cron.weekly issue #87: OutlawCountry, MOTD, NSA, systemd, Kubernetes, spoilerwall, Dexter, GPG & more
July 2, 2017 - Mattias Geniar
Welcome to cron.weekly issue #87 for Sunday, July 2nd, 2017.
There are some security issues regarding systemd you should be aware of if you’re running Ubuntu, WikiLeaks publishes some NSA tools explicitly aimed at targeting Linux, and recent Intel CPUs appear to have broken Hyper-Threading.
So, have a great Sunday folks! 😀
There are a lot of nitty-gritty details in here about time keeping and persistent TCP connections that get randomly dropped by a Cisco endpoint. It just goes to show that even the basics of TCP can surprise you.
What are you doing next Friday? This site aims to get you motivated and up-and-running with your first pull request to an open source project.
Are you a curious mind? Full Stack Fest is a week-long conference based in the amazing city of Barcelona that peeks into the web of tomorrow! Serverless, Blockchain, WebVR, Distributed Web, Progressive Web Apps… Come and see. Early bird tickets available! Use CRONWEEKLY to get 10% off! (Sponsored)
WikiLeaks published a new set of CIA hacking tools, this time focusing specifically on the Linux operating system, called OutlawCountry. The malware consists of a kernel module that creates a hidden netfilter table on a Linux target; with knowledge of the table name, an operator can create rules that take precedence over existing netfilter/iptables rules and are concealed from a user or even a system administrator.
Yuk. Ubuntu’s Message of the Day (MOTD) has been noted to show ads for a TV series that happens to use Ubuntu (which they wanted to highlight).
What if … you automated your entire job with a set of scripts and programs, but didn’t tell anyone? Heavy discussions going on in this thread. 🙂
A browser-based adventure game to teach you how to use VIM. Very cleverly done and it even looks good!
Unfixed Skylake and Kaby Lake processors could, in some situations, dangerously misbehave when hyper-threading is enabled. This post contains info on how to detect & mitigate the problem.
Users of Ubuntu 16.10 or 17.04 will want to update their systemd packages, as systemd-resolved could be made to crash or run programs if it received a specially crafted DNS response. Red Hat and CentOS are unaffected.
With all their code and tools already being released by WikiLeaks and the Shadow Brokers, they might as well open source it themselves too, right? 😉 But all kidding aside, there are some good looking projects on their page, like a Certificate Authority monitoring project, a VPN service, host integrity tools, …
Tools & Projects
Track & alert on the health and performance of every server, container, and app in any environment, with Datadog. Sign up for a free 14-day trial. (Sponsored)
Shuts down a TCP connection on Linux or macOS. Local and remote endpoint arguments can be copied from the output of ‘netstat -lanW’.
A new milestone for the Kubernetes project with its 1.7 launch: a big focus on security, storage and extensibility features.
Apache RocketMQ is a distributed messaging and streaming platform with low latency, high performance and reliability, trillion-level capacity and flexible scalability.
Decrypts and logs a process’s SSL traffic. The functionality offered by ssl_logger is intended to mimic Echo Mirage’s SSL logging functionality on Linux and macOS.
mkosi stands for Make Operating System Image, and is a tool for precisely that: generating an OS tree or image that can be booted.
This package provides a library and a command-line tool named wormhole, which makes it possible to get arbitrary-sized files and directories (or short pieces of text) from one computer to another.
Spoilerwall introduces a brand new concept in the field of network hardening. Avoid being scanned by spoiling movies on all your ports!
Inspired by SSH, Mosh and autossh, Eternal Terminal (ET) is a remote shell that automatically reconnects without interrupting the session.
There’s a lot of code and tools in this repo aimed at testing and breaking the IPv6 protocol. If you’re into networking or security, you’ll find something in there you’ll like.
CloudBoost is the complete serverless platform for your app. Think of CloudBoost as Parse + Firebase + Algolia + Iron.io all combined into one.
Guides & Tutorials
This blog series uses a simple application as an example to guide you on building deployment pipelines. Following it, you will get an in-depth understanding of continuous delivery and also hands-on practices of deployment pipeline modeling. Check it out here. (Sponsored)
This post contains lots of good insights into how the Unicorn webserver (written in Ruby) handles its master/worker architecture and how you can work with it to troubleshoot & make it more effective.
Dexter collects PostgreSQL queries, analyses them and creates new indexes to make them more performant.
Besides a good intro into both PGP and SSH public keys, this also does a stellar job explaining how you can use a GPG key for your SSH logins, too.
Lots of good tips in this post, including a pure Bash implementation to test if a remote or local TCP port is open, by making use of /dev/tcp/$ip/$port. Very powerful!
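The /dev/tcp trick from that post, written out as an added example (not code from the linked post): a port check that relies only on bash’s /dev/tcp pseudo-device, plus a timeout so a filtered port does not hang the caller. It assumes bash and GNU coreutils timeout(1) are installed (Linux; macOS ships no timeout by default).

```shell
#!/usr/bin/env bash
# Added example, not from the linked post. Assumes bash and coreutils `timeout`.
#
# Usage: tcp_port_open HOST PORT [TIMEOUT_SECONDS]
# Exit status: 0 = open (TCP handshake completed), 1 = closed/refused/unreachable,
#              2 = timed out (port is probably filtered by a firewall),
#              3 = invalid arguments (or `timeout` missing).
tcp_port_open() {
  host=$1; port=$2; tmo=${3:-3}
  [ -n "$host" ] || return 3
  case $port in
    ''|*[!0-9]*) return 3 ;;          # port must be all digits
  esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 3
  command -v timeout >/dev/null 2>&1 || return 3
  # The connect runs in a child bash so `timeout` can kill it when the peer
  # never answers. Host and port are passed as $0/$1 rather than spliced into
  # the command string, so shell metacharacters in HOST cannot be executed.
  # Opening the redirection is the whole test: no bytes are sent.
  rc=0
  timeout "$tmo" bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$host" "$port" \
    2>/dev/null || rc=$?
  case $rc in
    0)   return 0 ;;
    124) return 2 ;;                   # timeout(1) reports expiry as 124
    *)   return 1 ;;
  esac
}

# Human-readable wrapper for interactive use: prints open/closed/filtered/invalid.
port_state() {
  rc=0
  tcp_port_open "$@" || rc=$?
  case $rc in
    0) echo "open" ;;
    1) echo "closed" ;;
    2) echo "filtered" ;;
    *) echo "invalid" ;;
  esac
}
```

A closed port answers with a reset immediately, so the timeout only matters for hosts that silently drop packets; pick it per network rather than leaving the 3-second default everywhere.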
This post includes slides of a presentation on BPF (the BSD Packet Filter) and lots of notes from the talk itself. If you’re interested in the next big thing in packet capturing (think tcpdump etc.), have a read.
A heavy debugging tale with sysdig to find the root cause of a Docker container isolation problem, where one container managed to influence the performance of another, despite both having resource constraints configured. Lots of practical commands & output in this post.
Systemd has a built-in container manager called systemd-nspawn. This post explains how you can run Steam (or any program, for that matter) inside a systemd-nspawn container, and it should get you started running pretty much anything inside a container.
A very good explanation on the Kerberos protocol, with enough visual material to make it understandable too.
This post starts easy but quickly went way over my head. An insanely detailed guide on how an IP lookup happens on a Linux machine, from route tables to hashing algorithms to netmask calculations, all while testing both CPU and memory performance and impact.