At Atomic Object, we value co-located teams. But not every team member can always be co-located. Larger project teams may have members from multiple offices. Some projects might involve working closely with other vendors. I experience this “remoteness” when I support the infrastructure needs of teams in our Ann Arbor and Detroit offices.
I recently had the opportunity to pair with Scott Vokes on a side project.
He had an idea for a simple C program and let me drive while we talked through the design. In a few short hours, I learned a lot more than I expected. I’ll add the list below.
First announced almost a month ago, Shellshock continues to endanger un-patched web servers and Linux devices. So what is it? How can you tell if you’re vulnerable? And how can it be addressed?
What Is Shellshock?
Shellshock is a vulnerability in the bash software program. Bash is a shell, installed on Linux and other operating systems in the Unix family. A shell is a software component that is deeply integrated into the operating system, which is what makes this vulnerability so insidious.
The Shellshock vulnerability is a bug in bash’s parser. It was first introduced more than 20 years ago when a feature to allow exporting functions was added. The danger is that an attacker who could control the content of an environment variable could potentially execute arbitrary code on a vulnerable system. Remote code execution (RCE) vulnerabilities (also called “arbitrary code execution” vulnerabilities) are among the most dangerous. Paired with privilege escalation vulnerabilities or poor security practices (e.g. allowing web servers to run as privileged users), unaddressed arbitrary code execution vulnerabilities can lead to the complete takeover of vulnerable systems. Read more on Shellshock – CVEs, Patches, Updates, & Other Resources…
As a Professional Problem Solver, much of my work deals with installing, configuring, and managing the Operating System layer of an application stack.
Managing the OS layer has been the work of System Administrators for many years. With the advent of virtualization, it became relatively easy to create and destroy virtual machines. With the “cloud” many of us no longer even own physical servers. With DevOps tools and configuration management, we’ve created abstractions for configuration and automated provisioning.
The operating systems have remained relatively the same. When we’re not using a PaaS like Heroku, our application servers are often full Linux VMs. Even with containerization tools like Docker, the underlying OS is fundamentally the same. The advent of virtualization brought many changes, but we still haven’t seen the full impact of this paradigm shift. Read more on Re-imagining Operating Systems: Xen, Unikernels, and the Library OS…
This short post is intended to serve as a warning about a potential gotcha with git-svn, and how to prevent it.
First, a sort of “postmortem” of my run-in with this issue:
I was working to migrate an old SVN repository full of documents to Git. We had decided that we didn’t need to maintain a complete history going forward, that we would just take what was currently there and put it in a new Git repository. We would keep the old SVN repository around for reference in case we ever did need to go back through that older history. We wanted to preserve the old history in SVN, but make a clean break from it for a fresh start with a new Git repo.
I used SVN to check out a fresh copy of the repo, removed .svn, turned the directory into a Git repo, and pushed it out to the new remote. All good there. Read more on Git-SVN Gotcha with Empty Directories…
As much as I’d like to see a world where PKI is used to secure digital resources, the status quo is a world often secured by passwords. Passwords are hard to remember, and easy to lose. We should use complex, hard-to-guess passwords. We should use separate passwords for every site. We should keep passwords to ourselves instead of sharing accounts with other users. All of these things add up to more than most minds should be taxed with.
The good news is: password managers can help! Read more on GPG + Git: The pass Password Manager…
A few weekends ago, I spent an afternoon working from a coffee shop. I usually work co-located with other Atoms in Atomic Object’s Grand Rapids office, so this was a new experience for me. I learned a few things I could have done to use my time more effectively.
This is my new coffee shop-preparedness checklist: Read more on 8 Tips for Working from a Coffee Shop…
Lately, I’ve been working on setting up a Personal Package Archive (PPA) to use when provisioning servers with custom packages.
In order to host packages on a Launchpad PPA, one must first upload signed source packages. Since I use a Mac and keep my PGP signing key on a Smartcard, I needed to find a way to connect my Smartcard reader to a virtual machine running Ubuntu. After a bit of research, I found an easy way to do this with Vagrant, VirtualBox, and the standard precise64 basebox.
This is part of a series on GNU Privacy Guard:
- Getting Started with GNU Privacy Guard
- Generating More Secure GPG Keys: Rationale
- Generating More Secure GPG Keys: A Step-by-Step Guide
- Using an OpenPGP Smartcard with GnuPG (this post)
Picking up where we left off, we’re on a relatively secure (air-gapped) system with a keyring looking something like this:
$ gpg -k
/home/amnesia/.gnupg/pubring.gpg
--------------------------------
pub   4096R/144A027B 2013-11-04 [expires: 2016-11-03]
uid                  John Doe <john.firstname.lastname@example.org>
sub   3072R/E02EDE61 2013-11-04 [expires: 2014-05-03]
sub   3072R/A59563DA 2013-11-04 [expires: 2014-05-03]
sub   3072R/B2E31884 2013-11-04 [expires: 2014-05-03]

$ gpg -K
/home/amnesia/.gnupg/secring.gpg
--------------------------------
sec#  4096R/144A027B 2013-11-04 [expires: 2016-11-03]
uid                  John Doe <john.email@example.com>
ssb   3072R/E02EDE61 2013-11-04
ssb   3072R/A59563DA 2013-11-04
ssb   3072R/B2E31884 2013-11-04
We’ve already moved the main key to removable media and stored it in a safe place. Now we’d like to move the subkeys onto a Smartcard for day-to-day use. Read more on Using an OpenPGP Smartcard with GnuPG…
At our last DevOps West Michigan meeting, someone asked where I learn about new things happening in the world of DevOps. Here’s the list I rattled off (plus a few more things I remembered later).
DevOps Weekly Newsletter
This weekly e-mail newsletter from Gareth Rushgrove does a great job of summarizing and aggregating some of the most noteworthy blog posts, events, and new tools from the past week. I’ve been able to spend a lot less time seeking out this information since I subscribed. Gareth does a great job of keeping everyone informed.
Between riding the bus to work, doing dishes, and picking up kids’ toys, I listen to a lot of podcasts. Here are some of my favorite DevOps-related shows: