cron.weekly issue #94: Security, SSH, df, Wekan, funding, Kubernetes, Make, systemd & more
August 20, 2017 - Mattias Geniar
Welcome to cron.weekly issue #94 for Sunday, August 20th, 2017.
Last week’s issue might have been a bit shorter, I feel this one makes up for it. Lots of news to share, interesting new projects and fascinating tutorials.
If you’ve been reading cron.weekly regularly and like it, you could do me an immense favor by promoting it to friends & colleagues on social media. If you’re not sure how, check out the ‘I loved it’ button at the end of this mail for some easy social sharing.
Enjoy your Sunday everyone!
It’s been a bit of a running joke among those that care about HTTP status codes, but it looks like this might actually be happening: work is being done to make the HTTP/418 status code “I’m a teapot” an actual, official RFC!
Security.txt is a standard which allows websites to define security policies. This standard sets clear guidelines for security researchers on how to report security issues, and allows bug bounty programs to define a scope. Security.txt is the equivalent of robots.txt (like cronweekly’s), but for security issues.
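As an added example (not from the newsletter or the security.txt project), a small Python parser and validator for the file format; the field names, the “Contact is required” rule and the accepted contact URI schemes are assumptions drawn from the draft, so adjust them to the version a site follows:

```python
from typing import Dict, List

# Assumptions, not the draft's normative list: known field names, the one
# mandatory field, and the URI schemes a Contact value is expected to use.
KNOWN_FIELDS = {"Contact", "Encryption", "Acknowledgments", "Policy"}
REQUIRED_FIELDS = ("Contact",)
CONTACT_SCHEMES = ("https://", "mailto:", "tel:")

# Constructed sample file, not copied from any real site.
SAMPLE = """\
# Security contact information for example.com (constructed sample)
Contact: mailto:security@example.com
Contact: security@example.com
Encryption: https://example.com/pgp-key.txt

Policy: https://example.com/security-policy.html
"""

def parse_security_txt(text: str) -> Dict[str, List[str]]:
    """Parse 'Field: value' lines; fields may repeat, '#' lines and blanks are ignored."""
    fields: Dict[str, List[str]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")  # split on the first colon only
        if not sep or not name.strip() or not value.strip():
            raise ValueError(f"line {lineno}: expected 'Field: value', got {raw!r}")
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields

def validate(fields: Dict[str, List[str]]) -> List[str]:
    """Return human-readable problems; an empty list means the file looks usable."""
    problems: List[str] = []
    for req in REQUIRED_FIELDS:
        if req not in fields:
            problems.append(f"missing required field {req}")
    for name, values in fields.items():
        if name not in KNOWN_FIELDS:
            problems.append(f"unknown field {name}")
        if name == "Contact":
            for v in values:
                if not v.startswith(CONTACT_SCHEMES):
                    problems.append(f"Contact is not an https/mailto/tel URI: {v}")
    return problems

if __name__ == "__main__":
    parsed = parse_security_txt(SAMPLE)
    print(parsed)
    print(validate(parsed) or ["ok"])
```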
GoCD is a continuous delivery tool specializing in advanced workflow modeling and dependency management. New AWS ECS elastic agents plugin just released. Optimizes your utilization and reduces infrastructure cost now. (Sponsored)
A while back, several exploits made by the CIA got released through WikiLeaks. In this post, Tatu Ylonen, inventor of the SSH protocol, looks at those exploits and gives his analysis of how they work.
Join the Open Source Database Community 25-27 September, 2017, in Dublin for Percona Live Europe. With various talks covering core topics on MySQL, MongoDB, MariaDB, PostgreSQL, Time Series Databases, RocksDB & more. 1 day of tutorials & 2 days of sessions & keynotes. Buy Now. (Sponsored)
In this new policy for packagers, it’s not a requirement that new packages be ‘reproducible’: every compile from the same source should result in the exact same binary. This makes it possible to detect and prevent flaws – malicious or accidental – in those packages.
In the next OpenSSL release, the team behind the popular crypto package is going to completely redo the RAND() API calls. The goal is to improve security by generating better random numbers using NIST-recommended approaches.
With this commit, the ZFS project now includes native encryption in the file system.
Did you know there’s over 5PB of publicly available HDFS (Hadoop Distributed File System) systems out there, with data you can just reach out and ‘touch’? This serves as a general reminder to 1) firewall your systems and 2) authenticate any kind of data access.
Looks like MongoDB is going public (the company; the source was already open) and seeks to attract new investors.
More financial news: Docker is also seeking to raise more money and is already valued at 1.3 billion dollars.
This was a fun read; can you guess why the game Dwarf Fortress, with a binary named ‘df’, would automagically start up whenever you update your system?
Tools & Projects
Track & alert on the health and performance of every server, container, and app in any environment, with Datadog. Sign up for a free 14-day trial. (Sponsored)
I didn’t know Facebook built this tool, but it’s a really simple way to keep track of which certificate gets issued for which domain(s) through CT – Certificate Transparency.
.NET Core is the modular and high-performance implementation of .NET for creating web applications and services that run on Windows, Linux and Mac.
I’ll admit that I’m not sure when to use this, but it’s an embedded PHP module for Nginx. Think mod_php for Apache, but for Nginx. There’s also a variant specific for PHP 7.x. I think I’d still prefer PHP-FPM though.
A tool to capture and report on file checksums, with the aim of reporting bit rot.
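An added example (not the linked tool’s code) of the idea behind such a checker, in Python: record a checksum and mtime per file, then classify a later scan, treating a changed hash with an unchanged mtime as suspected bit rot rather than an edit. File names and timestamps in the demo are constructed:

```python
import hashlib
import os
import tempfile

def sha256_of(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):  # stream large files
            h.update(block)
    return h.hexdigest()

def scan(root):
    """Map relative path -> (sha256, mtime_ns) for each regular file under root."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):  # skip symlinks/special files
                manifest[os.path.relpath(full, root)] = (sha256_of(full), os.stat(full).st_mtime_ns)
    return manifest

def compare(old, new):
    """Changed content + unchanged mtime is the bit-rot signature; a newer mtime is an edit."""
    report = {"bitrot": [], "modified": [], "missing": [], "added": sorted(set(new) - set(old))}
    for rel, (digest, mtime) in old.items():
        if rel not in new:
            report["missing"].append(rel)
        elif new[rel][0] != digest:
            report["bitrot" if new[rel][1] == mtime else "modified"].append(rel)
    return report

def demo():
    """Constructed scenario: one file silently corrupted, one edited, one deleted, one added."""
    with tempfile.TemporaryDirectory() as root:
        def write(name, data, mode="wb", mtime_ns=None):
            path = os.path.join(root, name)
            with open(path, mode) as f:
                f.write(data)
            if mtime_ns is not None:  # pin the mtime so the demo is deterministic
                os.utime(path, ns=(mtime_ns, mtime_ns))
        t0 = 1_500_000_000 * 10**9  # fixed baseline timestamp (constructed)
        for name in ("photo.raw", "notes.txt", "stale.log"):
            write(name, b"original content of " + name.encode(), mtime_ns=t0)
        baseline = scan(root)
        write("photo.raw", b"X", "r+b", mtime_ns=t0)            # first byte flipped, mtime kept: bit rot
        write("notes.txt", b"\nedit", "ab", mtime_ns=t0 + 10**9)  # content and mtime changed: an edit
        os.remove(os.path.join(root, "stale.log"))
        write("new.txt", b"new")
        return compare(baseline, scan(root))
```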
A collection of security hardening tips & modules for Chef/Puppet/Ansible to help harden the base OS, SSH, MySQL, Apache, PostgreSQL, …
Puppeteer is a Node library which provides a high-level API to control headless Chrome over the DevTools Protocol. It can also be configured to use full (non-headless) Chrome.
This project actually got featured in issue #12 already, but since there were like 5 subscribers back then, it bears repeating: Wekan is an open source Kanban tool, much like Trello.
Agorakit is a web-based open source groupware for citizens’ initiatives. By creating collaborative groups, people can discuss, organize events, store files and keep everyone updated when needed. Agorakit is a forum, agenda, file manager, mapping tool and email notifier.
SecGen creates vulnerable virtual machines so students can learn security penetration testing techniques.
Build and run Docker containers leveraging NVIDIA GPUs. If you’re thinking of mining certain cryptocurrencies, this might come in handy.
Guides & Tutorials
This post draws the analogy between superhero communication and “secret communication” with private and public keys. It’s a bit hectic if you already know how SSH public key authentication works, but if you’re new to that concept, it’s a pretty good explanation.
This was a fascinating read about how fiber optics work! More and more of our networking is moving towards fiber instead of copper; this shares lots of insights into what makes fiber unique and how on earth it’s possible to use light to transfer bits & bytes.
A lot of info on why GitHub moved to Kubernetes, as well as the approach they took on migrating a legacy “classic” application to be compatible with Kubernetes’ way of working.
Did you know there are scenarios in which a non-privileged user can delete root-owned files, even without having permissions on those files? Very good read & catch!
A dive into the mechanics that allow Postgres to provide strong atomic guarantees despite the chaotic entropy of production.
This is a really solid introduction to ‘make’ and the Makefile, for building & automating tasks, adding dependencies between tasks, error handling, input handling, …
Not a rant on systemd, but this post has a well-written answer on where the security impact of an init system like systemd might lie.