Hi everyone!
Welcome to cron.weekly issue #156.
Back after a small break, and boy have I got a big issue for you today! So much has happened in the last 2 weeks, it’s quite hard to keep up.
Sit back, buckle up, enjoy your morning ☕ and happy reading!
News & general
A world of ARM
Here’s a small summary of things that stood out to me in the previous weeks regarding Apple & ARM. I know many of you are reading this on an Apple device or have a development workflow that runs on Mac.
So Apple released its Apple Silicon M1 chip, and it outperforms the fastest Intel Mac they currently ship. That’s a highly optimized ARM chip outperforming Intel.
Since this is a new architecture, some problems are to be expected. For now, at least, Docker doesn’t work yet. Neither does VirtualBox.
Most tools will just work, as x86-64 can be emulated. The folks at Fortran/R have written about their experience compiling R natively for the M1 chip.
Seeing these performance improvements makes me even more excited for ARM-based servers. Lower energy consumption & higher performance? Sign me up!
Guido van Rossum joins Microsoft
I decided that retirement was boring and have joined the Developer Division at Microsoft. To do what? Too many options to say! But it’ll make using Python better for sure (and not just on Windows :-). There’s lots of open-source here. Watch this space.
From creating the Python language to joining Microsoft, quite the move!
Intent to Remove: HTTP/2 and gQUIC server push
Chromium (aka: Google Chrome browser) is intending to remove the use of HTTP/2 and the ability to do server-side push, in favor of HTTP/3.
HTTP/2 allows servers to “push” a resource that the client will likely need before the client actually requests it. The specification allows the client to reject the pushed resource at its discretion.
Chrome currently supports handling push streams over HTTP/2 and gQUIC, and this intent is about removing support over both protocols. Chrome does not support push over HTTP/3 and adding support is not on the roadmap.
Since server push is not used in the wild (“99.95% of HTTP/2 connections created by Chrome never received a pushed stream”) and wasn’t that effective (“push over HTTP/2 either does not change performance or improves performance marginally when used with certain restrictions”), Chrome is removing it altogether.
How to get root on Ubuntu 20.04 by pretending nobody’s /home
Heads-up: there’s a pretty straightforward way to escalate privileges on Ubuntu 20.04 Desktop (requires GUI), allowing a non-root user to create a user with admin-level privileges.
Let’s Encrypt to start signing certs with own root certificate
Let’s Encrypt will start signing certificates with its own root certificate, ISRG Root X1. It was included in the Root Certificate program in 2016, but there are still plenty of devices online that haven’t received updates since then (#TheHorror).
Currently, 66.2% of Android devices are running version 7.1 or above. The remaining 33.8% of Android devices will eventually start getting certificate errors when users visit sites that have a Let’s Encrypt certificate. In our communications with large integrators, we have found that this represents around 1-5% of traffic to their sites. Hopefully these numbers will be lower by the time DST Root X3 expires next year, but the change may not be very significant.
They’ll start issuing certificates based on their own root as of January 11, 2021.
Something to be aware of when you’re using Let’s Encrypt!
Chrome to start using its own Root Certificate store
The Chrome browser is going to stop using the OS-level root certificates, and will instead moderate & manage its root certificates itself, inside the browser. The timing is still unknown, but their plan to proceed is outlined in this post.
This follows in the footsteps of Firefox, which already does this. It may solve the Let’s Encrypt problem I wrote about above, as long as those old Android devices still receive Chrome updates.
EU Draft Council Declaration Against Encryption (PDF)
So this is another troublesome legislation proposal: the EU would like to ban any form of end-to-end encryption that doesn’t include a backdoor of some sort.
Deprecating scp
The scp tool has been deprecated, and it’ll soon stop being supported. This post gives some background to the why and looks at what tooling could replace scp instead.
NAT Slipstreaming
This is fascinating new research: NAT Slipstreaming allows an attacker to remotely access any TCP/UDP service bound to a victim machine, bypassing the victim’s NAT/firewall (arbitrary firewall pinhole control), just by the victim visiting a website.
