Mon blog-notes à moi que j'ai

Personal blog of a sysadmin with a hacker bent

Twitter & RSS watch roundup #2016-35

The harvest of links for the week of 29 August to 2 September 2016. Most of them were published on my Twitter account. Here they are gathered together for those who may have missed them.

Happy reading

Security & Privacy

Thoughts on the « physically secure » ORWL computer
Several people, including some computer journalists, have asked me recently for an opinion on ORWL - « The First Open Source, Physically Secure Computer ». Below I provide a quick review of some of the features they boast about on their crowdfunding page (linked above and quoted below), then jump into more general conclusions and advice.
Trusted Mobile Device: How hard could it be?
I bought a new phone. After my experiences with signal and the helpful comments readers gave regarding the ability to run android and signal without Google Play using microg I thought I would give it a shot.
Thwarting SQL Injection: Defense in Depth
SQL as a language is vulnerable to injection attacks because it allows mixing of instructions and data, which attackers can conveniently exploit to achieve their nefarious objectives.
Security Best Practices for Kubernetes Deployment
Kubernetes provides many controls that can greatly improve your application security. Configuring them requires intimate knowledge with Kubernetes and the deployment’s security requirements. The best practices we highlight here are aligned to the container lifecycle: build, ship and run, and are specifically tailored to Kubernetes deployments. We adopted these best practices in our own SaaS deployment that runs Kubernetes on Google Cloud Platform.
ASIACCS – StemJail: simplified compartmentalization for workstation security
Mickaël Salaün, a researcher at ANSSI, presented his latest research, conducted with Marion Daubignard, on security compartmentalization of a workstation at the ACM Asia Conference on Computer and Communications Security (ASIACCS), held in Xi'an (China) last June.
The Hunt for Lurk
In early June, 2016, the Russian police arrested the alleged members of the criminal group known as Lurk. The police suspected Lurk of stealing nearly three billion rubles, using malicious software to systematically withdraw large sums of money from the accounts of commercial organizations, including banks. For Kaspersky Lab, these arrests marked the culmination of a six-year investigation by the company’s Computer Incidents Investigation team. We are pleased that the police authorities were able to put the wealth of information we accumulated to good use: to detain suspects and, most importantly, to put an end to the theft. We ourselves gained more knowledge from this investigation than from any other. This article is an attempt to share this experience with other experts, particularly the IT security specialists in companies and financial institutions that increasingly find themselves the targets of cyber-attacks.
RFC 7914: The scrypt Password-Based Key Derivation Function
This RFC standardizes the scrypt key derivation function.
What is a key derivation function for? As the name suggests, such functions make it possible to obtain cryptographic keys (or other cryptographic material) from the data supplied to them. A common use is to produce a key for an encryption algorithm from a passphrase. This yields a key (of fixed length and given format) for cryptographic operations while letting the user handle only memorable text. For example, to encrypt a hard disk, the user enters a passphrase, but the disk is encrypted with the key obtained by applying the key derivation function (KDF) to that phrase. Another use is to transform a password that has to be stored in a file into information that is useless to an attacker who gets hold of it. To log in, you type the password, run the KDF again and check that you do obtain the stored result.
The military-industrial complex of Internet freedom defence
Andy is one of the historic members of the German hacker club, the CCC, a leading figure in information, training and activism in the fields of computer technology and the Internet. Having defended citizens' personal data protection since 1995 with the Datenreisebüro, in May 2016 he gave a talk at THSF, the annual hacker gathering in Toulouse.
Considerations on DMZ Design in 2016, Part 1
I’m currently involved in a « DMZ Redesign » effort in a sufficiently large enterprise (800+ hosts in « the DMZ ») and I thought this might be an opportunity to reflect on some aspects of « DMZ networks » in a series of posts.
Inside ‘The Attack That Almost Broke the Internet’
In March 2013, a coalition of spammers and spam-friendly hosting firms pooled their resources to launch what would become the largest distributed denial-of-service (DDoS) attack the Internet had ever witnessed. The assault briefly knocked offline the world’s largest anti-spam organization, and caused a great deal of collateral damage to innocent bystanders in the process. Here’s a never-before-seen look at how that attack unfolded, and a rare glimpse into the shadowy cybercrime forces that orchestrated it.
Stop Cross-Site Timing Attacks with SameSite cookies
Let’s say we have a client that can initiate a network request for any URL on the web but the response is opaque and cannot be inspected. What could we learn about the client or the response? As it turns out, armed with a bit of patience and rudimentary statistics, « a lot ».

