
TechSNAP

Jupiter Broadcasting·Hosted by Jim Salter and Wes Payne·240 episodes

Tags: News · Sysadmin talk · Linux infrastructure · Security news · Standalone episodes · Technical but approachable · Completed archive

Systems, Network, and Administration Podcast. Every two weeks TechSNAP covers the stories that impact those of us in the tech industry, and all of us who follow it. Every episode we dedicate a portion of the show to answering audience questions, discussing best practices, and solving your problems.

Why listen

TechSNAP is a practical systems, networking, and security show from Jupiter Broadcasting, hosted in its later run by Jim Salter and Wes Payne. Episodes mix current infrastructure news with hands-on admin judgment, so listeners get context on topics like ZFS, RAID, WireGuard, BGP, Linux releases, storage, certificates, and real-world operational tradeoffs. It is especially useful for sysadmins, homelab builders, Linux users, and technically curious listeners who like shop talk with concrete takeaways.

Episodes

Episode 430: All Good Things
May 29, 2020 · 52 min

It's a storage showdown as Jim and Wes bust some performance myths about RAID and ZFS. Plus our favorite features from Fedora 32, and why Wes loves DNF.

Links:
- What's new in Fedora 32 Workstation
- Fedora 32 ChangeSet
- Linux distro review: Fedora Workstation 32
- TechSNAP 428: RAID Reality Check
- ZFS versus RAID: Eight Ironwolf disks, two filesystems, one winner
- Understanding RAID: How performance scales from one disk to eight
- Find Jim on 2.5 Admins
- Find Wes on LINUX Unplugged
- TechSNAP 1: First episode of TechSNAP (in 2011!)
- TechSNAP 300: End of the Allan and Chris era (2017)
- TechSNAP 301: Enter Dan and Wes
- TechSNAP 347: A Farewell to Dan
- TechSNAP 348: Chris is back!
- TechSNAP 389: Jim's first time as a guest
- TechSNAP 390: Jim's second guest appear

Episode 429: Curious About Caddy
May 15, 2020 · 30 min

Jim and Wes take the latest release of the Caddy web server for a spin, investigate Intel's Comet Lake desktop CPUs, and explore the fight over 5G between the US Military and the FCC.

Links:
- Caddy offers TLS, HTTPS, and more in one dependency-free Go Web server
- Caddy 2
- Caddy v2 Improvements [slightly out of date]
- Proposal: Permanently change all proprietary licensing to open source · Issue #2786 · caddyserver/caddy
- Revert "Implement Caddy-Sponsors HTTP response header" by lol768 · Pull Request #1866 · caddyserver/caddy
- Intel’s 10th generation desktop CPUs have arrived—still on 14nm
- Intel Comet Lake 10th Gen CPU release date, specs, price, and performance
- 10th Gen Intel® Core™ Desktop Processors
- US military is furious at FCC over 5G plan that could interfere with GPS
- The Pentagon's fight to kill Ligado's 5G network
- FCC Approves Ligado L-Band Application to Facilitate 5G & IoT

Episode 428: RAID Reality Check
May 1, 2020 · 36 min

We dive deep into the world of RAID, and discuss how to choose the right topology to optimize performance and resilience. Plus Cloudflare steps up its campaign to secure BGP, and why you might want to trade in cron for systemd timers.

Links:
- AMD Claims World’s Fastest Per-Core Performance with New EPYC Rome 7Fx2 CPUs
- AMD EPYC 7F52 Linux Performance - AMD 7FX2 CPUs Further Increasing The Fight Against Intel Xeon Review
- Understanding RAID: How performance scales from one disk to eight
- New Cloudflare tool can tell you if your ISP has deployed BGP fixes
- Is BGP safe yet?
- RPKI - The required cryptographic upgrade to BGP routing
- Why I Prefer systemd Timers Over Cron – Thomas Stringer
- systemd/Timers - ArchWiki
- systemd.time (Time format docs)
- systemd.timer (Unit docs)

Episode 427: Gigahertz Games
Apr 17, 2020 · 51 min

Jim finally gets his hands on an AMD Ryzen 9 laptop, some great news about Wi-Fi 6E, and our take on FreeBSD on the desktop. Plus Intel's surprisingly overclockable laptop CPU, why you shouldn't freak out about 5G, and the incredible creativity of the Demoscene.

Links:
- Asus ROG Zephyrus G14—Ryzen 7nm mobile is here, and it’s awesome
- Linux on Laptops: ASUS Zephyrus G14 with Ryzen 9 4900HS
- Intel’s 10th-generation H-series laptop CPUs break 5GHz | Ars Technica
- Wi-Fi 6E becomes official—the FCC will vote on rules this month
- Celebs share rumors linking 5G to coronavirus, nutjobs burn cell towers
- Not-actually Linux distro review: FreeBSD 12.1-RELEASE
- Not actually Linux distro review deux: GhostBSD
- MOD (file format) - Wikipedia
- AT&T.MOD (YouTube)
- DJ Moses Rising—Ice Cream Trance (YouTube)
- Farbrausch—The Product (64K Intro, 2000)
- Farbrausch—Poem to a Horse (64K Intro, 2002)
- Finland accepts

Episode 426: Storage Stories
Apr 3, 2020 · 31 min

We take a look at Cloudflare's impressive Linux disk encryption speed-ups, and explore how zoned storage tools like dm-zoned and zonefs might help mitigate the downsides of Shingled Magnetic Recording. Plus we celebrate WireGuard's inclusion in the Linux 5.6 kernel, and fight some exFAT FUD.

Links:
- WireGuard VPN makes it to 1.0.0—and into the next Linux kernel — It's a good day for WireGuard users—DKMS builds will soon be behind us.
- Linux 5.6 Is The Most Exciting Kernel In Years With So Many New Features
- fs: New zonefs file system — zonefs is a very simple file system exposing each zone of a zoned block device as a file. This is intended to simplify implementation of application zoned block device raw access support by allowing switching to the well known POSIX file API rather than relying on direct block device file ioctls and read/write.
- Ama-ZNS! Zonefs File-System Will Land with Linux® 5.6
- What is Zoned Storage and the Zoned Storage Initiative? — Zoned Storage is a new paradigm in storage motivated by the incredible explosion of data. Our data-driven society is increasingly dependent on data for every-day life and extreme scale data management is becoming a necessity.
- Linux Kernel Support - ZonedStorage.io
- dm-zoned — The dm-zoned device mapper target exposes a zoned block device as a regular block device.
- Device Mapper - ZonedStorage.io
- What are PMR and SMR hard disk drives?
- Beware of SMR drives in PMR clothing

Episode 425: Ryzen Gets Real
Mar 20, 2020 · 32 min

We take a look at AMD's upcoming line of Ryzen 4000 mobile CPUs, and share our first impressions of Ubuntu 20.04's approach to ZFS on root. Plus Let's Encrypt's certificate validation mix-up, Intel's questionable new power supply design, and more.

Links:
- Let's Encrypt changes course on certificate revocation
- Revoking certain certificates on March 4
- Let's Encrypt: Incomplete revocation for CAA rechecking bug
- Pass authzModel by value, not reference
- The Complete Guide to CAA Records
- DNS Certification Authority Authorization
- AMD's 7nm Ryzen 4000 laptop processors are finally here
- How Intel is changing the future of power supplies with its ATX12VO spec
- Single Rail Power Supply ATX12VO Design Guide
- FreeNAS and TrueNAS are Unifying
- FreeNAS and TrueNAS are Unifying [Video Announcement]
- Ubuntu 20.04's zsys adds ZFS

Episode 424: AMD Inside
Mar 6, 2020 · 28 min

Cloudflare recently embarked on an epic quest to choose a CPU for its next-generation server build, so we explore the importance of requests per watt, the benefits of full memory encryption, and why AMD won. Plus Mozilla's rollout of DNS over HTTPS has begun, a big milestone for Let's Encrypt, and more.

