
Shellshock – CVEs, Patches, Updates, & Other Resources

First announced almost a month ago, Shellshock continues to endanger unpatched web servers and Linux devices. So what is it? How can you tell if you’re vulnerable? And how can it be addressed?

What Is Shellshock?

Shellshock is a vulnerability in the bash software program. Bash is a shell, installed on Linux and other operating systems in the Unix family. A shell is a software component that is deeply integrated into the operating system, which is what makes this vulnerability so insidious.

The Shellshock vulnerability is a bug in bash’s parser. It was first introduced more than 20 years ago, when a feature allowing functions to be exported was added. The danger is that an attacker who can control the content of an environment variable could potentially execute arbitrary code on a vulnerable system. Remote code execution (RCE) vulnerabilities (also called “arbitrary code execution” vulnerabilities) are among the most dangerous. Paired with privilege escalation vulnerabilities or poor security practices (e.g. allowing web servers to run as privileged users), unaddressed arbitrary code execution vulnerabilities can lead to the complete takeover of vulnerable systems.

Posted in DevOps & System Admin.

Re-imagining Operating Systems: Xen, Unikernels, and the Library OS

As a Professional Problem Solver, much of my work deals with installing, configuring, and managing the Operating System layer of an application stack.

Managing the OS layer has been the work of System Administrators for many years. With the advent of virtualization, it became relatively easy to create and destroy virtual machines. With the “cloud” many of us no longer even own physical servers. With DevOps tools and configuration management, we’ve created abstractions for configuration and automated provisioning.

Yet…

The operating systems have remained relatively the same. When we’re not using a PaaS like Heroku, our application servers are often full Linux VMs. Even with containerization tools like Docker, the underlying OS is fundamentally the same. The advent of virtualization brought many changes, but we still haven’t seen the full impact of this paradigm shift.

Posted in DevOps & System Admin.

Git-SVN Gotcha with Empty Directories

This short post is intended to serve as a warning about a potential gotcha with git-svn, and how to prevent it.

An Anecdote

First, a sort of “postmortem” of my run-in with this issue:

I was working to migrate an old SVN repository full of documents to Git. We had decided that we didn’t need to maintain a complete history going forward, that we would just take what was currently there and put it in a new Git repository. We would keep the old SVN repository around for reference in case we ever did need to go back through that older history. We wanted to preserve the old history in SVN, but make a clean break from it for a fresh start with a new Git repo.

I used SVN to check out a fresh copy of the repo, removed .svn, turned the directory into a Git repo, and pushed it out to the new remote. All good there.

Posted in Developer Tools.

GPG + Git: The pass Password Manager


As much as I’d like to see a world where PKI is used to secure digital resources, the status quo is a world often secured by passwords. Passwords are hard to remember, and easy to lose. We should use complex, hard-to-guess passwords. We should use separate passwords for every site. We should keep passwords to ourselves instead of sharing accounts with other users. All of these things add up to more than most minds should be taxed with.

The good news is: password managers can help!

Posted in DevOps & System Admin.

8 Tips for Working from a Coffee Shop


A few weekends ago, I spent an afternoon working from a coffee shop. I usually work co-located with other Atoms in Atomic Object’s Grand Rapids office, so this was a new experience for me. I learned a few things I could have done to use my time more effectively.

This is my new coffee-shop preparedness checklist:

Posted in Personal Optimization.

Using a Smartcard with a VirtualBox-based Vagrant Virtual Machine

Lately, I’ve been working on setting up a Personal Package Archive (PPA) to use when provisioning servers with custom packages.

In order to host packages on a Launchpad PPA, one must first upload signed source packages. Since I use a Mac and keep my PGP signing key on a Smartcard, I needed to find a way to connect my Smartcard reader to a virtual machine running Ubuntu. After a bit of research, I found an easy way to do this with Vagrant, VirtualBox, and the standard precise64 basebox.


Posted in DevOps & System Admin.

Using an OpenPGP Smartcard with GnuPG


This is part of a series on GNU Privacy Guard:

  1. Getting Started with GNU Privacy Guard
  2. Generating More Secure GPG Keys: Rationale
  3. Generating More Secure GPG Keys: A Step-by-Step Guide
  4. Using an OpenPGP Smartcard with GnuPG (this post)

Recap

Picking up where we left off, we’re on a relatively secure (air-gapped) system with a keyring looking something like this:

$ gpg -k
/home/amnesia/.gnupg/pubring.gpg
--------------------------------
pub   4096R/144A027B 2013-11-04 [expires: 2016-11-03]
uid                  John Doe <john.doe@example.com>
sub   3072R/E02EDE61 2013-11-04 [expires: 2014-05-03]
sub   3072R/A59563DA 2013-11-04 [expires: 2014-05-03]
sub   3072R/B2E31884 2013-11-04 [expires: 2014-05-03]

$ gpg -K
/home/amnesia/.gnupg/secring.gpg
--------------------------------
sec#  4096R/144A027B 2013-11-04 [expires: 2016-11-03]
uid                  John Doe <john.doe@example.com>
ssb   3072R/E02EDE61 2013-11-04
ssb   3072R/A59563DA 2013-11-04
ssb   3072R/B2E31884 2013-11-04

We’ve already moved the primary key to removable media and stored it in a safe place. Now we’d like to move the subkeys onto a Smartcard for day-to-day use.

Posted in Extracurricular Activities.

DevOps Resources for Staying in the Loop

At our last DevOps West Michigan meeting, someone asked where I learn about new things happening in the world of DevOps. Here’s the list I rattled off (plus a few more things I remembered later).

DevOps Weekly Newsletter

This weekly e-mail newsletter from Gareth Rushgrove does a great job of summarizing and aggregating some of the most noteworthy blog posts, events, and new tools from the past week. I’ve been able to spend a lot less time seeking out this information since I subscribed. Gareth does a great job of keeping everyone informed.

Podcasts

Between riding the bus to work, doing dishes, and picking up kids’ toys, I listen to a lot of podcasts. Here are some of my favorite DevOps-related shows:

Posted in Growing as Makers.

Generating More Secure GPG Keys: A Step-by-Step Guide

This is part of a series on GNU Privacy Guard:

  1. Getting Started with GNU Privacy Guard
  2. Generating More Secure GPG Keys: Rationale
  3. Generating More Secure GPG Keys: A Step-by-Step Guide (this post)
  4. Using an OpenPGP Smartcard with GnuPG

In this post, I’ll cover the generation of a new GPG key and the removal of the primary key, one of the two mitigation strategies mentioned in the previous post. The next post in the series will demonstrate the second strategy: using this new key with a SmartCard.


Posted in Extracurricular Activities.

Generating More Secure GPG Keys: Rationale

This is part of a series on GNU Privacy Guard:

  1. Getting Started with GNU Privacy Guard
  2. Generating More Secure GPG Keys: Rationale (this post)
  3. Generating More Secure GPG Keys: A Step-by-Step Guide
  4. Using an OpenPGP Smartcard with GnuPG

In my last post on getting started with GNU Privacy Guard, I mentioned that I’d like to go into more depth about how to use GnuPG more securely. In this post, I’ll show how I recently set up my new OpenPGP key and smart card.

Risks of Naive GPG

First, let’s talk about some of the risks of using GPG in the naive way I demonstrated in my last post.

Endpoint Security

Once we start using GnuPG to encrypt and sign our data, one of the largest remaining risks is “endpoint security” — namely that our laptop might be compromised and our secret key exposed to an attacker. We generated our key on the laptop we use for a variety of purposes on a daily basis.

Posted in Extracurricular Activities.