System Engineering

Netflix Data Benchmark: Benchmarking Cloud Data Stores
The Netflix member experience is offered to 83+ million global members, and delivered using thousands of microservices. These services are owned by multiple teams, each having their own build and release lifecycles, generating a variety of data that is stored in different types of data store systems. The Cloud Database Engineering (CDE) team manages those data store systems, so we run benchmarks to validate updates to these systems, perform capacity planning, and test our cloud instances with multiple workloads and under different failure scenarios. We were also interested in a tool that could evaluate and compare new data store systems as they appear in the market or in the open source domain, determine their performance characteristics and limitations, and gauge whether they could be used in production for relevant use cases. For these purposes, we wrote Netflix Data Benchmark (NDBench), a pluggable cloud-enabled benchmarking tool that can be used across any data store system. NDBench provides plugin support for the major data store systems that we use – Cassandra (Thrift and CQL), Dynomite (Redis), and Elasticsearch. It can also be extended to other client APIs.
Serializability and Distributed Software Transactional Memory with etcd3
The new etcd3 API introduces powerful new primitives that advance the system’s capabilities beyond the limits of etcd2. As part of evaluating the effectiveness of etcd3, we spent considerable effort developing distributed concurrency algorithms using the new API.
The cat-and-mouse story of implementing anti-spam for Mail.Ru Group’s email service and what Tarantool has to do with this
In this article, I'd like to tell you a story of implementing the anti-spam system for Mail.Ru Group's email service and share our experience of using the Tarantool database within this project: what tasks Tarantool serves, what limitations and integration issues we faced, what pitfalls we fell into and how we finally arrived at a revelation.
(Re)Introducing Edgestore
Edgestore is the metadata store that powers many internal and external Dropbox services and products. We first talked about Edgestore in late 2013 and needless to say, much has happened since.
In this post, we give a high-level overview of the motivation behind Edgestore, its architecture, salient features and how it’s being used at Dropbox. We’ll be doing a deep-dive on various aspects of Edgestore in subsequent posts.
What is a file system?
Thanks Djerfy for once again giving me an idea that gives me a headache: finding the right words to introduce you, on this still-hot Sunday, to the wonderful world of data storage, and more particularly to one of its essential elements, the file system. Indeed, our digital data has become central these days, both for us and for the companies that make money off it. A dive into a universe that reaches all the way into your pockets.
fakecloud
I wrote my first Mojolicious web app yesterday, a cloud-init meta-data server to enable running pre-built VM images (e.g. as provided by debian, ubuntu, etc) without having to install and manage a complete, full-featured cloud environment like openstack.
Why conntrackd in Debian is better with systemd
There has been some discussion around my decision to drop sysvinit support in the conntrackd package in Debian (version 1:1.4.4-2).
Serverless architectures: game-changer or a recycled fad?
If there was a bestseller chart for buzzwords, Serverless would currently be at the top. The interwebs are full of heated debates on how it’s the hottest new thing since the Sun, and rebuttals that it’s just a return to old two-tier architectures. The only thing attracting more controversy than the technology is the name. Twitter is buzzing with sarcastic comments about how serverless involves more servers than ever. There are ideas to stop talking about serverless and start talking about servicefull, then there’s also a half-serious proposal to rename the whole thing to Jeff.
High‑Performance Caching with NGINX and NGINX Plus
Welcome to our latest webinar; my name is Andrew. NGINX was written by Igor Sysoev with the idea of helping the world’s websites run faster, be more responsive, and be easily scalable. Today, NGINX powers over 30% of the top sites and over 20% of all websites on the Internet. [Editor – These statistics applied when the webinar was delivered in May 2014.] I’m hoping you will find the content of this webinar useful and applicable to your existing or planned NGINX environment.
Now allow me to introduce Owen Garrett to you. Owen is responsible for the product development here at NGINX. Today, Owen is going to talk about how can you apply powerful caching mechanisms in NGINX to free your application from the burden of generating repetitive content over and over again.