Links:
- Firefox continues push to bring DNS over HTTPS by default for US users - The Mozilla Blog
- The Facts: Mozilla’s DNS over HTTPs (DoH)
- Security/DOH-resolver-policy - MozillaWiki
- HTTPS for all: Let’s Encrypt reaches one billion certificates issued | Ars Technica
- Let’s Encrypt Has Issued a Billion Certificates - Let’s Encrypt - Free SSL/TLS Certificates
- Let’s Encrypt: A History - The Morning Paper
- Apple drops a bomb on long-life HTTPS certificates: Safari to snub new security certs valid for more than 13 months • The Register
- Ballot SC22: Reduce Certificate Lifetimes
- Google Chrome’s fear of Microsoft Edge is revealing its bad side
- Microsoft shares a roadmap for the new Microsoft Edge

Episode 423: Hopeful for HAMR
Feb 22, 2020 · 29 min

We explore the potential of heat-assisted magnetic recording and get excited about a possibly persistent L2ARC. Plus Jim's journeys with Clear Linux, and why Ubuntu 18.04.4 is a maintenance release worth talking about.

Links:
- Ubuntu 18.04.4 LTS: here's what's new — It's not as shiny and exciting as entirely new versions, of course, but it does pack in some worthwhile security and bugfix upgrades, as well as support for more and newer hardware.
- 18.04.4 - Ubuntu Wiki
- MobaXterm — Enhanced terminal for Windows with X11 server, tabbed SSH client, network tools and much more.
- Linux distro review: Intel’s own Clear Linux OS — There's not much question that Clear Linux is your best bet if you want to turn in the best possible benchmark numbers. The question not addressed here is, what's it like to run Clear Linux as a daily driver? We were curious, so we took it for a spin.
- Clear Linux* Project — Clear Linux OS is an open source, rolling release Linux distribution optimized for performance and security, from the Cloud to the Edge, designed for customization, and manageability.
- swupd — Documentation for Clear Linux* project
- clr-boot-manager: Kernel & Boot Loader Management
- Cannot compile zfs for 5.5-rc2 · Issue #9745 · zfsonlinux/zfs
- Persistent L2ARC might be coming to ZFS on Linux — The primary ARC is kept in system RAM, but an L2ARC device can be created from one or more fast disks. In a ZFS pool with one or more L2ARC devices, when blocks are evicted from the primary ARC in RAM, they are moved down to L2ARC rather than being thrown away entirely. In the past, this feature has been of limited value, both because indexing a lar

Episode 422: Multipath Musings
Feb 7, 2020 · 23 min

We take a look at a few exciting features coming to Linux kernel 5.6, including the first steps to multipath TCP. Plus the latest Intel speculative execution vulnerability, and Microsoft's troubled history with certificate renewal.

Links:
- Oregon company makes top bid for Microsoft check - CNET
- Microsoft’s failures to renew: Teams, Hotmail, and Hotmail.co.uk | Ars Technica
- Microsoft Teams goes down after Microsoft forgot to renew a certificate - The Verge
- Browser review: Microsoft’s new “Edgium” Chromium-based Edge | Ars Technica
- Linus Torvalds pulled WireGuard VPN into the 5.6 kernel source tree | Ars Technica
- Ubuntu 20.04 LTS Adds WireGuard Support - Phoronix
- Multipath TCP Support Is Working Its Upstream - First Bits Landing With Linux 5.6 - Phoronix
- MultiPath TCP - Linux Kernel implementation
- Upstreaming multipath TCP
- LPC2019 - Multipath TCP Upstreaming - YouTube
- LPC2019 - Multipath TCP Upstreaming - Sl

Episode 421: Firewall Fun
Jan 24, 2020 · 25 min

We explore the latest round of Windows vulnerabilities and Jim shares his journey adding OPNsense to his firewall family. Plus a look back at Apollo-era audio that's still relevant today with the surprising story of the Quindar tones.

Links:
- Critical Vulnerabilities in Microsoft Windows Operating Systems
- Win10 Crypto Vulnerability: Cheating in Elliptic Curve Billiards 2
- NSA discovers a serious flaw in Windows 10
- Exploiting CVE-2020-0601
- CVE-2020-0601 POC
- NSA Cybersecurity Advisory on CryptoAPI Flaw
- Why can’t I get to the internet on my new OPNsense install?! - Jim's Blog
- OPNsense: a true open source security platform and more
- There's An Actual Name And Reason For Those Beeps You Hear In Recordings Of Astronauts In Space
- Quindar Tones
- Cap'n Crunch Whistle and the Secrets of the Little Blue Box

Episode 420: Choose Your Own Compiler
Jan 10, 2020 · 24 min

Compiling the Linux kernel with Clang has never been easier, so we explore this alternative compiler and what it brings to the ecosystem. Plus Debian's continued init system debate, and our frustrations over 5G reporting.

Links:
- 5G Underwhelms in Its First Big Test - WSJ
- How South Korea built 5G, and what it's learning - RCR Wireless News
- After seven months, here’s what South Korea can teach us about 5G - CNA
- South Korea secures 4 million 5G subscribers | ZDNet
- Debian Developers Take To Voting Over Init System Diversity
- Debian GR Results
- General Resolution: Init systems and systemd
- Ringing In 2020 By Clang’ing The Linux 5.5 Kernel - Benchmarks Of GCC vs. Clang Built Kernels
- Using LLVM Clang To Compile The Linux Kernel Is Heating Up Again Thanks To Google
- Building the kernel with Clang - LWN
- ClangBuiltLinux
- Compiling the Linux kernel with LLVM tools (FOSDEM 2019)

Episode 419: Nebulous Networking
Dec 27, 2019 · 33 min

From classifying cats to colorizing old photos, we share our top tips and tools for starting your machine learning journey. Plus, learn why Nebula is our favorite new VPN technology, and how it can help simplify and secure your network.

Links:
- Introducing Nebula, the open source global overlay network from Slack
- nebula: A scalable overlay networking tool with a focus on performance, simplicity and security
- Nebula VPN routes between hosts privately, flexibly, and efficiently
- How to set up your own Nebula mesh VPN, step by step
- LINUX Unplugged 329: Flat Network Truthers
- Cloudy with a chance of neurons: The tools that make neural networks work
- Welcome To Colaboratory
- ImageColorizer Notebook
- DeOldify: A Deep Learning based project for colorizing and restoring old images (and video!)

Episode 418: 5G Fundamentals
Dec 13, 2019 · 34 min

As the rollout of 5G finally arrives, we take some time to explain the fundamentals of the next generation of wireless technology. Plus the surprising performance of eero's mesh Wi-Fi, some great news for WireGuard, and an update on the Librem 5.

Links:
- T-Mobile launches 600MHz 5G across the US, but no one can use it yet
- Study confirms AT&T’s fake 5G E network is no faster than Verizon, T-Mobile or Sprint 4G
- 5G on the horizon: Here’s what it is and what’s coming
- Can 5G replace everybody’s home broadband?
- The Snapdragon 865 will make phones worse in 2020, thanks to mandatory 5G
- Librem 5 backers have begun receiving their Linux phones
- Amazon’s inexpensive Eero mesh Wi-Fi kit is shockingly good
- WireGuard VPN is a step closer to mainstream adoption

Episode 417: Machine Learning Magic
Nov 29, 2019 · 26 min

We explore the rapid adoption of machine learning, its impact on computer architecture, and how to avoid AI snake oil. Plus so-so SSD security, and a new wireless protocol that works best where the Wi-Fi sucks.

Links:
- “Where the Wi-Fi sucks” is where a new wireless protocol does its magic
- Ubiquiti’s new “Amplifi Alien” is a mesh-capable Wi-Fi 6 router
- Self-encrypting deception: weaknesses in the encryption of solid state drives
- Securely erase a solid-state drive
- Solid state drive/Memory cell clearing - ArchWiki
- The Deep Learning Revolution and Its Implications for Computer Architecture and Chip Design
- Intel Core i9-10980XE—a step forward for AI, a step back for everything else
- How to recognize AI snake oil

Episode 416: I.T. Phone Home
Nov 15, 2019 · 27 min

Ubiquiti's troublesome new telemetry, Jim's take on the modern Microsoft, and why Project Silica just might be the future of long term storage.

Links:
- Sure, we made your Wi-Fi routers phone home with telemetry, says Ubiquiti. What of it? — Ubiquiti Networks is fending off customer complaints after emitting a firmware update that caused its UniFi wireless routers to quietly phone HQ with telemetry.
- UI official: urgent, please answer | Ubiquiti Community
- Update: UniFi Phone Home/Performance Data Collection | Ubiquiti Community
- Possible example data
- Latest firmware with changes
- Microsoft’s Project Silica offers robust thousand-year storage | Ars Technica — Silica aims to replace both tape and optical archival discs as the media of choice for large-scale, (very) long duration cold storage.
- Project Silica
- The Future of Data Storage Microsoft Ignite 2019
- Microsoft Edge is coming to Linux. But will anybody use it? | Ars Technica — At Microsoft Ignite a slide announced that Microsoft's project to rebase its perennially unloved Edge browser on Google's

Episode 415: It's All About IOPS
Nov 1, 2019 · 34 min

We share our simple approach to disk benchmarking and explain why you should always test your pain points. Plus the basics of solid state disks and how to evaluate which model is right for you.

