Links:

• TechSNAP Episode 390: What’s Up with WireGuard
• WireGuard Sent Out Again For Review — WireGuard lead developer Jason Donenfeld has sent out the ninth version of the WireGuard secure network tunnel patches for review. If this review goes well and lands in net-next in the weeks ahead, this long-awaited VPN improvement could make it into the mainline Linux 5.2 kernel.
• CloudFlare announces Warp VPN — Using Cloudflare’s existing network of servers, Internet users all over the world will be able to connect to Warp VPN through the 1.1.1.1 app. In the same vein, Warp VPN will not significantly increase battery usage by using an efficient protocol called WireGuard.
• CloudFlare Launches "BoringTun" As Rust-Written WireGuard User-Space Implementation - Phoronix — CloudFlare took to creating BoringTun as they wanted a user-space solution as not to have to deal with kernel modules or satisfying certain kernel versions. They also wanted cross platform support and for their chosen implementation to be very fast, these choices which led them to writing a Rust-based solution.
• cloudflare/boringtun — BoringTun is an implementation of the WireGuard® protocol designed for portability and speed.
• VPN protocol WireGuard now has an official macOS app — You can already download the WireGuard app on Android and iOS, but today’s release is all about macOS.
• WireGuard Windows Pre-Alpha — I've been mostly absent these last weeks, due to being completely absorbed in Windows programming. I think we're finally getting to the state where we might really benefit from testing of the "pre-alpha".
• Wintun – Layer 3 TUN Driver for Windows — Wintun is a very simple and minimal TUN driver for the Windows kernel, which provides userspace programs with a simple network adapter for reading and writing packets. It is akin to Linux's /dev/net/tun and BSD's /dev/tun.
• WireGuard for Kubernetes: Introducing Gravitational Wormhole — Wormhole is a Kubernetes network plugin that combines the simplicity of flannel with encrypted networking from WireGuard.
• gravitational/wormhole: Wireguard based overlay network CNI plugin for kubernetes
• NetworkManager 1.16 — NetworkManager 1.16 is a big feature release bringing support for WireGuard VPN tunnels
• Portal Cloud - Subspace — Subspace is an open source WireGuard® VPN server that supports connecting all of your devices to help secure your internet access.
• subspacecloud/subspace — A simple WireGuard VPN server GUI
• jimsalterjrs/wg-admin — Simple CLI utilities to manage a WireGuard server
• 5 big misconceptions about virtual LANs — In the real world, VLANs are anything but simple.
• High Availability vs. Fault Tolerance vs. Disaster Recovery — You need IT infrastructure that you can count on even when you run into the rare network outage, equipment failure, or power issue. When your systems run into trouble, that’s where one or more of the three primary availability strategies will come into play: high availability, fault tolerance, and/or disaster recovery.
• High Availability: Concepts and Theory — Running server operations using clusters of either physical or virtual computers is all about improving both reliability and performance over and above what you could expect from a single, high-powered server.
• RPO and RTO: Understanding the Differences — Recovery time objective refers to how much time an application can be down without causing significant damage to the business. Recovery point objectives refer to your company’s loss tolerance: the amount of data that can be lost before significant harm to the business occurs.
• JupiterBroadcasting/Talks — Public repository of crew talks, slides, and additional resources.
• Command Line Threat Hunting — That viruses and malware are Windows problems is a misnomer that is often propagated through the Linux community and it's an easy one to believe until you start noticing strange behavior on your system. What do you do next? Join Ell Marquez and Tony Lambert in discussing a common sense approach to threat detection using only command line tools.
• Fear the Man in the Middle? This company wants to sell quantum key distribution — For now, Quantum XChange has only said about a dozen companies are part of the pilot. But with the appetite for quantum solutions in the US increasing—the National Quantum Initiative was just signed into law at the end of 2018 to advance the tech—this could be an opportune time to enter the market, so long as the service lives up to its billing.

Plus the biggest stories out of Kubecon, and serverless gets serious.

