Is anything going on in the InfoSec arena this week? I couldn’t tell. If you have been under a rock this week I have some news for you. There are two vulnerabilities in CPU designs that essentially turn everything we thought we knew about computer security on its head. Meltdown and Spectre are vulnerabilities affecting virtually all modern CPUs. I don’t think I could ever visualize a complete picture of all the vulnerable systems that are impacted. But, to put it in perspective, my first Windows PC was a used Dell something or other with a 486 DX2 66 MHz CPU I got back in 1995. If I still had it, I would not need to patch it. But, if you have a 120 MHz Intel Pentium CPU-based system lying around, it’s impacted.
The blast radius of these vulnerabilities is massive. Considering that, I am making a new section of the newsletter this week dedicated to Meltdown and Spectre. The reason for this is twofold: 1) There’s so much information in this space it could be a newsletter edition all by itself. 2) You might have some fatigue from these vulnerabilities. I don’t want you to skip over other awesome things in the newsletter. Scroll down past Tools for the Meltdown and Spectre section. Stay vigilant, keep your eyes open for patches, and rest assured Linus is PISSED.
Two personal notes:
- I ran my first Kubernetes Community meeting this week (and it was awesome)! Kubernetes 1.10 is coming Wednesday, March 21st.
- I have some job news coming very soon so stay tuned to chrisshort.net.
GoCD — Open Source Continuous Delivery Server
GoCD is a continuous delivery tool supporting modern infrastructure with elastic on-demand agents and cloud deployments. With GoCD, you can easily model, orchestrate and visualize complex workflows from end to end. It’s open source, free to use and download. SPONSORED
People
Vincent Batts: An Open Source Career from KDE to OCI: Vincent is a friend, and an absolutely wonderful person. It’s awesome to see him get the recognition he deserves.
20 years of the Open Source Initiative (OSI): The ‘open source’ label itself was created at a strategy session held by members of the group that we now call the Open Source Initiative (OSI) on February 3rd, 1998 in Palo Alto, California USA.
What Would Really Happen If Russia Attacked Undersea Internet Cables
How and why we teach non-engineers to use GitHub at Thread
Taking the Certified Kubernetes Administrator Exam
Top 21 conferences for DevOps and sysadmins in 2018
What I learned in 2017 Writing Go
“Oh My God, This Is So F---ed Up”: Inside Silicon Valley’s Secretive, Orgiastic Dark Side
Process
Docker, Inc isn’t Dead: Dylan Stamat of iron.io responded to my Docker Inc is Dead story. I’m not quite sure Dylan’s response is outright disproving anything I wrote (it might actually reinforce it), but it’s interesting to see opposing opinions.
The evolution of Fastly’s Open Source and Nonprofit Program: supporting an ethical and open internet
The Limitations of Chaos Engineering: It’s evident that Chaos Engineering has become a technology trend, with more and more companies adopting it.
Creative ways to encourage the integration of DevOps processes
Selecting a Cloud Provider by Etsy
The future of DevOps is mastery of multi-cloud environments
It’s 2018 and your Docker containers need to be secure
Tools
The DevOps Glossary: Whether you’re new to the world of DevOps or a seasoned guru looking to brush up on pesky terminology, look no further. This glossary covers some of the core definitions you and your team need to know.
Staging endpoint for ACME v2: The Let’s Encrypt wildcard certs are coming.
7 systems engineering and operations trends to watch in 2018
9 New Programming Languages To Learn In 2018
Top 5: Best of 2017, the future of DevOps, and more
Get Started with Spinnaker on Kubernetes: A walkthrough on how to run Spinnaker on Minikube.
A Brief History of sed: Their story is interesting, not least because it can’t be told without mentioning many acknowledged giants of computer science. It’s especially interesting when you interpret it in the context of all the other emerging parts of the nascent UNIX ecosystem that were also in motion at the time.
Kubernetes, OpenShift build hybrid cloud outside Silicon Valley
These Kubernetes developments make the platform ripe to explode in 2018
kubernetes-incubator/kube-arbitrator: kube-arbitrator provides policy based resource sharing for a Kubernetes cluster.
samoshkin/docker-letsencrypt-certgen: Docker image that lets you generate, renew, and revoke RSA and/or ECDSA SSL certificates from the LetsEncrypt CA using the certbot and acme.sh clients in an automated fashion.
khenidak/dysk: Dysk mounts Azure disks as Linux block devices directly on VMs without dependency on the host. Dysks can be used within Azure VMs or on-prem machines.
alexellis/mine-with-docker: This repository contains Docker images that let you get from zero to mining in around 5 minutes on any Linux host anywhere.
Meltdown and Spectre
Intel’s CEO reportedly sold shares after the company already knew about massive security flaws
Nearly Every Computer Made Since 1995 Is Dangerously Flawed. Here’s What You Need to Know. (I tech reviewed this article before it was published)
“Meltdown” and “Spectre”: Every modern processor has unfixable security flaws
Apple Says All Macs, iPhones and iPads Exposed to Chip Security Flaws
An Update on AMD Processor Security
Processor Speculative Execution Research Disclosure via AWS
A collection of Meltdown/Spectre postings via LWN.net
Addressing Meltdown and Spectre in the kernel via LWN.net
Guide to Meltdown / Spectre CPU Vulnerabilities via Packet
Why Raspberry Pi isn’t vulnerable to Spectre or Meltdown: “Both vulnerabilities exploit performance features (caching and speculative execution) common to many modern processors to leak data via a so-called side-channel attack. Happily, the Raspberry Pi isn’t susceptible to these vulnerabilities, because of the particular ARM cores that we use.”
How a researcher hacked his own computer and found ‘worst’ chip flaw
Intel Issues Updates to Protect Systems from Security Exploits
Mitigations landing for new class of timing attack via Mozilla
Initial Benchmarks Of The Performance Impact Resulting From Linux’s x86 Security Changes
Intel facing multiple class action suits over chip security flaw: As you can imagine, Linus is not the only one pissed about Meltdown and Spectre.
Why Intel x86 must die: Our cloud-centric future depends on open source chips
dig +short txt istheinternetonfire.com
DevOps’ish Tweet of the Week
Fun new game this week: Figure out if your Chrome CPU usage is so high because of a JavaScript cryptominer delivered through a compromised ad, or if someone is dumping your kernel memory with JavaScript delivered through a compromised ad.
— SwiftOnSecurity (@SwiftOnSecurity) January 4, 2018