Links:
- History of hard disk drives — Wikipedia
- How to Buy the Right SSD: A Guide for 2019 — Tom's Hardware
- The Development and History of Solid State Drives (SSDs)
- Understanding IOPS, latency and storage performance
- FIO cheat sheet — Jim's Blog

Episode 414: Rooting for ZFS
Oct 18, 2019 · 42 min

We dive into Ubuntu 19.10's experimental ZFS installer and share our tips for making the most of ZFS on root. Plus why you may want to skip Nest Wifi, and our latest explorations of long range wireless protocols.

Links:
- Decoding LoRa: Realizing a Modern LPWAN with SDR — LoRa is an emerging Low Power Wide Area Network (LPWAN), a type of wireless communication technology suitable for connecting low power embedded devices over long ranges. This paper details the modulation and encoding elements that comprise the LoRa PHY, the structure of which is the result of the author’s recent blind analysis of the protocol. It also introduces grlora, an open source software defined implementation of the PHY that will empower wireless developers and security researchers to investigate this nascent protocol.
- Nest Wifi announced at Made by Google 2019 | Ars Technica — Google says that a two-piece Nest Wifi kit—one Nest Router and one Nest Point—should cover up to 3,800 square feet and 85% of homes. This claim, like most arbitrary claims of Wi-Fi coverage with no real detail, should be taken with several grains of salt.
- TP-LINK EAP series Business Wi-Fi Solution — The EAP Series Business Wi-Fi Solution incorporates EAP Series hardware, which provides a smooth, reliable wireless internet experience, and a powerful centralized management platform.
- Bloody Stupid Johnson | Discworld Wiki — Although evidently able in certain fields, Johnson is notorious for his complete inability to produce anything according to specification or common sense, or (sometimes) even the laws of physics.
- A Quick Look At EXT4 vs. ZFS Performance On Ubuntu 19.10 With An NVMe SSD — For those thinking of playing with Ubuntu 19.10's new experimental ZFS desktop install option in opting for using ZFS On Linux in place of EXT4 as the root file-system, here are some quick benchmarks looking at the out-of-the-box performance of ZFS/ZoL vs. EXT4 on Ubuntu 19.10 using a common NVMe solid-state drive.
- ubuntu/zsys:

Episode 413: The Coffee Shop Problem
Oct 4, 2019 · 32 min

We peer into the future with a quick look at quantum supremacy, debate the latest DNS over HTTPS drama, and jump through the hoops of HTTP/3. Plus when to use WARP, the secrets of Startpage, and the latest Ryzen release.

Links:
- Why big ISPs aren’t happy about Google’s plans for encrypted DNS
- Chromium Blog: Experimenting with same-provider DNS-over-HTTPS upgrade
- How to enable DNS-over-HTTPS (DoH) in Google Chrome
- What’s next in making Encrypted DNS-over-HTTPS the Default - Future Releases
- WARP is here
- The Technical Challenges of Building Cloudflare WARP
- mmproxy - Creative Linux routing to preserve client IP addresses in L7 proxies
- HTTP/3: the past, the present, and the future
- Cloudflare, Google Chrome, and Firefox add HTTP/3 support | ZDNet
- QUIC Implementations
- Startpage.com - The world's most private search engine
- Google extends support lifespan for seven Lenovo Chromebooks to 2025

Episode 412: Too Good To Be True
Sep 20, 2019 · 34 min

It's TechSNAP story time as we head out into the field with Jim and put Sure-Fi technology to the test. Plus an update on Wi-Fi 6, an enlightening Chromebook bug, and some not-quite-quantum key distribution.

Links:
- RF Chirp tech: Long distance, incredible penetration, low bandwidth | Ars Technica — Recently, I took the company's technology for a spin with a pair of hand-held demo communicators about the size of a kid's walkie-talkie. They don't do much—just light up with a signal strength reading on both devices, whenever a transmit button on either is pressed—but that's enough to get a good indication of whether the tech will work to solve a given problem.
- Wi-Fi 6 Is Officially Here: Certification Program Begins — Finally, along with the launch of the certification program itself, the Wi-Fi Alliance has already certified its first dozen devices.
- Say hello to 802.11ax: Wi-Fi 6 device certification begins today | Ars Technica — Today, the Wi-Fi Alliance launched its Wi-Fi Certified 6 program, which means that the standard has been completely finalized, and device manufacturers and OEMs can begin the process of having the organization certify their products to carry the Wi-Fi 6 branding.
- Someone sent us 21 more pictures of the leaked Pixel 4 XL - The Verge
- iPhone 11, iPhone 11 Pro, and iPhone 11 Pro Max: Hands-on with Apple’s new phones | Ars Technica
- Some Chromebooks mistakenly declared themselves end-of-life last week | Ars Technica — A lot of Chromebook and Chromebox users don't realize this, but all ChromeOS devices have an expiration date. Google's original policy was for devices to be support

Episode 411: Mobile Security Mistakes
Sep 6, 2019 · 29 min

We take a look at a few recent zero-day vulnerabilities for iOS and Android and find targeted attacks, bad assumptions, and changing markets. Plus what to expect from USB4 and an upcoming Linux scheduler speed-up for AMD's Epyc CPUs.

Links:
- Google says hackers have put ‘monitoring implants’ in iPhones for years | Technology | The Guardian — Their location was uploaded every minute; their device’s keychain, containing all their passwords, was uploaded, as were their chat histories on popular apps including WhatsApp, Telegram and iMessage, their address book, and their Gmail database.
- Project Zero: A very deep dive into iOS Exploit chains found in the wild — We discovered exploits for a total of fourteen vulnerabilities across the five exploit chains: seven for the iPhone’s web browser, five for the kernel and two separate sandbox escapes.
- Project Zero: In-the-wild iOS Exploit Chain 1 — This exploit provides evidence that these exploit chains were likely written contemporaneously with their supported iOS versions; that is, the exploit techniques which were used suggest that this exploit was written around the time of iOS 10. This suggests that this group had a capability against a fully patched iPhone for at least two years.
- Project Zero: In-the-wild iOS Exploit Chain 3 — It’s difficult to understand how this error could be introduced into a core IPC library that shipped to end users. While errors are common in software development, a serious one like this should have quickly been found by a unit test, code review or even fuzzing.
- Project Zero: JSC Exploits — In this post, we will take a look at the WebKit exploits used to gain an initial foothold onto the iOS device and stage the privilege escalation exploits. All exploits here achieve shellcode execution inside the sandboxed renderer process (WebContent) on iOS.
- Project Zero: Implant Teardown — There is no visual indicator

Episode 410: Epyc Encryption
Aug 23, 2019 · 50 min

It's CPU release season and we get excited about AMD's new line of server chips. Plus our take on AMD's approach to memory encryption, and our struggle to make sense of Intel's Comet Lake line. Also, a few Windows worms you should know about, the end of the road for EV certs, and an embarrassing new Bluetooth attack.