Links:

• Everything that was announced at KubeCon
• CNCF to Host etcd — The Cloud Native Computing Foundation Technical Oversight Committee voted to accept etcd as an incubation-level hosted project.
• Introduction to Knative — Knative is a framework from the folks at Google and Pivotal focused on “serverless” style event driven functions.
• IBM Embraces Knative to Drive Serverless Standardization — Knative is not the first open-source functions-as-a-service effort that IBM has backed. Back in 2016, IBM announced the OpenWhisk effort, which is now run as an open-source project at the Apache Software Found.
• How Google Is Improving Kubernetes Container Security — "We go beyond what's in open source and put additional restrictions in place to secure users"
• Demystifying Kubernetes CVE-2018-1002105 — With a specially crafted request, users that are authorized to establish a connection through the Kubernetes API server to a backend server can then send arbitrary requests over the same connection directly to that backend, authenticated with the Kubernetes API server’s TLS credentials used to establish the backend connection.
• The silent CVE in the heart of Kubernetes apiserver
• Crossplane: An Open Source Multicloud Control Plane
• security.christmas — This year we will prepare you for the Christmas celebration, by giving you small presents of knowledge every day, which will teach you about the world of security.
• Introducing the Helm Hub — This hub provides a means for you to find charts hosted in many distributed repositories hosted by numerous people and organizations.

Plus a few warm up stories, a war story, and more.

Special Guest: Amy Marrich.

Links:

• James Stanley - Someone used my IPFS gateway for phishing
• Scaling Engineering Teams via Writing Things Down and Sharing — I have recently been talking at small and mid-size companies, sharing engineering best practices I see us use at Uber, which I would recommend any tech company adopt as they are growing. The one topic that gets both the most raised eyebrows, as well the most "aha!" moments is the one on how the planning process for engineering has worked since the early years of Uber.
• Say hello to Kata Containers — Kata Containers bridges the gap between traditional VM security and the lightweight benefits of traditional Linux containers.
• Disappearing videos and disappointed grandmothers — Here's another story about broken things with some of the details changed just a little. If it sounds familiar, it's probably because your company also did it at some point.

Plus how Google hopes Roughtime will solve one of the web’s biggest problems, some great emails, and more!

Special Guest: Matt Ulasien.

Links:

• Cloudflare Embraces Google Roughtime, Giving Internet Security a Boost — The internet infrastructure firm Cloudflare will now support a free timekeeping protocol known as Roughtime, which helps synchronize the internet's clocks and validate timestamps.
• Roughtime: Securing Time with Digital Signatures — Roughtime lacks the precision of NTP, but aims to be accurate enough for cryptographic applications, and since the responses are authenticated, man-in-the-middle attacks aren’t possible
• Google Cloud rolls out security feature for container images — All container images built using Cloud Build, Google's fully-managed CI/CD platform, will now be automatically scanned for OS package vulnerabilities
• Tweets by Matthew Ulasien (@mulasien)
• Google Cloud Weekly | 10.03.2018
• Matthew Ulasien - Quora
• Google Certified Professional Cloud Architect
• Feedback: Can't Even Google This One!
• Feedback: The Button Pusher Problem
• Feedback: Can I monitor that?
• Pingdom
• Site24x7
• prometheus/blackbox_exporter: Blackbox prober exporter
• Kubernetes the Hard Way - Course
• How do Kubernetes Deployments work? An adversarial perspective. — What is happening when a Deployment rolls out a change to your app? What does it actually do when a Pod crashes or is killed? What happens when a Pod is re-labled so that it's not targeted by the Deployment?
• Kubernetes: The Surprisingly Affordable Platform for Personal Projects — I think that Kubernetes makes sense for small projects and you can have your own Kubernetes cluster today for as little as $5 a month.
• Kubernetes for personal projects? No thanks! — I have read multiple times this article about running Kubernetes to run small projects and thought I could share why I think that might not be a great idea.
• KubeDirector: The easy way to run complex stateful applications on Kubernetes — KubeDirector is an open source project designed to make it easy to run complex stateful scale-out application clusters on Kubernetes.
• Kubernetes On Bare Metal — This guide will take you from nothing to a 2 node cluster, automatic SSL for deployed apps, a custom PVC/PV storage class using NFS, and a private docker registry.
• Introducing DigitalOcean Kubernetes in Limited Availability

Plus the privacy improvements that could be coming to HTTPS, and a new SSH auditing tool hits the open source scene.

