Corinne Bailey Rae, Put Your Records On

Media

It’s Music Monday! I missed last week, gomen. I’ve decided to mix things up a bit and make these weekly features not just about music I love, but songs I might still be thinking about.

I wasn’t that into Corinne Bailey Rae’s “Put Your Records On”. It’s fine, but it irks me when singers change registers to repeat a chorus or verse. My dearly departed late mother, herself a fabulous musician and artist, said songwriters use it as a crutch, presumably when they have a Spandau Ballet moment and find it hard to write the next line.

(OneRepublic’s “Counting Stars” is another egregious example, but they pile on the cringe by doing it in falsetto. I thought they were better than that!)

I vaguely remember hearing this song everywhere when I moved back to Sydney, but it’s enjoying a resurgence. I’ve been hearing it again in coffee shops, on the radio in cabs, and through the headphones of train commuters pressed against me in the morning peak.

I’d assumed it was from the late 1990s based on its musical style. I lack sufficient musical vocabulary to articulate why it sounds like that, but take a listen and see if you agree. Regardless, I ran Shazam after hearing it for the third time today, and it came out in 2006. I would not have guessed that at all!

I’m also warming to it a bit. We need all the warmth, optimism, and smiles we can get in 2018. Though I’d say this beautiful electronica tune still has it beat!


Overnightscape Central: Scramble

Media

The Overnightscape Central is a fun weekly podcast hosted by the illustrious PQ Ribber. Hosts and listeners of The Overnightscape Underground participate in a topic each week, and you’re welcome to join.

03:22:28 – Experimental scrambled format with Dave in Kentucky, Rubenerd, Doc Sleaze, Chad Bowers, Brazen Gestures, and Frank Edward Nora!! PQ Ribber is your host and chopper-upper!!

You can view this episode on the Underground, listen to it here, and subscribe with this feed in your podcast client.


Economic impact of back doors

Software

Simon Sharwood has done an excellent job reporting on the onerous new backdoor laws being debated in Australia. For those who haven’t seen them, this is how he opened his most recent report:

As iTnews readers will by now appreciate, the Bill suggests powers to compel technology companies to provide access to data their products and services manage or transmit, but has been met with criticism such access is not possible without introducing systemic weaknesses.

To put it mildly. Now a government and private body are soliciting feedback:

While mindful of that criticism, The [Australian Strategic Policy Institute] and [The Australian Cyber Security Growth Network] have not taken a position opposing the bill but are interested to learn how industry feels it could impact their prospects.

While AustCyber is government-funded, Chief of Strategy Belinda Newham told iTnews she sees the survey as in line with its mission to grow a local cyber-security industry.

Life isn’t often black and white, but industry feels you’ll destroy them. Pass this bill, and you won’t have a local cyber-security industry.

It’s amazing how cyclical and bipartisan this nonsense is. A decade ago I dedicated much of my blog to exposing the then-government’s plan for mandatory internet filtering. Back in 2008:

The problem is, such an abysmal result will not deter Senator Conroy or his vocal minority (minority… minority… minority…) of supporters because their belief that such a system is useful and practical isn’t rooted in facts, figures or even common sense, but rather in an unfounded idea that what they’re doing is right and that everyone else is wrong, regardless. As with other adherents to similar ideologies that utilise such reasoning, they’re incredibly hard to talk rationally to because they already have their conclusion before they have their facts.

The same can be said of people who want cryptographic back doors, or to tap communications. There is no mathematical way to do this without seriously compromising security.

That internet filter was defeated, but I fear this latest bill would be far worse if passed.


Not news, but ed25519 keys are tiny

Software

I owe a significant proportion of my livelihood and personal life to OpenSSH. You likely do too, perhaps without even knowing it. It makes me think where more donation dollars should be going.

RSA keys are still the default, and 2048 bits are still considered sufficient according to the manpage. This is still true, but I use 4096 now given they don’t take that much longer on modern hardware to generate and verify:

$ ssh-keygen -t rsa -b 4096

But since 2017 I’ve been defaulting to ed25519, which has a fixed key length:

$ ssh-keygen -t ed25519

These are generated much quicker, but the real advantage is the key length itself. My 4096 bit RSA private keys are ~3.2 Kb in size, but my ed25519 ones are 464 bytes, six times smaller.

This doesn’t sound all that significant, until you see an example public key:

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMT6zUImsLj7b5xmHJnqflB9pg5rnnXFZlYHUQVxhAFd

At that size, we’re getting into memorisation territory. Trying to bootstrap a new machine, or forgot to bring your keychain? No problem! I say getting into, because my memory is awful enough not to make it feasible. But I could see a sufficiently motivated person doing it.
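
Why the key is that short, as an added example (not from the original post): the base64 part of the line is just two length-prefixed fields, the key type and the 32-byte public key. The parser below reads the key quoted above; the RSA line it compares against is a constructed stand-in with the shape of a 4096-bit key, not a real key.

```python
import base64
import hashlib

# Public key line quoted in the post above.
PAGE_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMT6zUImsLj7b5xmHJnqflB9pg5rnnXFZlYHUQVxhAFd"

def read_fields(blob):
    """Split an SSH wire-format blob into its length-prefixed strings."""
    fields, offset = [], 0
    while offset < len(blob):
        if len(blob) - offset < 4:
            raise ValueError("truncated length prefix")
        length = int.from_bytes(blob[offset:offset + 4], "big")
        offset += 4
        if offset + length > len(blob):
            raise ValueError("field runs past end of blob")
        fields.append(blob[offset:offset + length])
        offset += length
    return fields

def parse_public_key(line):
    """Parse one authorized_keys-style line: '<type> <base64> [comment]'."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    declared, blob = parts[0], base64.b64decode(parts[1], validate=True)
    fields = read_fields(blob)
    if not fields or fields[0].decode("ascii") != declared:
        raise ValueError("key type inside blob does not match the line prefix")
    if declared == "ssh-ed25519" and (len(fields) != 2 or len(fields[1]) != 32):
        raise ValueError("ed25519 public key must be exactly 32 bytes")
    # Same fingerprint form ssh-keygen -l prints: unpadded base64 of SHA-256.
    digest = hashlib.sha256(blob).digest()
    fingerprint = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return {"type": declared, "blob_len": len(blob),
            "field_lens": [len(f) for f in fields], "fingerprint": fingerprint}

def constructed_rsa4096_line():
    """Constructed stand-in with the shape of a 4096-bit RSA key (not a real key)."""
    def field(data):
        return len(data).to_bytes(4, "big") + data
    modulus = b"\x00" + b"\xff" * 512   # 4096 bits plus the mpint sign byte
    blob = field(b"ssh-rsa") + field(b"\x01\x00\x01") + field(modulus)
    return "ssh-rsa " + base64.b64encode(blob).decode()

if __name__ == "__main__":
    for line in (PAGE_KEY, constructed_rsa4096_line()):
        print(parse_public_key(line))
```

The ed25519 blob is 51 bytes against 535 for the RSA-shaped one, which is where the difference in line length comes from.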

As an aside, the ASCII art for that throwaway key was also oddly interesting. My bleary morning eyes saw a double helix, but all I can see now is an airline seat.

+--[ED25519 256]--+
| +o..E.          |
| oo  . .         |
|. . . .    .     |
| . . .. ..+ o    |
|.   =. .SO B .   |
|.  . =.o=.+ +    |
| .o = +.o o.     |
|.o+= + ... +..   |
| ++o. ..  .o=    |

location: sydney


Why rip up functional footpaths?

Hardware

North Sydney workers and residents have been dealing with road works for a while. The stretch of Pacific Highway near the post office and Vodafone buildings had deep excavation pits for what seemed like months. I saw equal parts plumbers and fibre engineers; I guess they were killing two birds with one phone.

But the largest works that have been ongoing since Clara and I moved here two years ago have been the footpaths. The irregular, terraced sandstone everywhere in the suburb is slowly being jackhammered and replaced with uniform blocks. Right now they’re working just outside Greenwood Plaza.

The photo below shows some of the work. Ignore the plain tiles to the bottom-left, that was part of the building behind.

Why are they doing this? The old footpaths were entirely functional, and were already aesthetically appealing. The new tiles aren’t any more attractive; if anything their regular shape is boring by comparison.

The only reason I can fathom is the irregular pattern rendered it bumpier for wheelchair users. But even then, the council were able to grind the previous surface smooth when they were removing graffiti; and I’ll bet it took less effort than removing and resurfacing everything from scratch.

The whole thing is weird.


Ports

Hardware

Every industry has its own parlance, but IT has the additional complexity of using the same word for multiple things. Take this shipping location or a sweet alcoholic beverage:

  • Physical connectors, such as an AT port
  • Network communication end points, at each OSI level
  • Ported software between different OSs or hardware

And to the latter we have:

  • Ports between operating systems, such as FreeBSD ports
  • Ports between architectures, such as NetBSD
  • Ports more accurately referred to as rewrites

I had a dream that I was at a conference discussing disambiguations for various IT terms. They decided physical connectors would be plugs, networks would get an acronym or abbreviation given their predilection for those, and software would refer to different builds. None of which are ideal.

It’s almost as if a conference shouldn’t be left to a sleep deprived solutions architect late at night.


mkfs.xfs on Debian

Software

FreeBSD has newfs for baking UFS volumes, with a handy newfs_msdos shortcut for formatting FAT. mkfs has equivalent shortcuts on Linux for the file systems it supports, as shown by the following tab completion on Debian Stretch:

# mkfs<TAB>  
==> mkfs      mkfs.cramfs  mkfs.ext3  mkfs.minix
==> mkfs.bfs  mkfs.ext2    mkfs.ext4

Minix, that’s so cool! But what if we want xfs?

# apt-get install xfsprogs

Or for those who really know what they’re doing:

- name: "Install xfs tooling"
  apt:
    name: xfsprogs
    state: latest
    update_cache: yes

And now we can bake a new xfs volume:

# whereis mkfs.xfs
==> /sbin/mkfs.xfs

Fate/Grand Order Xmas again

Software

Mash, saying: I must say, Senpai, it's a great day for gift-giving – and Chaldea is in Christmas mode!

Clara and I both played the Fate/Grand Order Christmas event in the English version of the mobile game last year, but the repeat was even more fun this time on account of having more servants and experience.

I don’t know what was more surreal: having Altria Pendragon Archer battling a candy cane sword wielding evil reindeer with her glowing water pistol, or receiving life advice from Saber Alter who’s somehow Santa again, because of course she is.

Altria Pendragon Archer with her absurd tactical water pistol!

Altria Pendragon (Santa Alter) saying: You'd like to see that trumpet in the showcase, huh? Some things are annoying because we can't have them.

But Martha got what she wanted. Careful with that craft essence, it’s ripped.

Martha receiving a rather... ripped craft essence


RMS initials and acronyms

Thoughts

I knew the RMS initials were common as muck, but there were even more than I expected. Ones I knew already:

  • My own name!
  • Richard (Matthew) Stallman
  • Royal Mail Ship, such as RMS Lusitania
  • Roads and Maritime Services, in New South Wales
  • Root mean square, used in electric current
  • Record management systems

And according to Wikipedia:

  • Rights Management Services in Windows Server 2003

Red Hat Forum Sydney 2018

Software

I was able to steal away some work time and go to the Red Hat Forum 2018 in Sydney. Even for a FreeBSD guy these conferences always have great talks. Conveniently, my two favourites were back to back in the same hall this year.

The Multicloud

Brian Hutson showing a multicloud environment.

Juniper’s Brian Hutson talked on the advantages and necessity of multicloud infrastructure. Think of it as hybrid cloud, but with multiple IaaS vendors thrown into the mix, like OrionVM and AWS; or heaven forbid, those other ones.

Some of his key talking points on multicloud:

  • ~85% of enterprises see it as an ideal
  • The best of all worlds for features
  • Redundancy in the event one goes down

But that it introduces potential security pain points:

  • Explosion of policies to govern each type of workload
  • A degree of application traffic opacity: what’s going on?
  • Operational complexity: how does it all work?
  • Lateral threats at scale: microsegmentation
  • Incident response is still largely a manual process
  • Budget

Naturally Juniper had an answer in the form of Contrail Enterprise Multicloud and OpenContrail, which I can’t speak for and haven’t used. But the points he raised were interesting, and speak to concerns I deal with clients about. The key seems to be visibility, however you achieve that.

Ansible at Scale

Richard Hailstorm showing an Ansible best practice tree structure.

But my favourite talk was Richard Hailstorm’s presentation on Ansible at Scale. It was a very different venue from the cozy Tokyo University of Science when Benedict Reuschling did his Ansible workshops at AsiaBSDCon!

Before getting into the technical aspects, I appreciated Richard’s emphasis on the human element to scaling automation. With the tech there’s the culture, people, and processes that govern how effectively a system operates. And the key is to engage with security teams early.

I think we all learned Ansible hacking away on our laptops, and most of my playbooks operate as such. He commented this was fine, but for large projects with multiple contributors it can lead to Spaghetti Ansible, which he admitted sounded tastier than it is.

Richard made the case for Ansible Tower by highlighting shortcomings with that approach, but it could equally apply for well structured playbooks and roles in version control. So I was keen to hear his best practices and recommendations for larger scale Ansible:

  • Git and Ansible, like much of open source, is open to how you want to use it. The key is to build a consistent structure that works for your specific needs.

  • Put variables in group_vars/ instead of inventory. It keeps things clean, and Ansible Tower can interface with it if you end up deciding to use it.

  • Keep your configuration and inventories local to the folder, not in /etc/ansible, for portability.

  • Set your .gitignore to only include requirements.yml in roles/. At scale, roles should be farmed out to their own repos that can be version controlled, tested, and improved by different teams.

  • Use the usual Git branches and pull requests when working on larger projects, such as Master, Testing, and Prod. This was called out specifically because Tower lets you choose a specific branch as a base for a project.

From his slide, this was his recommended repository structure that’s pretty straightforward if you’ve used Ansible before.

ansible
 ├─── group_vars
 │     ├─── all.yml
 │     ├─── dev.yml
 │     ├─── prod.yml
 │     └─── web.yml
 ├─── inventory
 ├─── library
 ├─── roles
 │     └─── requirements.yml
 ├─── .gitignore
 ├─── ansible.cfg
 ├─── deploy.yml
 └─── update.yml
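
One way to check a repository against these recommendations in CI, as an added example that is not from Richard's slides or from Ansible itself. The names audit_repo and build_sample and the sample hosts and values are hypothetical; it assumes an INI-style inventory file and treats any inline key=value there as a variable that should move to group_vars/.

```python
import configparser
import tempfile
from pathlib import Path


def audit_repo(root):
    """Return findings for an Ansible repo at `root`; an empty list means clean."""
    root, findings = Path(root), []

    # Configuration and inventory local to the folder, not /etc/ansible.
    cfg = configparser.ConfigParser(interpolation=None)
    if not cfg.read(root / "ansible.cfg"):
        findings.append("ansible.cfg missing from repo root")
    else:
        inventory = cfg.get("defaults", "inventory", fallback="")
        if not inventory or Path(inventory).is_absolute():
            findings.append("ansible.cfg: inventory must be a relative path")

    # roles/ is ignored apart from requirements.yml.
    gitignore = root / ".gitignore"
    rules = gitignore.read_text().split() if gitignore.is_file() else []
    if "roles/*" not in rules or "!roles/requirements.yml" not in rules:
        findings.append(".gitignore: keep only roles/requirements.yml tracked")

    # Variables belong in group_vars/, not inline in an INI inventory.
    inv = root / "inventory"
    lines = inv.read_text().splitlines() if inv.is_file() else []
    for number, line in enumerate(lines, 1):
        text = line.split("#", 1)[0].strip()
        if text.endswith(":vars]") or ("=" in text and not text.startswith("[")):
            findings.append(f"inventory:{number}: move variables to group_vars/")
    if not (root / "group_vars").is_dir():
        findings.append("group_vars/ directory missing")
    return findings


def build_sample(root, inventory_text, ignore_text):
    """Write a constructed sample repo (hypothetical hosts and values)."""
    root = Path(root)
    (root / "group_vars").mkdir()
    (root / "group_vars" / "web.yml").write_text("http_port: 8080\n")
    (root / "ansible.cfg").write_text("[defaults]\ninventory = ./inventory\nroles_path = ./roles\n")
    (root / "inventory").write_text(inventory_text)
    (root / ".gitignore").write_text(ignore_text)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp, "[web]\nweb1.example.com http_port=8080\n", "*.retry\n")
        for finding in audit_repo(tmp):
            print(finding)
```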

I also asked him and his team back at the booth some more questions:

  • They said you can technically merge your deployment and update scripts given Ansible is idempotent, but that it’s recommended to have update scripts separate for performance and clarity.

  • And yes, I was allowed to take stickers, hats, and other schwag. I now have a Red Red Hat Hat. I got one of the engineers to admit the logo may be changing soon, so it may soon be a collector’s item.

Thanks everyone at the event for putting on a good show.