Links:
- A detailed look at AMD’s new Epyc “Rome” 7nm server CPUs | Ars Technica — The short version of the story is, Epyc "Rome" is to the server what Ryzen 3000 was to the desktop—bringing significantly improved IPC, more cores, and better thermal efficiency than either its current-generation Intel equivalents or its first-generation Epyc predecessors.
- AMD Rome Second Generation EPYC Review: 2x 64-core Benchmarked — Ever since the Opteron days, AMD's market share has been rounded to zero percent, and with its first generation of EPYC processors using its new Zen microarchitecture, that number skipped up a small handful of points, but everyone has been waiting with bated breath for the second swing at the ball. AMD's Rome platform solves the concerns that first gen Naples had, plus this CPU family is designed to do many things: a new CPU microarchitecture on 7nm, offer up to 64 cores, offer 128 lanes of PCIe 4.0, offer 8 memory channels, and offer a unified memory architecture based on chiplets.
- AMD EPYC Rome Still Conquering Cascadelake Even Without Mitigations - Phoronix — Out of curiosity, I've run some unmitigated benchmarks for the various relevant CPU speculative execution vulnerabilities on both the Intel Xeon Platinum 8280 Cascadelake and AMD EPYC 7742 Rome processors for seeing how the performance differs.
- Intel’s line of notebook CPUs gets more confusing with 14nm Comet Lake | Ars Technica — Going by Intel's numbers, Comet Lake looks like a competent upgrade to its predecessor Whiskey Lake. The interesting question—and one largely left unanswered by Intel—is why the company has decided to launch a new line of 14nm notebook CPUs less than a month after launching Ice Lake, its first 10nm notebook CPUs.
- A look at the Windows 10 exploit Google Zero disclosed this week | Ars Technica

Episode 409: Privacy Perspectives
Aug 9, 2019 · 39 min

We examine why it's so difficult to protect your privacy online and discuss browser fingerprinting, when to use a VPN, and the limits of private browsing. Plus Apple's blaring Bluetooth beacons and Facebook's worrying plans for WhatsApp.

Links:
- Apple bleee. Everyone knows What Happens on Your iPhone – hexway — If Bluetooth is ON on your Apple device everyone nearby can understand current status of your device, get info about battery, device name, Wi-Fi status, buffer availability, OS version and even get your mobile phone number
- Facebook Plans on Backdooring WhatsApp - Schneier on Security — In Facebook's vision, the actual end-to-end encryption client itself such as WhatsApp will include embedded content moderation and blacklist filtering algorithms. These algorithms will be continually updated from a central cloud service, but will run locally on the user's device, scanning each cleartext message before it is sent and each encrypted message after it is decrypted.
- Signal — Privacy that fits in your pocket.
- xkcd: Security — Turns out it's a $5 wrench, even better!
- Jim Salter on Twitter — I wonder why #privacy wonks aren't talking about browser fingerprinting more frequently? Privacy Badger, Ghostery, etc don't do a damn thing to prevent or mitigate Canvas / WebGL #fingerprinting.
- Browser Fingerprinting: What Is It and What Should You Do About It? - PixelPrivacy — Browser fingerprinting is a powerful method that websites use to collect information about your browser type and version, as well as your operating system, active plugins, timezone, language, screen resolution and various other active settings.
- Canvas Fingerprinting - BrowserLeaks.com — The technique is based on the fact that the same canvas image may be rendered differently in different computers. This happens for several reasons. At the image format level – web browsers use different image processing engines, image export options and compression levels, so the final images may get different checksums even if they are pixel-identical. At the system level – operating systems have diffe

Episode 408: Apollo's ARC
Jul 26, 2019 · 35 min

We take a look at the amazing abilities of the Apollo Guidance Computer and Jim breaks down everything you need to know about the ZFS ARC. Plus an update on ZoL SIMD acceleration, your feedback, and an interesting new neuromorphic system from Intel.

Links:
- ZFS On Linux Has Figured Out A Way To Restore SIMD Support On Linux 5.0+ — Those running ZFS On Linux (ZoL) on post-5.0 (and pre-5.0 supported LTS releases) have seen big performance hits to the ZFS encryption performance in particular. That came due to upstream breaking an interface used by ZFS On Linux and admittedly not caring about ZoL due to it being an out-of-tree user. But now several kernel releases later, a workaround has been devised.
- ZFS On Linux Runs Into A Snag With Linux 5.0
- NixOS Takes Action After 1.2GB/s ZFS Encryption Speed Drops To 200MB/s With Linux 5.0+ — A NixOS developer reports that the functions no longer exported by Linux 5.0+ and previously used by ZoL for AVX/AES-NI support end up dropping the ZFS data-set encryption performance to 200MB/s whereas pre-5.0 kernels ran around 1.2GB/s
- Linux 5.0 compat: SIMD compatibility · zfsonlinux/zfs@e5db313 — Restore the SIMD optimization for 4.19.38 LTS, 4.14.120 LTS, and 5.0 and newer kernels. This is accomplished by leveraging the fact that by definition dedicated kernel threads never need to concern themselves with saving and restoring the user FPU state. Therefore, they may use the FPU as long as we can guarantee user tasks always restore their FPU state before context switching back to user space.
- no SIMD acceleration · Issue #8793 · zfsonlinux/zfs — 4.14.x, 4.19.x, 5.x all have no SIMD acceleration, it is like a turtle. very slow.
- Chris's Wiki :: ZFS on Linux still has annoying issues with ARC size — One of the frustrating things about operating ZFS on Linux is that the ARC size is critical but ZFS's auto-tuning of it is opaqu

Episode 407: Old School Outages
Jul 11, 2019 · 42 min

Jim shares his Nagios tips and Wes chimes in with some modern tools as we chat monitoring in the wake of some high-profile outages. Plus we turn our eye to hardware and get excited about the latest Ryzen line from AMD.

Links:
- Third parties confirm AMD’s outstanding Ryzen 3000 numbers | Ars Technica — AMD debuted its new Ryzen 3000 desktop CPU line a few weeks ago at E3, and it looked fantastic. For the first time in 20 years, it looked like AMD could go head to head with Intel's desktop CPU line-up across the board. The question: would independent, third-party testing back up AMD's assertions?
- The Internet broke today: Facebook, Verizon, and more see major outages | Ars Technica — Last week, Verizon caused a major BGP misroute that took large chunks of the Internet, including CDN company Cloudflare, partially down for a day. This week, the rest of the Internet has apparently asked Verizon to hold its beer.
- It was a really bad month for the internet | TechCrunch — In the past month there were several major internet outages affecting millions of users across the world. Sites buckled, services broke, images wouldn’t load, direct messages ground to a halt and calendars and email were unavailable for hours at a time.
- Cloudflare outage caused by bad software deploy (updated) — For about 30 minutes today, visitors to Cloudflare sites received 502 errors caused by a massive spike in CPU utilization on our network. This CPU spike was caused by a bad software deploy that was rolled back.
- How Verizon and a BGP Optimizer Knocked Large Parts of the Internet Offline Today — Today at 10:30UTC, the Internet had a small heart attack. A small company in Northern Pennsylvania became a preferred path of many Internet routes through Verizon (AS701), a major Internet transit provider.
- Getting started | Prometheus — Th

Episode 406: SACK Attack
Jun 24, 2019 · 43 min

A new vulnerability may be the next 'Ping of Death'; we explore the details of SACK Panic and break down what you need to know. Plus Firefox zero days targeting Coinbase, the latest update on Rowhammer, and a few more reasons it's a great time to be a ZFS user.

Links:
- SACK Panic Security Bulletin — Netflix has identified several TCP networking vulnerabilities in FreeBSD and Linux kernels. The vulnerabilities specifically relate to the Maximum Segment Size (MSS) and TCP Selective Acknowledgement (SACK) capabilities. The most serious, dubbed “SACK Panic,” allows a remotely-triggered kernel panic on recent Linux kernels.
- Ubuntu SACK Panic Guidance — You should update your kernel to the versions specified below in the Updates section and reboot. Alternatively, Canonical Livepatch updates will be available to mitigate these two issues without the need to reboot.
- Red Hat SACK Panic Advisory — Red Hat customers running affected versions of these Red Hat products are strongly recommended to update them as soon as errata are available. Customers are urged to apply the available updates immediately and enable the mitigations as they feel appropriate.
- RFC 2018 - TCP Selective Acknowledgment Options — TCP may experience poor performance when multiple packets are lost from one window of data. With the limited information available from cumulative acknowledgments, a TCP sender can only learn about a single lost packet per round trip time. An aggressive sender could choose to retransmit packets early, but such retransmitted segments may have already been successfully received. A Selective Acknowledgment (SACK) mechanism, combined with a selective repeat retransmission policy, can help to overcome these limitations.
- Ping of Death — In a nutshell, it is possible to crash, reboot or otherwise kill a large number of systems by sending a ping of a certain size from a remote machine.
- Firefox zero-day was used in attack against Coinbase employees, not its users | ZDNet — A recent Firefox zero-day that has made headlines across the tech news world this we

30 min
Jun 12, 2019 · Episode 405
Update Uncertainty

We explore the risky world of exposed RDP, from the brute force GoldBrute botnet to the dangerously wormable BlueKeep vulnerability. Plus the importance of automatic updates, and Jim's new backup box.