Tools & Projects
logseq
Use it to organize your todo list, to write your journals, or to record your unique life. Logseq is an open-source platform for knowledge sharing and management. It focuses on privacy, longevity, and user control.
Kubernetes security ebook - tips & tricks
Download this ebook, from StackRox, to learn how to (1) build secure images and prevent untrusted/vulnerable code, (2) configure K8s RBAC, network policies, and runtime privileges, (3) detect unauthorized runtime activity, and (4) secure your K8s control plane and node components such as the API server.
You can download this ebook now! Sponsored
gping
Gping is ping, but with a graph.
ioping
A tool to monitor I/O latency in real time. It shows disk latency in the same way as ping shows network latency.
gatus
A status page / service health dashboard written in Go that is meant to be used as a docker image with a custom configuration file. If you don’t want to self-host this kind of thing, of course give Oh Dear a try. :-)
dog
dog is an open-source DNS client for the command-line. It has colourful output, supports the DoT and DoH protocols, and can emit JSON.
Smallstep - Single Sign On SSH. Zero key mgmt
Smallstep SSH delivers an end-to-end workflow that marries modern identity providers with short-lived SSH certificates. Eliminate TOFU warnings and drop complex key approval & distribution processes. Extend single sign-on to SSH and make SSH keys ephemeral.
Give it a try, it’s free. Sponsored
22120
22120 allows you to use your browser history as a self-hosted, offline, internet.
typesense
Typesense is a fast, typo-tolerant search engine for building delightful search experiences.
influxdb 2.0
A new major version of InfluxDB, including Flux (a functional data scripting language designed for querying & analyzing), templates & stacks.
teler
teler is a real-time http intrusion detection and threat alert based on access logs. It analyzes logs and identifies suspicious activity in real-time, can send notifications via Slack/Telegram/Discord & more.
Mutt 2.0
My favorite way to test this newsletter’s TXT view has a new major version out! Nothing major actually, just some minor backwards incompatible changes that force a new major version number.
kraken
Kraken is a P2P-powered Docker registry that focuses on scalability and availability. It is designed for Docker image management, replication and distribution in a hybrid cloud environment.
ibis
This PHP tool helps you write eBooks in markdown. Run ibis build and an eBook will be generated with a cover photo, clickable auto-generated table of contents, & code syntax highlighting.
Ox editor
Ox is a fast text editor that runs in your terminal. Ox is a text editor with IDE-like features.
groot
GRoot is a static verification tool for DNS. GRoot consumes a collection of zone files along with a collection of user-defined properties and systematically checks if any input to DNS can lead to violation of the properties.
Guides & Tutorials
Migrating Large Heroku Postgres Instances to AWS Aurora without Downtime
This article goes into great detail for moving a multi-TB PostgreSQL database to AWS, with all the commands & configs you could need along the way.
Decrypting OpenSSH sessions for fun and profit
Very interesting: it’s possible to read the session keys OpenSSH generates from memory, and use that information to decrypt any SSH sessions that were recorded.
Postgres Observability
This is a very useful website showing all the stat & debug tooling available for PostgreSQL. The layout reminds me of the famous Brendan Gregg performance tools matrix.
Create your own smart baby monitor with a RaspberryPi and Tensorflow
This provides so much detail about using Tensorflow and “machine learning” that it’s a perfect guide to getting started. You 1) train some data (aka: label all audio samples) and then 2) use Tensorflow to analyse this data. Clever stuff!
This is how I git
A detailed write-up on how Daniel Stenberg, creator of curl/libcurl, uses git in his day-to-day life. This includes lots of code snippets with good tips & tricks.
The Most Confusing Grep Mistakes I’ve Ever Made
Yup, I’ve made just about every mistake described in this post, too.
Jobs
IT System Admin at WebSupport
Do you want to be in charge of one of the largest infrastructures in CEE? Join us in developing online world. Working as an IT System Administrator will deepen your knowledge of OS Linux, architecture of large solutions and administration of systems that host over 160.000 domains.
Location: Bratislava, Prague
Interested in listing your job here? Get in touch!