Special Guest: Will Boyd.

Links:

• Open Sourcing HASSH — HASSH is a network fingerprinting standard invented within the Detection Cloud team at Salesforce.
• ESNI: A Privacy-Protecting Upgrade to HTTPS — Today, Cloudflare is announcing a major step toward closing this privacy hole and enhancing the privacy protections that HTTPS offers. Cloudflare has proposed a technical standard for encrypted SNI, or “ESNI,” which can hide the identities of the sites you visit—particularly when a large number of sites are hosted on a single set of IP addresses
• What's new in Kubernetes 1.12?
• Kubernetes the Hard Way — Kubernetes The Hard Way guides you through bootstrapping a highly available Kubernetes cluster with end-to-end encryption between components and RBAC authentication.
• Install Minikube
• Creating a single master cluster with kubeadm
• 10 open-source Kubernetes tools for highly effective SRE and Ops Teams
• Clonezilla — Clonezilla is a partition and disk imaging/cloning program similar to True Image or Norton Ghost.

Plus a clear break down of the recent Kubernetes news, how a 40 year old tel-co protocol is being abused today, and a Git vulnerability you should know about.

Sponsored By:

• Digital Ocean: Apply our promo snapocean after you create your account, and get a $10 credit. Promo Code: snapocean
• iXSystems: Get a system purpose built for you. Promo Code: Tell them we sent you!
• Ting: Save $25 off a device, or get $25 in service credits! Promo Code: Visit techsnap.ting.com

Links:

• Hiding Information in Plain Text - IEEE Spectrum
• Remediating the May 2018 Git Security Vulnerability – Microsoft DevOps Blog
• When to use git subtree? - Stack Overflow
• Ghostery Email Incident Update - Ghostery
• Surprise! Student receives $36,000 Google bug bounty for RCE flaw – Naked Security
• SS7 routing-protocol breach of US cellular carrier exposed customer data | Ars Technica
• SnoopSnitch - Apps on Google Play
• Kubernetes Containerd Integration Goes GA - Kubernetes
• Hackers infect 500,000 consumer routers all over the world with malware | Ars Technica
• FBI seizes domain Russia allegedly used to infect 500,000 consumer routers | Ars Technica
• Singapore ISP Leaves 1,000 Routers Open to Attack | Threatpost | The first stop for security news
• Don't let Frank near the server
• Dave decides to move some plugs...

Plus things to consider when deciding on-premises vs a cloud deployment, and the all business gadget from 1971 that kicked off the consumer electronics revolution.

Links:

• The HP-35 — Consumer Electronics, an Origin Story
• The people cost of building out a Kubernetes cluster on-prem | Operos
• EFAIL — EFAIL describes vulnerabilities in the end-to-end encryption technologies OpenPGP and S/MIME that leak the plaintext of encrypted emails.
• efail-attack-paper.pdf
• GnuPG Efail press release Response
• No, PGP is not broken, not even with the Efail vulnerabilities - ProtonMail Blog — Recently, news broke about potential vulnerabilities in PGP, dubbed Efail. However, despite reports to the contrary, PGP is not actually broken, as we will explain in this post.
• Eric's War Story is VERY Familiar
• When it rains it pours for Steve
• Critical Cisco WebEx Bug Allows Remote Code Execution
• Cisco WebEx and 3rd Party Support Utilities

Plus how you can store files in others DNS resolver cache, Project Zero finds a new BitTorrent client flaw, and more.