Links:
- Errata Security: Almost One Million Vulnerable to BlueKeep Vuln (CVE-2019-0708) — Microsoft announced a vulnerability in its "Remote Desktop" product that can lead to robust, wormable exploits. I scanned the Internet to assess the danger. I find nearly 1-million devices on the public Internet that are vulnerable to the bug.
- Even the NSA is urging Windows users to patch BlueKeep (CVE-2019-0708) | ZDNet — "[The] NSA is concerned that malicious cyber actors will use the vulnerability in ransomware and exploit kits containing other known exploits, increasing capabilities against other unpatched systems."
- Prevent a worm by updating Remote Desktop Services (CVE-2019-0708) – MSRC — This vulnerability is pre-authentication and requires no user interaction. In other words, the vulnerability is ‘wormable’, meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017.
- BlueKeep - everyone agrees, you should patch PCs running legacy versions of Windows — I have this horrible feeling that the only way we’re going to wake the world up to the need to patch their ageing versions of Windows against the BlueKeep vulnerability is to wait until a malicious worm begins to spread around the world.
- CVE-2019-0708 | Remote Desktop Services Remote Code Execution Vulnerability — A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-auth

33 min
May 26, 2019 · Episode 404
Prefork Pitfalls

We turn our eye to web server best practices, from the basics of CDNs to the importance of choosing the right multi-processing module. Plus the right way to set up PHP, the trouble with benchmarking, and when to choose NGiNX.

Links:
- Jim's Blog: Installing WordPress on Apache the modern way — It’s been bugging me for a while that there are no correct guides to be found about using modern Apache 2.4 or above with the Event or Worker MPMs. We’re going to go ahead and correct that lapse today, by walking through a brand-new WordPress install on a new Ubuntu 18.04 VM.
- Apache Performance Tuning — Apache 2.x is a general-purpose webserver, designed to provide a balance of flexibility, portability, and performance. Although it has not been designed specifically to set benchmark records, Apache 2.x is capable of high performance in many real-world situations.
- Tuning Your Apache Server
- worker - Apache HTTP Server Version 2.4 — This Multi-Processing Module (MPM) implements a hybrid multi-process multi-threaded server. By using threads to serve requests, it is able to serve a large number of requests with fewer system resources than a process-based server.
- event - Apache HTTP Server Version 2.4 — The event Multi-Processing Module (MPM) is designed to allow more requests to be served simultaneously by passing off some processing work to the listeners threads, freeing up the worker threads to serve new requests.
- PHP-FPM — PHP-FPM (FastCGI Process Manager) is an alternative PHP FastCGI implementation with some additional features useful for sites of any size, especially busier sites.
- FastCGI overview — FastCGI is a way to have CGI scripts execute time-consuming code (like opening a database) only once, rather than every time the script is loaded. In technical terms, FastCGI is a language independent, scalable, open extension to CGI that provides high performance without the limitations of server specific APIs.
- Alex

46 min
May 11, 2019 · Episode 403
Keeping Systems Simple

We’re back from LinuxFest Northwest with an update on all things WireGuard, some VLAN myth busting, and the trade-offs of highly available systems.

Links:
- TechSNAP Episode 390: What’s Up with WireGuard
- WireGuard Sent Out Again For Review — WireGuard lead developer Jason Donenfeld has sent out the ninth version of the WireGuard secure network tunnel patches for review. If this review goes well and lands in net-next in the weeks ahead, this long-awaited VPN improvement could make it into the mainline Linux 5.2 kernel.
- CloudFlare announces Warp VPN — Using Cloudflare’s existing network of servers, Internet users all over the world will be able to connect to Warp VPN through the 1.1.1.1 app. In the same vein, Warp VPN will not significantly increase battery usage by using an efficient protocol called WireGuard.
- CloudFlare Launches "BoringTun" As Rust-Written WireGuard User-Space Implementation - Phoronix — CloudFlare took to creating BoringTun as they wanted a user-space solution as not to have to deal with kernel modules or satisfying certain kernel versions. They also wanted cross platform support and for their chosen implementation to be very fast, these choices which led them to writing a Rust-based solution.
- cloudflare/boringtun — BoringTun is an implementation of the WireGuard® protocol designed for portability and speed.
- VPN protocol WireGuard now has an official macOS app — You can already download the WireGuard app on Android and iOS, but today’s release is all about macOS.
- WireGuard Windows Pre-Alpha — I've been mostly absent these last weeks, due to being completely absorbed in Windows programming. I think we're finally getting to the state where we might really benefit from testing of the "pre-alpha".
- Wintun – Layer 3 TUN Driver for Windows — Wintun is a very simple and mi

31 min
Apr 25, 2019 · Episode 402
Snapshot Sanity

We continue our take on ZFS as Jim and Wes dive into snapshots, replication, and the magic of copy-on-write. Plus some handy tools to manage your snapshots, rsync war stories, and more!

Links:
- sanoid: Policy-driven snapshot management and replication tools. — Sanoid is a policy-driven snapshot management tool for ZFS filesystems. When combined with the Linux KVM hypervisor, you can use it to make your systems functionally immortal.
- Syncoid — Sanoid also includes a replication tool, syncoid, which facilitates the asynchronous incremental replication of ZFS filesystems.
- Copy-on-write - Wikipedia
- ZFS Paper
- The Magic Behind APFS: Copy-On-Write — The brand-new Apple File System (APFS) that landed with macOS High Sierra brings a handful of important new features that rely on a technique called copy-on-write (CoW).
- Chapter 19. The Z File System (ZFS)

47 min
Apr 12, 2019 · Episode 401
Everyday ZFS

Jim and Wes sit down to bust some ZFS myths and share their tips and tricks for getting the most out of the ultimate filesystem. Plus when not to use ZFS, the surprising way your disks are lying to you, and more!

Links:
- ZFS - Ubuntu Wiki — ZFS is a combined file system and logical volume manager designed and implemented by a team at Sun Microsystems led by Jeff Bonwick and Matthew Ahrens.
- Performance tuning - OpenZFS — Make sure that you create your pools such that the vdevs have the correct alignment shift for your storage device's size. If dealing with flash media, this is going to be either 12 (4K sectors) or 13 (8K sectors).

32 min
Mar 29, 2019 · Episode 400
Supply Chain Attacks

We break down the ASUS Live Update backdoor and explore why these kinds of supply chain attacks are on the rise. Plus an update from the Linux Vendor Firmware Service, your feedback, and more!

Links:
- Joren Verspeurt on Twitter — The explanation you gave for unsupervised wasn't correct, that was just using a net that was trained in a supervised way. Unsupervised learning doesn't involve labels at all. A good example: clustering. You say "there are x clusters" and it learns a way of grouping similar items.
- Hackers Hijacked ASUS Software Updates to Install Backdoors on Thousands of Computers — The researchers estimate half a million Windows machines received the malicious backdoor through the ASUS update server, although the attackers appear to have been targeting only about 600 of those systems.
- Malicious updates for ASUS laptops — A threat actor modified the ASUS Live Update Utility, which delivers BIOS, UEFI, and software updates to ASUS laptops and desktops, added a back door to the utility, and then distributed it to users through official channels.
- Asus Live Update Patch Now Available — Asus has emitted a non-spyware-riddled version of Live Update for people to install on its notebooks, which includes extra security features to hopefully detect any future tampering.
- ASUS response to the recent media reports regarding ASUS Live Update tool attack by Advanced Persistent Threat (APT) groups — ASUS has also implemented a fix in the latest version (ver. 3.6.8) of the Live Update software, introduced multiple security verification mechanisms to prevent any malicious manipulation in the form of software updates or other means, and implemented an enhanced end-to-end encryption mechanism. At the same time, we have also updated and strengthened our server-to-end-user software architecture to prevent similar attacks from happening in the future.
- The Messy Truth About Infiltrating Computer Supp

38 min
Mar 16, 2019 · Episode 399
Ethics in AI

Machine learning promises to change many industries, but with these changes come dangerous new risks. Join Jim and Wes as they explore some of the surprising ways bias can creep in and the serious consequences of ignoring these problems.