Monitoring

Basic site monitoring with Riemann
Riemann is a general-purpose event processing system, but its most typical application is as a place to send and generate metrics about applications. I recently set up a Riemann server for my personal projects, and I feel like my devops game is stepped up by 1000%.
Or, at the very least, I feel like I know about it as soon as one of my sites goes down.
DANE and DNSSEC Monitoring
At this year's FrOSCon I repeated my presentation on DNSSEC. In the audience, there was the suggestion of a lack of proper monitoring plugins for a DANE and DNSSEC infrastructure that were easily available. As I already had some personal tools around and some spare time to burn, I've just started a repository with some useful tools. It's available on my website and has mirrors on Gitlab and Github. I intend to keep this repository up-to-date with my personal requirements (which also means adding an xmpp check soon) and am happy to take any contributions (either by mail or as « pull requests » on one of the two mirrors). It currently has smtp (both ssmtp and starttls) and https support as well as support for checking valid DNSSEC configuration of a zone.
Audit Trail Dashboard with CloudBees Jenkins Analytics
Analytics is an important feature of the CloudBees Jenkins Platform. Elasticsearch is used to index build and performance data of CloudBees Jenkins Enterprise masters that are connected to CloudBees Jenkins Operations Center (and optionally index data from CloudBees Jenkins Operations Center as well), and display that information via a set of built-in Kibana dashboards. However, you are not limited to the provided dashboards and may modify them or create completely new dashboards. Kibana is exposed via the CloudBees Jenkins Operations Center Analytics Dashboard Creator link, allowing you to customize existing dashboards or create new ones. In this post, I will walk you through the process of creating a custom Kibana dashboard for a very specific use case - a Jenkins Audit Trail dashboard.
Monitoring of Monitoring
I was recently asked to get data from a computer that controlled security cameras after a crime had been committed. Due to the potential issues I refused to collect the computer and insisted on performing the work at the office of the company in question. Hard drives are vulnerable to damage from vibration and there is always a risk involved in moving hard drives or systems containing them. A hard drive with evidence of a crime provides additional potential complications. So I wanted to stay within view of the man who commissioned the work just so there could be no misunderstanding.

Software Engineering

How Uber Engineering Massively Scaled Global Driver Onboarding
Here’s the behind-the-scenes story about how Uber Engineering’s Driver Team continues to develop our virtual onboarding funnel to get hundreds of thousands of driver-partners on the road earning money with Uber.
BrowserLab: Automated regression detection for the web
Several years ago, Facebook was largely rendered server-side, and there was only a small amount of JavaScript on the site. To understand loading time, we could apply simple tools that focused solely on server performance. Today, we face very different challenges. Facebook has become increasingly interactive, which has motivated the transition to powerful client-side rendering frameworks like React. Time spent in browser rendering and scripting has grown to become a major bottleneck in loading facebook.com — at the beginning of 2016, we found that the majority of load time was spent on the client. To solve this problem, we set out to build a system capable of detecting changes in performance that can run on any commit to automatically prevent client regressions from shipping to production.
Managing Private Dependencies with Bundler
Bundler is a great resource for managing dependencies in your Ruby projects. It helps verify compatible versions between each of your gem dependencies as well as create a version lock file. This guarantees that everyone who uses that same project will be working with the same gem versions that worked for you.
Lambda and serverless, to infinity and beyond
For some time now we have been hearing more and more about serverless, Amazon Lambda, and FaaS (Function as a Service). Little by little, comparisons are appearing (generally on the financial side) that set these new possibilities against more classic infrastructures such as EC2 virtual machines (to stay with Amazon). From what I have read, almost all of these comparisons get the point of Lambda wrong, and here is why.
Writing Maintainable Integration Tests
In software development, writing integration tests is sometimes an afterthought. Many people think exclusively in terms of unit tests, and perhaps many more don’t think about automated tests at all. Thus, the very idea of writing integration tests that are maintainable, manageable, and scalable may seem foreign to most.
Microservices: Real Architectural Patterns
I’m fascinated by the lore and mystery behind microservices. As a concept, microservices feels like one of the most interesting folk architectures of the modern era. It’s useful enough to be applied widely across different usage patterns and also vague enough to mean many different things.
What could the blockchain possibly be good for?
Every day, several articles appear in the media explaining that the blockchain (chaîne de blocs in French, blockchain in the language of Satoshi Nakamoto) is going to solve yet another new problem. For the non-specialist, it is not easy to separate reality from fantasy among all these blockchain applications. It is with this non-specialist in mind that I wrote this article: little or no technical detail, just an exploration of the things where the blockchain is really useful, as opposed to those where it has no point.