Sponsored By:

• Ting: Save $25 off a device, or get $25 in service credits! Promo Code: Visit techsnap.ting.com
• iXSystems: Get a system purpose built for you. Promo Code: Tell them we sent you!
• Digital Ocean: Apply our promo snapocean after you create your account, and get a $10 credit. Promo Code: snapocean

Links:

• DNSFS. Store your files in others DNS resolver caches — The DNSFS code is a relatively simple system, every file uploaded is split into 180 byte chunks, and those chunks are “set” inside caches by querying the DNSFS node via the public resolver for a TXT record. After a few seconds the data is removed from DNSFS memory and the data is no longer on the client computer.
• BPF - the forgotten bytecode — BPF is an absolutely marvelous and flexible way of filtering packets.
• dnsfs: Store your data in others DNS revolvers cache — Store your data in others DNS revolvers cache
• Unauthenticated LAN remote code execution in AsusWRT — However due to a number of coding errors, it is possible for an unauthenticated attacker in the LAN to achieve remote code execution in the router as the root user.
• AI is moving towards acceptance in cyber security, says Check Point — Artificial intelligence is well on its way to being a useful tool in the cyber security professional’s kit, but according to Check Point, there are still big challenges to overcome.
• Alphabet is launching a new CyberSecurity unit. — Alphabet, the parent company of Google, announced today that they will be launching Chronicle, a new business unit that will focus on Cyber Security, using their servers and infrastructure. The new organization hopes to focus on machine learning and artificial intelligence to assist in the fight against cybercrime moving forward.
• Google Project Zero claims new BitTorrent flaw could enable cyber crooks get into users' PCs — According to Project Zero, the client is vulnerable to a DNS re-binding attack that effectively tricks the PC into accepting requests via port 9091 from malicious websites that it would (and should) ordinarly ignore. 
• CVE-2018-5702: Mitigate dns rebinding attacks against daemon by taviso · Pull Request #468
• Blizzard Fixes DNS Rebinding Flaw that Put All the Company's Users at Risk
• What is DNS rebinding, in layman's terms?
• An Introduction to Kubernetes — Kubernetes, at its basic level, is a system for managing containerized applications across a cluster of nodes. In many ways, Kubernetes was designed to address the disconnect between the way that modern, clustered infrastructure is designed, and some of the assumptions that most applications and services have about their environments.
• What is Kubernetes? — Kubernetes was originally developed and designed by engineers at Google. Google was one of the early contributors to Linux container technology and has talked publicly about how everything at Google runs in containers. (This is the technology behind Google’s cloud services.) Google generates more than 2 billion container deployments a week—all powered by an internal platform: Borg. Borg was the predecessor to Kubernetes and the lessons learned from developing Borg over the years became the primary influence behind much of the Kubernetes technology.
• Scaling Kubernetes to 2,500 Nodes — We’ve been running Kubernetes for deep learning research for over two years. While our largest-scale workloads manage bare cloud VMs directly, Kubernetes provides a fast iteration cycle, reasonable scalability, and a lack of boilerplate which makes it ideal for most of our experiments.
• Feedback: Talk more about Windows — I listened to your intro to change management and it seemed like it will be very Linux centric ("everything is she"). I'm future segments, please try to include windows desktop and server OS as well.
• Question: Starting with Ansible Quick — Are there any way to get started other than writing a playbook and trying it out with trial and error?
• Ansible Best Practises: A project structure that outlines some best practises of how to use ansible — A project structure that outlines some best practises of how to use ansible
• ansible-console: An Interactive REPL for Ansible — omething found out recently is that Ansible has an interactive REPL of sorts in ansible-console for doing some adhoc things on a collection of hosts.
• Introduction To Ad-Hoc Commands — Ansible Documentation — An ad-hoc command is something that you might type in to do something really quick, but don’t want to save for later.
• About the security content of macOS High Sierra 10.13.3, Security Update 2018-001 Sierra, and Security Update 2018-001 El Capitan - Apple Support — This document describes the security content of macOS High Sierra 10.13.3, Security Update 2018-001 Sierra, and Security Update 2018-001 El Capitan.