Links:
- Microsoft’s neo-Nazi sexbot was a great lesson for makers of AI assistants — What started out as an entertaining social experiment—get regular people to talk to a chatbot so it could learn while they, hopefully, had fun—became a nightmare for Tay’s creators. Users soon figured out how to make Tay say awful things. Microsoft took the chatbot offline after less than a day.
- Microsoft's Zo chatbot is a politically correct version of her sister Tay—except she’s much, much worse — A few months after Tay’s disastrous debut, Microsoft quietly released Zo, a second English-language chatbot available on Messenger, Kik, Skype, Twitter, and Groupme.
- How to make a racist AI without really trying | ConceptNet blog — Some people expect that fighting algorithmic racism is going to come with some sort of trade-off. There’s no trade-off here. You can have data that’s better and less racist. You can have data that’s better because it’s less racist. There was never anything “accurate” about the overt racism that word2vec and GloVe learned.
- Microsoft warned investors that biased or flawed AI could hurt the company’s image — Notably, this addition comes after a research paper by MIT Media Lab graduate researcher Joy Buolamwini showed in February 2018 that Microsoft’s facial recognition algorithm was less accurate for women and people of color. In response, Microsoft updated its facial recognition models, and wrote a blog post about how it was addressing bias in its software.
- AI bias: It is the responsibility of humans to ensure fairness — Amazon recently pulled the plug on its experimental AI-powered recruitment engine when it was discovered that the machine learni

31 min
Mar 1, 2019 · Episode 398
Proper Password Procedures

We reveal the shady password practices that are all too common at many utility providers, and hash out why salts are essential to proper password storage. Plus the benefits of passphrases, and what you can do to keep your local providers on the up and up.

Links:
- Plain wrong: Millions of utility customers’ passwords stored in plain text | Ars Technica — In September of 2018, an anonymous independent security researcher (who we'll call X) noticed that their power company's website was offering to email—not reset!—lost account passwords to forgetful users. Startled, X fed the online form the utility account number and the last four phone number digits it was asking for. Sure enough, a few minutes later the account password, in plain text, was sitting in X's inbox.
- The LinkedIn Hack: Understanding Why It Was So Easy to Crack the Passwords — LinkedIn stated that after the initial 2012 breach, they added enhanced protection, most likely adding the “salt” functionality to their passwords. However, if you have not changed your password since 2012, you do not have the added protection of a salted password hash. You may be asking yourself–what on earth are hashing and salting and how does this all work?
- How Developers got Password Security so Wrong — As time has gone on, developers have continued to store passwords insecurely, and users have continued to set them weakly. Despite this, no viable alternative has been created for password security.
- Adding Salt to Hashing: A Better Way to Store Passwords — A salt is added to the hashing process to force their uniqueness, increase their complexity without increasing user requirements, and to mitigate password attacks like rainbow tables.
- Why Do Developers Get Password Storage Wrong? A Qualitative Usability Study — We were interested in exploring two particular aspects: Firstly, do developers get things wrong because they do not think about security and thus do not include security features (but could if they wanted to)?

40 min
Feb 15, 2019 · Episode 397
Quality Tools

Join Jim and Wes as they battle bufferbloat, latency spikes, and network hogs with some of their favorite tools for traffic shaping, firewalling, and QoS. Plus the importance of sane defaults and why netdata belongs on every system.

Links:
- Why you want QoS - Netdata Documentation — One of the features the Linux kernel has, but it is rarely used, is its ability to apply QoS on traffic. Even more interesting is that it can apply QoS to both inbound and outbound traffic.
- FireQOS Wiki — FireQOS is a helper to assist you in configuring traffic shaping on Linux.
- FireHOL - Linux firewalling and traffic shaping for humans — FireHOL is a language (and a program to run it) which builds secure, stateful firewalls from easy to understand, human-readable configurations. The configurations stay readable even for very complex setups.
- tc(8) man page — Traffic Control consists of the following:
  - SHAPING: When traffic is shaped, its rate of transmission is under control. Shaping may be more than lowering the available bandwidth - it is also used to smooth out bursts in traffic for better network behaviour. Shaping occurs on egress.
  - SCHEDULING: By scheduling the transmission of packets it is possible to improve interactivity for traffic that needs it while still guaranteeing bandwidth to bulk transfers. Reordering is also called prioritizing, and happens only on egress.
  - POLICING: Where shaping deals with transmission of traffic, policing pertains to traffic arriving. Policing thus occurs on ingress.
  - DROPPING: Traffic exceeding a set bandwidth may also be dropped forthwith, both on ingress and on egress.
- Overview of Traffic Control Concepts — Traffic control is the name given to the sets of queuing systems and mechanisms by which packets are received and transmitted on a router. This includes deciding which (and whether) packets to accept at what rate on the input of an interface and determining which packets to transmit in what order at what rate on the output of an interface.
- Advanced traffic control - ArchWiki
- Journey to the Center of the Linux Kernel: Traffic Control, Shaping and QoS (http://wiki.linuxwall.info/doku.php/en:ressources:dossiers:networking:traffic_control)

27 min
Feb 1, 2019 · Episode 396
Floating Point Problems

Jim and Wes are joined by OpenZFS developer Richard Yao to explain why the recent drama over Linux kernel 5.0 is no big deal, and how his fix for the underlying issue might actually make things faster. Plus the nitty-gritty details of vectorized optimizations and kernel preemption, and our thoughts on the future of the relationship between ZFS and Linux.

Special Guest: Richard Yao.

Links:
- LinuxFest Northwest 2019 — Join a bunch of JB hosts and community celebrating the 20th anniversary!
- Choose Linux — The show that captures the excitement of discovering Linux.
- Linux 5.0: _kernel_fpu{begin,end} no longer exported — The latest kernels removed the old compatibility headers.
- ZFS On Linux Landing Workaround For Linux 5.0 Kernel Support — So while these symbols are important for SIMD vectorized checksums for ZFS in the name of performance, with Linux 5.0+ they are not going to be exported for use by non-GPL modules. ZFS On Linux developer Tony Hutter has now staged a change that would disable vector instructions on Linux 5.0+ kernels.
- Re: x86/fpu: Don't export __kernel_fpu_{begin,end}() — My tolerance for ZFS is pretty non-existent. Sun explicitly did not want their code to work on Linux, so why would we do extra work to get their code to work properly?
- The future of ZFS in FreeBSD — This state of affairs has led to a general agreement among the stakeholders that I have spoken to that it makes sense to rebase FreeBSD's ZFS on ZoL. Brian Behlendorf has graciously encouraged me to add FreeBSD support directly so that we might all have a single shared code base.
- Delphix: Kickoff to The Future — OpenZFS has grown over the last decade, and delivering our application on Linux provides great OpenZFS support while enabling higher velocity adoption of new environments.
- The future of ZFS on Linux [zfs-discuss] — Do you realize that we

33 min
Jan 21, 2019 · Episode 395
The ACME Era

We welcome Jim to the show, and he and Wes dive deep into all things Let’s Encrypt. The history, the clients, and the from-the-field details you'll want to know.

Links:
- Let’s Encrypt and CertBot – JRS Systems
- Automatic Certificate Management Environment (ACME) — The surprisingly readable IETF draft.
- How It Works - Let's Encrypt
- ACME Client Implementations
- Certbot — Certbot is EFF's tool to obtain certs from Let's Encrypt.
- acme-nginx: python acme client for nginx — A particularly simple client that is useful for understanding the protocol details.
- Caddy - The HTTP/2 Web Server with Automatic HTTPS
- mod_md: Let's Encrypt (ACME) support for Apache httpd
- Traefik - The Cloud Native Edge Router
- Looking Forward to 2019 - Let's Encrypt — We’re now serving more than 150 million websites while maintaining a stellar security and compliance track record. Most importantly though, the Web went from 67% encrypted page loads to 77% in 2018, according to statistics from Mozilla. This is an incredible rate of change!
- Let's Encrypt ACME v2 API Announcements — Now that the draft standard is in last-call and the pace of major changes has slowed, we’re able to release a “v2” API that is much closer to what will become the final ACME RFC.
- Let's Encrypt disables TLS-SNI-01 validation — The researcher noticed that "at least two" large hosting providers host many users on the same IP addres

26 min
Jan 10, 2019 · Episode 394
All About Azure

Wes is joined by a special guest to take a look back on the growth and development of Azure in 2018 and discuss some of its unique strengths.

Special Guest: Chad M. Crowell.