Web performances

Performance Metrics 101: Page Size (Total Downloaded Bytes)
This blog will be a series of posts that will discuss some of the most important performance metrics. We will analyze real-time data and compare the top performing websites with those at the lower end of the spectrum. Best practices will be discussed in detail to help those who want to build websites that are optimized, without having to compromise on the design or content.
Perceived render time – You take the blue pill; you believe whatever you want!
Perception drives end-user experience. Ryan Bateman and I came across a very interesting article by Bryan Gardiner in Wired Magazine describing some of the science around waiting for a page to load. At Dynatrace we are REALLY passionate about this and got to chatting about it. We constantly talk to customers about best practices when it comes to measuring customer experience and what users perceive and Google engineer Ilya Grigorik’s presentation, Performance on Rails immediately came up. In his presentation he outlined how humans perceive things:

Databases Engineering

MySQL & MariaDB

ProxySQL Sharding
This article demonstrates how ProxySQL sharding works.
Recently a colleague of mine asked me to provide a simple example on how ProxySQL performs sharding.
In response, I’m writing this short tutorial in the hope it will illustrate ProxySQL’s sharding functionalities, and help people out there better understand how to use it.
ProxySQL is a very powerful platform that allows us to manipulate and manage our connections and queries in a simple but effective way. This article shows you how.

Elasticsearch

An Elasticsearch cheat sheet
I’m using Elasticsearch a lot, which brings me to run the same commands again and again to manage my clusters. Even though they’re now all automated in Ansible, I thought it would be interesting to share them here.

Vertica

Troubleshooting Vertica Query Performance with System Tables
Do you want to learn how to troubleshoot your query performance issues? We’ve got you covered. Just attend the Query Performance Tuning and Troubleshooting Issues session at HPE Vertica’s Big Data Conference.

Data Engineering & Analytics

Handling large data sets at scale
Millions of people search for ideas on Pinterest every day. Since launching search guides two years ago, we’re now handling two billion search queries every month. A core component of our search stack is our query rewrite service which we use to understand the query and rewrite it as needed. We do many key-value pair lookups in this service, so it’s essential that we pick the right data structures.
Apache Spark @Scale: A 60 TB+ production use case
Facebook often uses analytics for data-driven decision making. Over the past few years, user and product growth has pushed our analytics engines to operate on data sets in the tens of terabytes for a single query. Some of our batch analytics is executed through the venerable Hive platform (contributed to Apache Hive by Facebook in 2009) and Corona, our custom MapReduce implementation. Facebook has also continued to grow its Presto footprint for ANSI-SQL queries against several internal data stores, including Hive. We support other types of analytics such as graph processing and machine learning (Apache Giraph) and streaming (e.g., Puma, Swift, and Stylus).
Setting up KAFKA CONNECT and KAFKA for change data capture (CDC)
I am in the process of building an analysis engine to analyze the logs of an ESB.
The standard tool stores the events in a database.
PaaStorm: A Streaming Processor
This is the fourth post in a series covering Yelp’s real-time streaming data infrastructure. Our series explores in-depth how we stream MySQL updates in real-time with an exactly-once guarantee, how we automatically track & migrate schemas, how we process and transform streams, and finally how we connect all of this into datastores like Redshift and Salesforce.

Network Engineering

History of SDN-like approaches
I stumbled across an interesting paper called The road to SDN: an intellectual history of programmable networks (ACM DL link) this morning. It’s good to place current trends in historical context especially while keeping RFC 1925 Rule 11 in mind.

Management & Organization

The new developer's checklist
What happens when the new hire arrives? Will their workstation be there in time? What will they do? And where do they sit, by the way? Er, and on what date exactly are they arriving again?
I am sure we have all been through this at least once. The only solution I know of: a checklist of tasks to tick off as you go, shared with everyone involved.
Recruitment mistakes: part 3
It has been a while that I have been contacted by a recruiter, and the last few ones were fairly decent conversations, where they made an effort to research me first, and even if they did not get everything right, they still listened, and we had a productive talk. But four days ago, I had another recruiter reach out to me, from a company I know oh so well: one I ranted about before: Google. Apparently, their recruiters still do carpet-bombing style outreach. My first thought was « what took them so long? » - it has been five years since my last contact with a Google recruiter. I almost started missing them. Almost. To think that Google is now powerful enough to read my mind, is scary. Yet, I believe, this is not the case; rather, it’s just another embarrassing mistake.
Arsonist firefighters
One of the hardest employee profiles to manage is the « arsonist firefighter ». Let's look at how to recognize such a profile, the dangers they can pose, and the solutions that exist for managing them.
7 Mistakes Companies Make When Implementing DevOps
In the last few years, DevOps has established itself as a must-have for all the most innovative companies. Many companies have adapted a continuous approach to software delivery and development, using one of many popular technologies and tools. However, the most important way to improve continuous integration strategies is to change the company’s processes by examining the frequency and scale of tests running throughout the development cycle. These tests help speed up the process by helping to identify and fix trouble spots in apps while the changes are still fresh in the developers’ minds.