable Isolation. Read/Write transactions run on any node, with the client library transparently negotiating connections to lowest cost (latency) node which is available.

bingrep

Greps through binaries from various OSs and architectures, and colors them.

salt-scanner

A Linux vulnerability scanner based on Vulners Audit API and Salt Open, with Slack notifications built-in.

frp

A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.

bagpipe

Bagpipe enables Autonomous System (AS) administrators to verify policies for their BGP router configurations. Bagpipe enables ISP administrators to express BGP policies in a domain-specific specification language and verify that the ISP’s router configurations implement these policies.

reredirect

reredirect is a utility for taking an existing running program and attaching its outputs (standard output and error output) to files or another process. Using reredirect, you can log output of a already launched process, redirect debug output of a background process to /dev/null or to a pager as if you launched it with > or |.

Tails 3.0

Where Debian 9 isn’t officially released yet, the Tails (privacy focussed) operating system did just release their 3.0 based on Debian 9.

Firefox 54

I don’t quite care about browser versions, but this one was interesting: since Firefox 54, the browser uses a multi-process architecture, similar (but apparently “better” than) Chrome’s.

Spack

Spack is a multi-platform package manager that builds and installs multiple versions and configurations of software. It works on Linux, macOS, and many supercomputers. Spack is non-destructive: installing a new version of a package does not break existing installations, so many configurations of the same package can coexist.

sudo for windows

Because why not? 😉

FreeNAS 11.0

This version brings object storage (S3) to the OS, a brand new admin GUI & bhyve based virtual machines.

opsweekly

Opsweekly is a weekly report tracker, an ‘on-call’ categorisation and reporting tool, a sleep tracker, a meeting organiser and a coffee maker all in one.

Guides & Tutorials

Mdadm Cheat Sheet

This post contains a set of practical commands when running with software raid on Linux (mdadm).

Force Remote Devices (Routers/switches) to Refresh Their Arp Cache Entry for a Machine

Some guides & commands to help you flush ARP caches from routers, this can be useful when using virtual IPs (or ‘floating’ IPs) and you need to force a refresh on your switch or routers.

Anti-DDoS Solution Based on iptables: nShield

Some more clever IPTable usage: this script gets the latest “known IPs” of hacked servers/bots and preventively blocks them on your system. On top of that, it will rate limiting new offending IPs if attack patterns are detected.

Terraform Gotchas And How We Work Around Them

Lots of good tips on using Terraform in here from years of experience. Some background is shared about choices that were made that turned out to be bad investments, so you don’t have to repeat them.

Writing a Unix Shell – Part II

This is follow-up from part 1, this time covering `exec` functions, forking, error handling & handling built-in shell commands.

Howto make MySQL point-in-time recovery faster ?

Lots of tips on boosting the performance of binary logs in MySQL, by moving away from the `mysqlbinlog` command and letting MySQL server itself do the processing. Very clever usage of binlogs & mysql slave replication!

Switching to the Mutt Email Client

I haven’t been able to convince myself yet, but this author describes his steps with the Mutt email client.

Videos

openSUSE conference 2017

Lots of videos from this conference around DevOps, monitoring, metrics, legal & compliance, package building, …