Links:
- Under the sea, Microsoft tests a datacenter that’s quick to deploy, could provide internet connectivity for years
- An Azure Infrastructure Year in Review
- Azure File Sync now generally available
- Microsoft's Newest OS is Based on Linux
- Azure Sphere
- What is Azure Stack?
- Azure Outage Proves the Hard Way Availability Zones are a Good Idea
- Microsoft Azure Infrastructure and Deployment on Linux Academy — In this course, we will cover an introduction to the Azure portal, followed by how to build infrastructure and deploy that infrastructure in real world scenarios.
- Chad Crowell on Twitter

22 min
Jan 3, 2019 · Episode 393
Back to our /roots

In a special New Year’s episode we take a moment to reflect on the show’s past, its future, and say goodbye to an old friend.

Links:
- Jim Salter — Jim Salter (@jrssnet) is an author, public speaker, small business owner, mercenary sysadmin, and father of three—not necessarily in that order. He got his first real taste of open source by running Apache on his very own dedicated FreeBSD 3.1 server back in 1999, and he's been a fierce advocate of FOSS ever since.
- Jim Salter on Twitter
- Dropbox Flaws | TechSNAP 1
- PSN Breach Details | TechSNAP 3
- 2089 Days Uptime | TechSNAP 300

27 min
Dec 13, 2018 · Episode 392
Keeping up with Kubernetes

A security vulnerability in Kubernetes causes a big stir, but we’ll break it all down and explain what went wrong. Plus the biggest stories out of Kubecon, and serverless gets serious.

Links:
- Everything that was announced at KubeCon
- CNCF to Host etcd — The Cloud Native Computing Foundation Technical Oversight Committee voted to accept etcd as an incubation-level hosted project.
- Introduction to Knative — Knative is a framework from the folks at Google and Pivotal focused on “serverless” style event driven functions.
- IBM Embraces Knative to Drive Serverless Standardization — Knative is not the first open-source functions-as-a-service effort that IBM has backed. Back in 2016, IBM announced the OpenWhisk effort, which is now run as an open-source project at the Apache Software Found.
- How Google Is Improving Kubernetes Container Security — "We go beyond what's in open source and put additional restrictions in place to secure users"
- Demystifying Kubernetes CVE-2018-1002105 — With a specially crafted request, users that are authorized to establish a connection through the Kubernetes API server to a backend server can then send arbitrary requests over the same connection directly to that backend, authenticated with the Kubernetes API server’s TLS credentials used to establish the backend connection.
- The silent CVE in the heart of Kubernetes apiserver
- Crossplane: An Open Source Multicloud Control Plane
- security.christmas — This year we will prepare you for the Christmas celebration, by giving you small presents of knowledge every day, which will teach you about

21 min
Nov 29, 2018 · Episode 391
Firecracker Fundamentals

We break down Firecracker, Amazon’s new open source KVM-powered virtual machine monitor, and explore what makes it different from the options on the market now. Plus some good news for OpenBGPD and the wider internet community, and a handy tool for inspecting Docker images.

Links:
- Firecracker – Lightweight Virtualization for Serverless Computing — Firecracker is an open source virtualization technology that is purpose-built for creating and managing secure, multi-tenant containers and functions-based services.
- Firecracker — Firecracker is an open source virtualization technology that is purpose-built for creating and managing secure, multi-tenant containers and functions-based services.
- Firecracker Design Docs
- Firecracker Roadmap
- QEMU — QEMU is a generic and open source machine emulator and virtualizer.
- Qemu : Security vulnerabilities
- VENOM Vulnerability — VENOM, CVE-2015-3456, is a security vulnerability in the virtual floppy drive code used by many computer virtualization platforms. This vulnerability may allow an attacker to escape from the confines of an affected virtual machine (VM) guest and potentially obtain code-execution access to the host.
- s2n — s2n is a C99 implementation of the TLS/SSL protocols that is designed to be simple, small, fast, and with security as a priority.
- OpenBGPD - Adding Diversity to the Route Server Landscape — Thanks to the RIPE NCC Community Project Fund we were able to revive the OpenBGPD daemon and bring more diversity to the Route Server landscape.
- OpenBGPD — OpenBGPD is a FREE implementation of the Border Gateway Protocol, Version 4. It allows ordinary machines to be used as routers exchanging routes with other systems speaking the BGP protocol.

34 min
Nov 22, 2018 · Episode 390
What’s Up with WireGuard

WireGuard has a lot of buzz around it and for many good reasons. We’ll explain what WireGuard is specifically, what it can do, and maybe more importantly, what it can’t.

Special Guest: Jim Salter.

Links:
- How to easily configure WireGuard — At its core, all WireGuard does is create an interface from one computer to another.
- Jessie Frazelle's Blog: Installing and Using Wireguard, obviously with containers — What is cool about Wireguard is it integrates into the Linux networking stack.
- WireGuard Didn't Make it To The Mainline Linux Kernel This Cycle — The code continues to be improved upon but looks like it came up just short of making it into this current development cycle.
- WireGuard VPN review: A new type of VPN offers serious advantages — Fewer lines of code, simpler setup, and better algorithms make a strong case.
- The Current Status of WireGuard VPNs - Are We There Yet?
- Using a free VPN? Why not skip the middleman and just send your data to President Xi?
- Feedback from Cody
- NRE Labs — NRE Labs is a no-strings-attached, community-centered initiative to bring the skills of automation within reach for everyone
- Introduction to Antidote — Antidote is an open-source project aimed at making automated network operations more accessible with fast, easy and fun learning.
- StackStorm — From simple if/then rules to complicated workflows, StackStorm lets you automate DevOps your way.
- wireguard-private-networking: B

43 min
Nov 15, 2018 · Episode 389
The Future of HTTP

Wes is joined by special guest Jim Salter to discuss Google's recent BGP outage and the future of HTTP. Plus the latest router botnet, why you should never go full UPnP, and the benefits of building your own home router.

Special Guest: Jim Salter.

Links:
- Google goes down after major BGP mishap routes traffic through China — Google lost control of several million of its IP addresses for more than an hour on Monday in an event that intermittently made its search and other services unavailable to many users.
- Internet Vulnerability Takes Down Google
- China has been 'hijacking the vital internet backbone of western countries'
- RPKI - The required cryptographic upgrade to BGP routing
- HTTP/3 — The protocol that's been called HTTP-over-QUIC for quite some time has now changed name and will officially become HTTP/3.
- HTTP/3: Come for the speed, stay for the security
- The Road to QUIC
- Botnet pwns 100,000 routers using ancient security flaw — Researchers have stumbled on another large botnet that’s been quietly hijacking home routers while nobody was paying attention
- BCMPUPnP_Hunter: A 100k Botnet Turns Home Routers to Email Spammers
- From Zero to ZeroDay Journey: Router Hacking
- The Ars guide to building a Linux r

36 min
Oct 25, 2018 · Episode 388
The One About eBPF

We explain what eBPF is, how it works, and its proud BSD production legacy. eBPF is a technology that you’re going to be hearing more and more about. It powers low-overhead custom analysis tools, handles network security in a containerized world, and powers tools you use every day.

Links:
- Chris Goes to MeetBSD
- Linus Torvalds talks about coming back to work on Linux | ZDNet — BPF has actually been really useful, and the real power of it is how it allows people to do specialized code that isn't enabled until asked for.
- The Kernel Report - Jonathan Corbet
- BPF - the forgotten bytecode — All this changed in 1993 when Steven McCanne and Van Jacobson published the paper introducing a better way of filtering packets in the kernel, they called it "The BSD Packet Filter" (BPF)
- The BSD Packet Filter
- eBPF: Past, Present, and Future — The Extended Berkeley Packet Filter, or eBPF, has rapidly been adopted into a number of Linux kernel systems since its introduction into the Linux kernel in late 2014. Understanding eBPF, however, can be difficult as many try to explain it via a use of eBPF as opposed to its design. Indeed eBPF's name indicates that it is for packet filtering even though it now has uses which have nothing to do with networking.
- Using eBPF in Kubernetes — Cilium is a networking project that makes heavy use of eBPF superpowers to route and filter network traffic for container-based systems. By using eBPF, Cilium can dynamically generate and apply rules—even at the device level with XDP—without making changes to the Linux kernel itself
- Why is the kernel community replacing iptables with BPF? — The Linux kernel community recently announced bpfilter, which will replace the long-standing in-kernel implementation of iptables with high-performance network filtering powered by Linux BPF, all while guarant

33 min
Oct 12, 2018 · Episode 387
Private Cloud Building Blocks

We bring in Amy Marrich to break down the building blocks of OpenStack. There are nearly an overwhelming number of ways to manage your infrastructure, and we learn about one of the original tools. Plus a few warm up stories, a war story, and more.

