Ramblings of a Unix Geek

I've been doing this for a long time... I ramble!

Software for my digital safe

A few weeks back I completed my Arduino hack for a digital safe. What was missing, however, was the software to drive it. One requirement I had was to let it work with password managers. I also had the idea that maybe remote access (e.g. control the safe while away from home, to grant a guest access) might be useful. This kinda meant it’d be easiest to do as a web site, with internet connections forwarded via the router.

Know your threats and defend accordingly

A couple of weeks ago I was asked a question around the disposal of SSDs. The question went along the lines of “In the old days we could just overwrite the disk many times (e.g. with DBAN). What should we do, now, with SSDs?” Recently, a bunch of Infineon TPMs were found to have a flaw that generated weak RSA keys. This could have a lot of impact, including on BitLocker disk encryption.

Adapting a digital safe to be computer controlled

For a number of years I had one of these cheap electronic safes. They allow for a combination to be set. I bought this one from Harbor Freight in 2004. This post isn’t about that safe though. About 10 years later the safe started to stop working; the control panel stopped responding, it made horrible noises… Fortunately, angrily lifting and dropping the safe got it working again enough to open the door.

Key man dependencies and resilient processes

Unless you’ve been living in a cave for the past couple of months, you’ll have heard that Equifax, one of the ‘big three’ credit reporting agencies, suffered a massive breach leaking privileged data on over 143 million US people (and millions outside the US as well). The story went from bad to worse as the company completely failed to handle the response properly, with poor communication, staff giving out the URL to phishing sites, web site failures and the story that three executives sold millions of dollars of shares before the leak notification was made.

Where to run Docker?

I was asked an interesting question: “I am about to investigate Docker. We are moving to AWS too. So in your opinion, should I put energy on EC2 Container Services or should I put my energy on Docker on EC2? Which is better?” I find this type of question interesting because there’s not, really, a “one size fits all” answer. It depends on your use cases.

Docker High Level Challenges with vendor containers

In previous posts I’ve gone into some detail around how Docker works, and some of the ways we can use and configure it. These have been aimed at technologists who want to use Docker, and at security staff who want to control it. It was pointed out to me that this doesn’t really help leadership teams. They’re getting shouted at: “We need Docker! We need Docker!” They don’t have the time (and possibly not the skills) to delve into the low levels the way I have.

Monitoring my router with graphs

WARNING: technical content ahead! There’s also a tonne of config files, which make this page look longer than it really is, but hopefully they’ll help other people who want to do similar work. A few months back I replaced my OpenWRT router with a CentOS 7 based one. This machine has been working very well, and handles my Gigabit FIOS traffic without any issues.

Remembering history

“Those who cannot remember the past are condemned to repeat it.” – George Santayana

Default broken

I was reminded, last week, of how old issues repeat. Back in the 90s it was a truism that if you put an “Out Of The Box” RedHat 4 (not RedHat Enterprise; the original freeware version) server on the internet then it would be compromised within hours. And so we learned; our default builds didn’t have telnet, didn’t have every possible service installed, didn’t have vulnerable configurations.

Secrets management with Docker Swarm

One of the big problems with a cloudy environment is how to allow the application to get the username/password needed to reach a backend service (e.g. a MySQL database). With a normal application the application operations team can inject these credentials at install time, but a cloudy app needs to be able to start/stop/restart/scale without human intervention. This gets worse with containers, because these may be started a lot more frequently.

Using placement constraints with Docker Swarm

As we’ve previously seen, Docker Swarm mode is a pretty powerful tool for deploying containers across a cluster. It has self-healing capabilities, built-in network load balancers, scaling, private VXLAN networks and more. Docker Swarm will automatically try to place your containers to provide maximum resiliency within the service. So, for example, if you request 3 running copies of a container then it will try to place these on three different machines.