Special Guest: Chad M. Crowell.

Links:

• Under the sea, Microsoft tests a datacenter that’s quick to deploy, could provide internet connectivity for years
• An Azure Infrastructure Year in Review
• Azure File Sync now generally available
• Microsoft's Newest OS is Based on Linux
• Azure Sphere
• What is Azure Stack?
• Azure Outage Proves the Hard Way Availability Zones are a Good Idea
• Microsoft Azure Infrastructure and Deployment on Linux Academy — In this course, we will cover an introduction to the Azure portal, followed by how to build infrastructure and deploy that infrastructure in real world scenarios.
• Chad Crowell on Twitter

Links:

• Jim Salter — Jim Salter (@jrssnet) is an author, public speaker, small business owner, mercenary sysadmin, and father of three—not necessarily in that order. He got his first real taste of open source by running Apache on his very own dedicated FreeBSD 3.1 server back in 1999, and he's been a fierce advocate of FOSS ever since.
• Jim Salter on Twitter
• Dropbox Flaws | TechSNAP | 1
• PSN Breech Details | TechSNAP 3
• 2089 Days Uptime | TechSNAP 300

Plus some good news for OpenBGP and the wider internet community, and a handy tool for inspecting docker images.

Links:

• Firecracker – Lightweight Virtualization for Serverless Computing — Firecracker is an open source virtualization technology that is purpose-built for creating and managing secure, multi-tenant containers and functions-based services.
• Firecracker — Firecracker is an open source virtualization technology that is purpose-built for creating and managing secure, multi-tenant containers and functions-based services.
• Firecracker Design Docs
• Firecracker Roadmap
• QEMU — QEMU is a generic and open source machine emulator and virtualizer.
• Qemu : Security vulnerabilities
• VENOM Vulnerability — VENOM, CVE-2015-3456, is a security vulnerability in the virtual floppy drive code used by many computer virtualization platforms. This vulnerability may allow an attacker to escape from the confines of an affected virtual machine (VM) guest and potentially obtain code-execution access to the host.
• s2n — s2n is a C99 implementation of the TLS/SSL protocols that is designed to be simple, small, fast, and with security as a priority.
• OpenBGPD - Adding Diversity to the Route Server Landscape — Thanks to the RIPE NCC Community Project Fund we were able to revive the OpenBGPD daemon and bring more diversity to the Route Server landscape.
• OpenBGPD — OpenBGPD is a FREE implementation of the Border Gateway Protocol, Version 4. It allows ordinary machines to be used as routers exchanging routes with other systems speaking the BGP protocol.
• LSI Questions from Anton
• ServeTheHome
• Sennheiser Headset Software Could Allow Man-in-the-Middle SSL Attacks — When users have been installing Sennheiser's HeadSetup software, little did they know that the software was also installing a root certificate into the Trusted Root CA Certificate store.  To make matters worse, the software was also installing an encrypted version of the certificate's private key that was not as secure as the developers may have thought.
• evilginx2: Standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication
• dive: A tool for exploring each layer in a docker image

Plus we discuss Let's Encrypt’s Wildcard support and explain what ACME v2 is.

Then we detail the bad position Samba 4 admins are in, and the real cause of these recent 1.7Tbps DDoS attacks.

Sponsored By:

• Ting: Save $25 off a device, or get $25 in service credits! Promo Code: Visit techsnap.ting.com
• Digital Ocean: Apply our promo snapocean after you create your account, and get a $10 credit. Promo Code: snapocean
• iXSystems: Get a system purpose built for you. Promo Code: Tell them we sent you!

Links:

• Hardcoded Password Found in Cisco Software — Cisco says that an attacker could exploit this vulnerability (CVE-2018-0141) by connecting to the affected system via Secure Shell (SSH) using the hardcoded password.
• Potent malware that hid for six years spread through routers — "The malware is highly advanced, solving all sorts of problems from a technical perspective and often in a very elegant way, combining older and newer components in a thoroughly thought-through, long-term operation, something to expect from a top-notch well-resourced actor."
• CVE 2018-1057: Authenticated Samba users can change other users' password — On a Samba 4 AD DC the LDAP server in all versions of Samba from 4.0.0 onwards incorrectly validates permissions to modify passwords over LDAP allowing authenticated users to change any other users' passwords, including administrative users and privileged service accounts (eg Domain Controllers).
• CVE-2018-1057 - SambaWiki Workarounds — Revoke the change passwords right for 'the world' from all user objects (including computers) in the directory, leaving only the right to change a user's own password.
• ACME v2 and Wildcard Certificate Support is Live — We’re pleased to announce that ACMEv2 and wildcard certificate support is live!
• It just got much easier to wage record-breaking DDoSes — Within days of the new technique going public, security firms reported it being used in a record-setting 1.3 terabit-per-second DDoS against Github and then, two days later, a record-topping 1.7 Tbps attack against an unnamed US-based service provider.
• The real cause of large DDoS — All the gigantic headline-grabbing attacks are what we call "L3" (Layer 3 OSI[1]). This kind of attack has a common trait - the malicious software sends as many packets as possible onto the network.
• Project Nimble – Netflix TechBlog — We set ourselves an aggressive goal of being able to fail over traffic in less than 10 minutes.
• Follow Up: Alex has a tip for Alex
• Question: Oliver asks about a fail2ban replacement
• S3Scanner — Scan for open S3 buckets and dump
• Chromium is also a Snap

Plus new research with ideas to dramatically improve private web browsing, the growing problem of tracking security vulnerabilities with CVE’s, and much more!

Sponsored By:

• Digital Ocean: Apply our promo snapocean after you create your account, and get a $10 credit. Promo Code: snapocean
• iXSystems: Get a system purpose built for you. Promo Code: Tell them we sent you!
• Ting: Save $25 off a device, or get $25 in service credits! Promo Code: Visit techsnap.ting.com

Links:

• Revamp of 'Pwned Passwords' Boosts Privacy and Size of Database — In V2 of Pwned Passwords, launched last week, Hunt updated his password data set from 320 million passwords to 501 million new passwords, pulled from almost 3,000 breaches over the past year.
• Finding Pwned Passwords with 1Password — Troy Hunt and his friends from Cloudflare found a brilliant way to check if my password is leaked without ever needing to send my password to their service. Their server never receives enough information to reconstruct my password.
• Troy Hunt: I've Just Added 2,844 New Data Breaches With 80M Records To Have I Been Pwned
• Apple’s China data migration includes iCloud keys, making data requests easier for authorities — Now, according to Apple, for the first time the company will store the keys for Chinese iCloud accounts in China itself. That means Chinese authorities will no longer have to use the U.S. courts to seek information on iCloud users and can instead use their own legal system to ask Apple to hand over iCloud data for Chinese users, legal experts said.
• Microsoft’s Big Email Privacy Case Heads to the Supreme Court Tomorrow — The 2013 warrant involved a drug case, and the Justice Department asked Microsoft to turn over emails that were stored in its Ireland data center. Microsoft objected, arguing that the DoJ could not use a domestic warrant to conduct an international search and that it should instead acquire the data through a treaty process with the Irish government.
• Researchers Propose Improved Private Web Browsing System — The newly proposed system keeps all the data that the browse loads into memory encrypted until it is displayed on the screen, the researchers say. Users no longer type a URL into the browser, but access the Veil website and enter the URL there. With the help of a blinding server, the Veil format of the requested page is transmitted. 
• Nearly 8,000 Security Flaws Did Not Receive a CVE ID in 2017 — A record-breaking number of 20,832 vulnerabilities have been discovered in 2017 but only 12,932 of these received an official CVE identifier last year, a Risk Based Security (RBS) report reveals.
• What is Serverless Architecture? What are its criticisms and drawbacks? — Serverless architectures refer to applications that significantly depend on third-party services (knows as Backend as a Service or “BaaS”) or on custom code that’s run in ephemeral containers (Function as a Service or “FaaS”), the best known vendor host of which currently is AWS Lambda.
• Serverless Security: What's Left to Protect?
• OpenFaaS - Serverless Functions Made Simple — Serverless Functions Made Simple for Docker and Kubernetes
• open-lambda: An open source serverless computing platform — An open source serverless computing platform
• Iron.io - DevOps Solutions from Startups to Enterprise
• Apache OpenWhisk is a serverless, open source cloud platform
• Feedback: David's Drive Tips
• Question: Alex has BIG cloud storage requirements....
• Crostini - Linux App Containers on ChromeOS — In other words, the Crostini/Terminal feature could be to Chrome OS what the Windows Subsystem for Linux is for Windows 10: a way that developers, power users, and Linux enthusiasts can run native Linux software on a device that’s not running a traditional Linux distribution.