Special Guest: Amy Marrich.

Links:
- James Stanley - Someone used my IPFS gateway for phishing
- Scaling Engineering Teams via Writing Things Down and Sharing — I have recently been talking at small and mid-size companies, sharing engineering best practices I see us use at Uber, which I would recommend any tech company adopt as they are growing. The one topic that gets both the most raised eyebrows, as well the most "aha!" moments is the one on how the planning process for engineering has worked since the early years of Uber.
- Say hello to Kata Containers — Kata Containers bridges the gap between traditional VM security and the lightweight benefits of traditional Linux containers.
- Disappearing videos and disappointed grandmothers — Here's another story about broken things with some of the details changed just a little. If it sounds familiar, it's probably because your company also did it at some point.

34 min
Oct 4, 2018 · Episode 386
What Makes Google Cloud Different

We bring on our Google Cloud expert and explore the fundamentals, demystify some of the magic, and ask what makes Google Cloud different. Plus how Google hopes Roughtime will solve one of the web’s biggest problems, some great emails, and more!

Special Guest: Matt Ulasien.

Links:
- Cloudflare Embraces Google Roughtime, Giving Internet Security a Boost — The internet infrastructure firm Cloudflare will now support a free timekeeping protocol known as Roughtime, which helps synchronize the internet's clocks and validate timestamps.
- Roughtime: Securing Time with Digital Signatures — Roughtime lacks the precision of NTP, but aims to be accurate enough for cryptographic applications, and since the responses are authenticated, man-in-the-middle attacks aren’t possible
- Google Cloud rolls out security feature for container images — All container images built using Cloud Build, Google's fully-managed CI/CD platform, will now be automatically scanned for OS package vulnerabilities
- Tweets by Matthew Ulasien (@mulasien)
- Google Cloud Weekly | 10.03.2018
- Matthew Ulasien - Quora
- Google Certified Professional Cloud Architect
- Feedback: Can't Even Google This One!
- Feedback: The Button Pusher Problem
- Feedback: Can I monitor that?
- Pingdom
- Site24x7
- prometheus/blackbox_exporter: Blackb

23 min
Sep 27, 2018 · Episode 385
3 Things to Know About Kubernetes

Kubernetes expert Will Boyd joins us to explain the top 3 things to know about Kubernetes, when it’s the right tool for the job, and building highly available production grade clusters. Plus the privacy improvements that could be coming to HTTPS, and a new SSH auditing tool hits the open source scene.

Special Guest: Will Boyd.

Links:
- Open Sourcing HASSH — HASSH is a network fingerprinting standard invented within the Detection Cloud team at Salesforce.
- ESNI: A Privacy-Protecting Upgrade to HTTPS — Today, Cloudflare is announcing a major step toward closing this privacy hole and enhancing the privacy protections that HTTPS offers. Cloudflare has proposed a technical standard for encrypted SNI, or “ESNI,” which can hide the identities of the sites you visit—particularly when a large number of sites are hosted on a single set of IP addresses
- What's new in Kubernetes 1.12?
- Kubernetes the Hard Way — Kubernetes The Hard Way guides you through bootstrapping a highly available Kubernetes cluster with end-to-end encryption between components and RBAC authentication.
- Install Minikube
- Creating a single master cluster with kubeadm
- 10 open-source Kubernetes tools for highly effective SRE and Ops Teams
- Clonezilla — Clonezilla is a partition and disk imaging/cloning program similar to True Image or Norton Ghost.

37 min
Sep 21, 2018Episode 384
Interplanetary Peers

Jon the Nice Guy joins Wes to discuss all things IPFS. We'll explore what it does, how it works, and why it might be the best hope for a decentralized internet. Plus, Magecart strikes again, Alpine has package problems, and why you shouldn't trust Western Digital's MyCloud.
Special Guest: Jon Spriggs.
Links:
GovPayNow.com Leaks 14M+ Records — Government Payment Service Inc. has leaked more than 14 million customer records dating back at least six years, including names, addresses, phone numbers and the last four digits of the payer’s credit card.
Magecart claims another victim in Newegg merchant data theft — Researchers from RiskIQ, together with Volexity, revealed that California-based retailer Newegg is the latest well-known merchant to succumb to the threat actors.
RiskIQ: Another Victim of the Magecart Assault Emerges
Password bypass flaw in Western Digital My Cloud drives puts data at risk — A security researcher has published details of a vulnerability in Western Digital’s My Cloud devices, which could allow an attacker to bypass the admin password on the drive, gaining complete control over the user’s data.
WD MyCloud Metasploit Example
Cloudflare goes InterPlanetary — Today we’re excited to introduce Cloudflare’s IPFS Gateway, an easy way to access content from the InterPlanetary File System (IPFS) that doesn’t require installing and running any special software on your computer.
End-to-End Integrity with IPFS — This post describes how to use Cloudflare's IPFS gateway to set up a website which is end-to-end secure, while maintaining the performance and reliability benefits of being served from Cloudflare’s edge network.
How permanent is data stored on IPFS?
Lesson: Add Content to IPFS and Retrieve It · Decentralize

51 min
Sep 14, 2018Episode 383
The Power of Shame

TechSNAP progenitor and special guest Allan Jude joins us to talk mobile security, hand out some SSH tips and tricks, and discuss why security shaming works so well. Plus, how Mozilla is protecting their GitHub repos, a check-in on Equifax, and some great picks.
Special Guest: Allan Jude.
Links:
Protecting Mozilla’s GitHub Repositories from Malicious Modification
British Airways: Suspect code that hacked fliers 'found'
A year later, Equifax lost your data but faced little fallout
Security Implications of SSH Forwarding
sshd_config manual
SSH Chaining (for jumphosts)
Troy Hunt posts a blog where he argues in favour of publicly shaming companies for bad security
Your phone is NOT your password
Select Star SQL: an interactive book which aims to be the best place to learn SQL
Source Of Evil – A Botnet Code Collection
xsv: A fast CSV command line toolkit written in Rust

44 min
Sep 7, 2018Episode 382
Domestic Disappointments

We’re joined by a special guest to discuss the failures of campaign security, the disastrous consequences of a mismanaged firewall, and the suspicious case of Speck. Plus the latest vulnerabilities in Wireshark and OpenSSH, the new forensic hotness from Netflix, and some great introductions to cryptography.
Special Guest: Martin Wimpress.
Links:
I’m teaching email security to Democratic campaigns. It’s as bad as 2016.
Botched CIA Communications System Helped Blow Cover of Chinese Agents
NSA-Designed Speck Algorithm to Be Removed From Linux 4.20
Vulnerability Affects All OpenSSH Versions Released in the Past Two Decades
Wireshark can be crashed via malicious packet trace files
Service provider story about tracking down TCP RSTs
The case of the 500-mile email
Diffy: A cloud-centric triage tool for digital forensics and incident response
An intensive introduction to Cryptography
The Manga Guide to Cryptography | No Starch Press

23 min
Aug 29, 2018Episode 381
Here Comes Cloud DNS

To make DNS more secure, we must move it to the cloud! At least that’s what Mozilla and Google suggest. We break down DNS-over-HTTPS, why it requires a “cloud” component, and the advantages it has over traditional DNS. Plus new active attacks against Apache Struts, and a Windows 10 zero-day exposed on Twitter.
Sponsored By:
Digital Ocean: Apply our promo snapocean after you create your account, and get a $10 credit. Promo Code: snapocean
Ting: Save $25 off a device, or get $25 in service credits! Promo Code: Visit techsnap.ting.com
iXSystems: Get a system purpose built for you. Promo Code: Tell them we sent you!
Links:
Firefox Nightly Secure DNS Experimental Results
DNS-over-HTTPS
DNS over HTTPS
A cartoon intro to DNS over HTTPS
Discussion of draft-ietf-doh-dns-over-https in the IETF's DOH Working Group
High performance DNS over HTTPS client & server
Cloudflare Resolver for Firefox
Active Attacks Detected Using Apache Struts Vulnerability CVE-2018-11776
Windows 10 Zero-Day Vulnerability Exposed On Twitter
Netdata: Get control of y
