cron.weekly issue #87: OutlawCountry, MOTD, NSA, systemd, Kubernetes, spoilerwall, Dexter, GPG & more

cron.weekly is a newsletter about Linux, open source & webdevelopment. Want to get it in your inbox every Sunday? Subscribe below!

I respect your privacy and you won't get spam. Ever. Just a weekly-ish newsletter about Linux and open source.
Image of Mattias Geniar

Mattias Geniar, July 02, 2017

Follow me on Twitter as @mattiasgeniar

Welcome to cron.weekly issue #87 for Sunday, July 2nd, 2017.

There are some security issues regarding systemd you should be aware of if you’re running Ubuntu, WikiLeaks publishes some NSA tools explicitly aimed at targeting Linux and recent Intel CPU’s appear to have broken Hyper-Threading.

So, have a great Sunday folks! 😀


How a 20-year old kernel feature helped USDS improve VA’s network

There’s a lot of nitty gritty details in here about time keeping and persistent TCP connections that get randomly dropped by a CISCO endpoint. Just goes to show that even the basics of TCP can surprise you.

Open Source Friday

What are you doing next Friday? This site aims to get you motivated and up-and-running with your first pull request to an open source project.

Full Stack Fest 2017: Problems of today, wonders from the future.

Are you a curious mind? Full Sack Fest is a week-long conference based in the amazing city of Barcelona that peeks into the web of tomorrow! Serverless, Blockchain, WebVR, Distributed Web, Progressive Web Apps… Come and see. Early bird tickets available! Use CRONWEEKLY to get 10% off! (Sponsored)

New CIA leaks target Linux specifically: OutlawCountry

WikiLeaks published a new set of CIA hacking tools, this time focussing specifically on the Linux operating system, called OutlawCountry. The malware consists of a kernel module that creates a hidden netfilter table on a Linux target; with knowledge of the table name, an operator can create rules that take precedence over existing netfilter/iptables rules and are concealed from an user or even system administrator.

Ubuntu’s MOTD shows advertising

Yuk. Ubuntu’s Message of the Day (MOTD) has been noted to show ads for a TV series that happens to use Ubuntu (which they wanted to highlight).

Is it unethical for me to not tell my employer I’ve automated my job?

What if … you automated your entire job with a set of scripts and programs, but didn’t tell anyone? Heavy discussions going on in this thread. 🙂

VIM Adventures

A browser-based adventure game to teach you how to use VIM. Very cleverly done and it even looks good!

Intel Skylake/Kaby Lake processors: broken hyper-threading

Unfixed Skylake and Kaby Lake processors could, in some situations, dangerously misbehave when hyper-threading is enabled. This post contains info on how to detect & mitigate the problem.

Systemd DNS vulnerability in Ubuntu

Users of Ubuntu 16.10 or 17.04 will want to update their systemd packages, as systemd-resolved could be made to crash or run programs if it received a specially crafted DNS response. Red Hat or CentOS are unaffected.

NSA opens GitHub page

With all their code and tools already being released by WikiLeaks Shadow Brokers, they might as well open source it themselves too, right? 😉 But all kidding asides, there are some good looking projects on their page like a Certificate Authority monitoring project, a VPN service, host integrity tools, …

Tools & Projects

Datadog: all your infrastructure, in one place

Track & alert on the health and performance of every server, container, and app in any environment, with Datadog. Sign up for a free 14-day trial(Sponsored)


Shuts down a TCP connection on Linux or macOS. Local and remote endpoint arguments can be copied from the output of ‘netstat -lanW’.

Kubernetes 1.7

A new milestone for the Kubernetes project with its 1.7 launch: a big focus on security, storage and extensibility features.

Apache RocketMQ

Apache RocketMQ is a distributed messaging and streaming platform with low latency, high performance and reliability, trillion-level capacity and flexible scalability.


Decrypts and logs a process’s SSL traffic. The functionality offered by ssl_logger is intended to mimic Echo Mirage’s SSL logging functionality on Linux and macOS.


mkosi stands for Make Operating System Image, and is a tool for precisely that: generating an OS tree or image that can be booted.


This package provides a library and a command-line tool named wormhole, which makes it possible to get arbitrary-sized files and directories (or short pieces of text) from one computer to another.


Spoilerwall introduces a brand new concept in the field of network hardening. Avoid being scanned by spoiling movies on all your ports!

Eternal Terminal

Inspired by SSH, Mosh and autossh, Eternal Terminal (ET) is a remote shell that automatically reconnects without interrupting the session.


There’s a lot of code and tools in this repo aimed at testing and breaking the IPv6 protocol. If you’re into networking or security, you’ll find something in there you’ll like.


CloudBoost is the complete serverless platform for your app. Think of CloudBoost as Parse + Firebase + Algolia + all combined into one.

Guides & Tutorials

A step by step guide to model deployment pipeline

This blog series uses a simple application as an example to guide you on building deployment pipelines. Following it, you will get an in-depth understanding of continuous delivery and also hands-on practices of deployment pipeline modeling. Check it out here. (Sponsored)

Unicorn Unix Magic Tricks

This post contains lots of good insights into how the Unicorn webserver (written in Ruby) handles its master/worker architecture and how you can work with it to troubleshoot & make it more effective.

Docker Security Best Practices

A decent listing of tools & methods you can use to help secure your Docker installation, by verifying images, Docker Bench, Content Trust, …

Introducing Dexter, the Automatic Indexer for Postgres

Dexter collects PostgreSQL queries, analyses them and creates new indexes to make them more performant.

Using a GPG key for SSH Authentication

Besides a good intro into both PGP and SSH public keys, this also does a stellar job explaining how you can use a GPG key for your SSH logins, too.

Test from shell script if remote TCP port is open

Lots of good tips in this post, including a pure Bash implementation to test if a remote or local TCP port is open, by making use of /dev/tcp/$ip/$port. Very powerful!

Notes on BPF & eBPF

This post includes slides of a presentation on BPF (the BSD Packet Filter) and lots of notes from the talk itself. If you’re interested in the next big thing in packet capturing (think tcpdump etc.), have a read.

Container isolation gone wrong

A heavy debugging tale with sysdig to find the root cause of a Docker container isolation problem, where one container managed to influence the performance of another, despite both having resource constraints configured. Lots of practical commands & output in this post.

Running Steam in a systemd-nspawn container

Systemd has built-in container managed called systemd-nspawn. This post explains how you can run Steam (or any program, for that matter) inside a systemd-nspawn container. This post should get you started running pretty much anything inside a container.

Explain like I’m 5: Kerberos

A very good explanation on the Kerberos protocol, with enough visual material to make it understandable too.

IPv4 route lookup on Linux

This post starts easy but went way over my head very quickly. An insanely detailed guide on how an IP lookup happens on a Linux machine, from route tables to hashing algorithms to netmask calculations, all while testing both CPU and memory performance and impact.

Want to subscribe to the cron.weekly newsletter?

I write a weekly-ish newsletter on Linux, open source & webdevelopment called cron.weekly.

It features the latest news, guides & tutorials and new open source projects. You can sign up via email below.

No spam. Just some good, practical Linux & open source content.