Ramblings of a Unix Geek

I've been doing this for a long time... I ramble!

Terrahawks Noughts and Crosses

table { table-layout: fixed ; width: 100% ; border-collapse: collapse; border-style: hidden; } td { width: 1 ; border: visible; } Yes, this is a blog about a very old TV show. I went down a rabbit hole. A very stupid rabbit hole. A meaningless rabbit hole. There was a 1983 Gerry Anderson puppet show “Terrahawks”. It wasn’t as good as his older stuff (e.g. the original Thunderbirds).

Using network namespaces for ipv4 only

The problem I use the Ookla Speedtest CLI in a cron job to get an idea of the speed of my internet connection (Verizon FIOS), and spot if there are problems. Why? Because why not :-) It let’s me draw graphs like this. However, recently I was starting to get error messages that the command wasn’t able to reach speedtest.net to get the configuration. It wasn’t happening every time; sometimes it would go hours without issue, other times it would fail 3 or 4 times in succession.

ChatGPT and Calculators

This is one of my infrequent “philosophical” type posts. An earlier version of this appeared on LinkedIn. There was a LinkedIn post along the lines of “are we treating ChatGPT today like we used to treat calculators in the past”. In my mind the question is “what skill do we believe is valuable that ChatGPT will replace”. The parallels between how we treated calculators in a school setting (“no you can’t use them for homework”) vs how we’re treating ChatGPT (“no you can’t use them for homework”) needs a deeper dive.

Looking at YubiKey 5

I don’t normally write about specific products, but I was asked to take a look at the YubiKey series (primarily 4 and 5) and write up a summary of when and how it can be used. This is timely, because CISA is pushing for access management enhancements and recently published a chart for phishing resistance. I thought this interesting; typically I’ve looked at this from a user perspective (“can I use this to secure access to my bank account?

Microservice Security

Recently I was invited to be part of a panel on Microservice Security. The fools! Normally on these panels they want you to talk for 5-ish minutes; unfortunately I came up with about 15 minutes worth of material! That’s perfect for a blog :-) Older designs Before I talk about microservices I want to take a look at older designs Monoliths. A “monolith” is pretty much an “all in one” application.

Secure your cloud

I got asked another question. I’m going to paraphrase the question for this blog entry. Given the Russian invasion of Ukraine and the response of other nations (sanctions, asset confiscation, withdrawal of services, isolation of the Russian banking system…) there is a chance of enhanced cyber attacks against Western banking infrastructure in retaliation. How can we be 100% sure our cloud environments are secure from this? Firstly, I want to dispel the “100%” myth.

The problems with port 80

I got asked a question… this gives me a chance to write an opinion. I have lots of them! If I redirect my port 80 traffic to another site, do I need to get a TLS cert? The question here is related to if a bank (or other service) has changed their name, then do they still need to maintain a TLS site for the old name? Can’t they just have http://mybank.

Singe cloud or multi cloud?

I got asked a question… this gives me a chance to write an opinion. I have lots of them! Is it reasonable to just stick with a single cloud provider, or is it better to go multi-cloud? It think it seems reasonable. I expect very few places are true multi-cloud, as in a given app runs in two clouds. That becomes challenging if trying to use cloud native services ‘cos how you access RDS would be different to how you access Azure SQL, so writing a true multi-cloud application isn’t so simple.

Using SSH certificates - revisited

A while back I wrote about some basic usage of SSH certificates as an authentication system. I only described the core, but the comments went into some further detail. I thought it time to write a follow up post describing some of the more advanced features. Quick recap To handle cert based authentication you need a CA certificate. This is created with the ssh-keygen command. e.g. $ mkdir ssh-ca $ cd ssh-ca $ ssh-keygen -f server_ca Server certificates are similarly signed with the same command.

X-Forwarded-For and IP Allow-List

What is IP Allow-Listing Typically when you want to access a remote resource (e.g. login to a server) you need to provide credentials. It might be a simple username/password, it could be via SSH keys, it could use Mutual TLS with client-side certificates… doesn’t really matter. One concern is “what happens if the credential is stolen”. IP allow-listing is a way of restricting where you can use that credential from.