Same sort of deal as the previous post. Let’s say you are trying to understand why you are getting a 404 when you access a host from within a container, but not from outside. So you help yourself to a little bash-fu:

# open a TCP socket to <host>:<port> on fd 3 (bash's /dev/tcp, no curl needed)
exec 3<>/dev/tcp/<host>/<port>
echo -e "GET /ubuntu/dists/bionic-security/InRelease HTTP/1.1\r\nhost: <host>\r\n\r\n" >&3
cat <&3

You run it, and it says:

HTTP/1.1 404 Not Found
date: Sun, 30 Sep 2018 21:22:22 GMT
server: envoy
content-length: 0

Hmm. Envoy. I’m missing an egress rule in Istio!

This strategy of using the tools that already exist is sometimes called ‘living off the land’ in the cyber-security space. The anti-virus won’t catch you since you are not installing anything, merely using what is there differently.

Didn’t think someone could exfiltrate data from your system because it doesn’t have perl & curl? Think again, bash fans!
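The same probe as above, wrapped as functions and with a parser for the answer, as an added example (not code from the original post). http_probe needs bash because /dev/tcp is a bash feature; the host name is left as a placeholder, and the sample response is a constructed copy of the one shown above.

```bash
# http_probe HOST PORT [PATH] -> raw HTTP response on stdout (bash only:
# /dev/tcp is a bash feature, so this function does not work under dash)
http_probe() {
    local host=$1 port=$2 path=${3:-/}
    exec 3<>"/dev/tcp/${host}/${port}" || return 1    # fd 3 = TCP socket
    printf 'GET %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n' "$path" "$host" >&3
    cat <&3                                            # read until the server closes
    exec 3>&-
}

# parse_response RAW -> "STATUS SERVER", e.g. "404 envoy" ("unknown" if no Server header)
parse_response() {
    local status server
    status=$(printf '%s\n' "$1" | head -n 1 | tr -d '\r' | awk '{ print $2 }')
    server=$(printf '%s\n' "$1" | tr -d '\r' |
             awk -F': ' 'tolower($1) == "server" { print $2; exit }')
    printf '%s %s\n' "$status" "${server:-unknown}"
}

# diagnose RAW -> one-line interpretation: a 404 answered by envoy for a URL that
# works outside the mesh points at the sidecar (no egress route), not the origin
diagnose() {
    set -- $(parse_response "$1")
    if [ "$1" = "404" ] && [ "$2" = "envoy" ]; then
        echo "404 from envoy sidecar: check Istio egress rules/ServiceEntry for this host"
    else
        echo "status $1 served by $2"
    fi
}

# Constructed copy of the response seen above, so the parser can be exercised offline
SAMPLE_RESPONSE=$(printf 'HTTP/1.1 404 Not Found\r\ndate: Sun, 30 Sep 2018 21:22:22 GMT\r\nserver: envoy\r\ncontent-length: 0\r\n\r\n')

# Live use from inside the container (needs network; HOST is a placeholder):
#   diagnose "$(http_probe HOST 80 /ubuntu/dists/bionic-security/InRelease)"
```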

We’ve all been there. You are curious what container-A resolves container-B to. But, since you believe in security, you have carefully made sure container-A is as close to ‘distroless’ as possible. You’ve made the filesystem read-only, no privileges are present, and there are no tools.

You now come along later and run ‘kubectl exec -it … sh’. And then you curse past-you for those short-sighted security decisions! How can you find out what it thinks the IP of container-B is without recompiling?

Well, here’s a tip for you. ‘getent’ is part of libc.

# dpkg -S /usr/bin/getent 
libc-bin: /usr/bin/getent

This means you can simply run:

getent hosts rabbitmq-7c5fbf778d-mrqmt

and it will tell you how it resolves. Magic! No need to install dig/host/nslookup. No need to try and write a DNS packet with bash and use /dev/udp.

root@rabbitmq-7c5fbf778d-mrqmt:/$ apt-get update
E: List directory /var/lib/apt/lists/partial is missing. - Acquire (30: Read-only file system)
E: Could not open lock file /var/lib/dpkg/lock - open (2: No such file or directory)
E: Unable to lock the administration directory (/var/lib/dpkg/), are you root?
root@rabbitmq-7c5fbf778d-mrqmt:/$ host front-end-74698f5fc7-zxfzb
bash: host: command not found
root@rabbitmq-7c5fbf778d-mrqmt:/$ nslookup front-end-74698f5fc7-zxfzb
bash: nslookup: command not found
root@rabbitmq-7c5fbf778d-mrqmt:/$ dig front-end-74698f5fc7-zxfzb
bash: dig: command not found
root@rabbitmq-7c5fbf778d-mrqmt:/$ getent hosts front-end-74698f5fc7-zxfzb front-end-74698f5fc7-zxfzb
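The getent trick as a small resolver function, added here as an example (not code from the original post): it takes the address column from getent’s "ADDRESS NAME [ALIAS...]" output, and falls back to scanning a hosts(5) file directly for images that lack even getent. The pod address in the sample is constructed.

```bash
# resolve NAME -> first address getent returns for NAME (an IPv6 address may come
# first; use `getent ahostsv4` instead of `getent hosts` if you need an IPv4 answer)
resolve() {
    if command -v getent >/dev/null 2>&1; then
        first_addr "$(getent hosts "$1")"
    else
        # no getent at all: /etc/hosts is all we can consult without DNS tooling
        hosts_lookup "$1" /etc/hosts
    fi
}

# first_addr GETENT_OUTPUT -> the address column of the first line
# (getent hosts prints "ADDRESS NAME [ALIAS...]", one line per address)
first_addr() {
    printf '%s\n' "$1" | awk 'NR == 1 { print $1 }'
}

# hosts_lookup NAME FILE -> address of the first hosts(5) line that names NAME
hosts_lookup() {
    awk -v n="$1" '
        /^[[:space:]]*#/ { next }                         # comment line
        { for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }
    ' "$2"
}

# Constructed sample of what `getent hosts` prints for a pod name (address is made up)
SAMPLE_GETENT='10.42.0.7        front-end-74698f5fc7-zxfzb'
```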

Lasers. Once thousands of dollars, now cat toys from the dollar store. What a time we live in. And now they are on my bike. I purchased the Ampulla C1; it gives you a rear light, turn lights, brake lights, and laser lines on the road to encourage traffic to give you some space.

Now, the lasers are not incredibly bright, so during daylight they are useless. But here you can see a picture in my garage; it’s reasonably bright in there and they still show, so I’m optimistic for the full-on dark.

The unit has an 18650 battery in it and charges via micro-USB. A hack for another day is to drive it off the main battery. It also comes with a wireless handlebar-mounted remote control.

Will it save my life? If I’m still alive next week the answer was yes!

So I’m finding it very hard to see these days. It’s not getting better, and it’s very demoralising. Carpet bombing my life with reading glasses has helped, as have large fonts, bright lighting, high contrast, and large displays. But even still it’s not enough.

Screen magnifiers are a bit of a pain to use. Tools like ‘kmag’ put a window in the lower left, and as you move the mouse it shows a larger version of what’s under it. But you lose the context. Continuing to magnify the screen or change font-size is counter-productive since you can’t get enough information on the screen. So what to do?

Well, let’s try this. In your ~/.xbindkeysrc file, add these two lines:

"qdbus org.kde.kglobalaccel /component/kwin invokeShortcut view_zoom_in"
    alt + b:4
"qdbus org.kde.kglobalaccel /component/kwin invokeShortcut view_zoom_out"
    alt + b:5

And then restart xbindkeys. So what does this do? Well, when I press ‘alt’ and scroll (either with the scroll wheel or the touchpad), the scroll is converted into a zoom in/out. When zoomed in, pan is active, so if I move the mouse right or left, the view follows. You can see in the video.

Is it enough? No, but my robot eyes were accidentally sent to Steve Austin some years ago so it will have to do.

Yesterday was the AGM for the Canadian Internet Registry (CIRA). And coincident with that, the voting for the next slate of board of directors started. I am running for a board member, and would appreciate your vote. If you have a .ca domain name, you are a member. You had to be a member by Sept 6 (21 days prior) to vote. The vote link is here.

Now, on going to that link, many of you will be presented with an SSL error. This is not good. It is using a distrusted certificate authority (and no CAA record!). Tsk tsk. I posted about this on the discussion board here, feel free to chip in with your $0.02.

And get out and vote, you .ca’ers.

And for gosh sakes, check that your own sites are:

  • SSL-enabled
  • SSL-only (30x redirect from the non-SSL name, e.g. http://foo moves you to https://foo)
  • Have HSTS enabled, with long duration
  • Have a CAA record
  • Use SHA256 not SHA1
  • Have a valid, trusted certificate
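A way to check that list against your own sites, added here as an example (not code from the original post). Each check parses captured tool output so it can be tested offline; the audit function feeds them live from curl, dig and openssl (all assumed installed), and the 180-day HSTS threshold is my assumption for "long duration".

```bash
# hsts_max_age HEADERS -> max-age from Strict-Transport-Security, or 0 if absent
hsts_max_age() {
    printf '%s\n' "$1" | tr -d '\r' | tr 'A-Z' 'a-z' |
        awk -F'max-age=' '/^strict-transport-security:/ { split($2, a, /[^0-9]/); print a[1]; found = 1; exit }
                          END { if (!found) print 0 }'
}

# redirects_to_https HEADERS -> success if this (plain-http) response is a 30x to an https:// URL
redirects_to_https() {
    printf '%s\n' "$1" | tr -d '\r' |
        awk 'NR == 1 && $2 !~ /^30[1278]$/ { exit 1 }
             tolower($1) == "location:" && $2 ~ /^https:\/\// { ok = 1 }
             END { exit ok ? 0 : 1 }'
}

# has_caa DIG_SHORT_OUTPUT -> success if `dig +short CAA` showed an issue/issuewild record
has_caa() {
    printf '%s\n' "$1" | grep -qE '^[0-9]+[[:space:]]+issue(wild)?[[:space:]]'
}

# cert_sig_is_sha2 X509_TEXT -> success if the cert is signed with SHA-256/384/512, not SHA-1
cert_sig_is_sha2() {
    printf '%s\n' "$1" | grep -qiE 'Signature Algorithm: *(sha(256|384|512)with|ecdsa-with-sha(256|384|512))'
}

# audit HOST: run the checklist live (needs network, curl, dig and openssl).
# curl exits non-zero on an untrusted chain, which covers the "valid trusted certificate" item.
audit() {
    local host=$1 hdrs age
    redirects_to_https "$(curl -sI "http://$host/")" && echo "ok: http redirects to https" || echo "FAIL: no https redirect"
    hdrs=$(curl -sI "https://$host/") || { echo "FAIL: TLS error (untrusted chain or no https)"; return 1; }
    age=$(hsts_max_age "$hdrs")
    [ "$age" -ge 15552000 ] && echo "ok: HSTS max-age=$age" || echo "FAIL: HSTS max-age=$age (assumed minimum: 180 days)"
    has_caa "$(dig +short CAA "$host")" && echo "ok: CAA record" || echo "FAIL: no CAA record"
    cert_sig_is_sha2 "$(openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null |
                        openssl x509 -noout -text)" && echo "ok: SHA-2 signature" || echo "FAIL: SHA-1 signature"
}
```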