Angelesen #65

And another week in the books – Lots of things going on currently and I wanted to finish one of my other blog posts, but that didn’t make it past the draft stage yet. I might try to join the #100DaysToOffload challenge at some point. This week: a lot of EOLed software (bye Flash 👋), AWS Snowball Edge computing and the occasional security topic (hint: it’s about QR codes) – enjoy.

endoflife.date (endoflife.date)

This site maintains quick links for checking End Of Life dates for various tools and technologies.

Always a good resource if you need to get the EOL date of a particular software quickly.

Adobe Flash Player End of Life (adobe.com)

As previously announced in July 2017, Adobe will stop distributing and updating Flash Player after December 31, 2020 (“EOL Date”).

Flash is a thing of the past. And its distribution will stop at the end of the year 🎉

Introducing AWS Snowcone – A Small, Lightweight, Rugged, Secure Edge Computing, Edge Storage, and Data Transfer Device (aws.amazon.com)

The title is already a mouthful – but carry on:

Like other Snow Family devices, Snowcone includes an E Ink shipping label designed to ensure the device is automatically sent to the correct AWS facility and to aid in tracking. It also includes 2 CPUs, 4 GB of memory, wired or wireless access, and USB-C power using a cord or the optional battery. There’s enough compute power for you to launch EC2 instances and to use AWS IoT Greengrass.

The use cases for being able to ship a tiny bit of compute (or, with a Snowball Edge, a bit more compute) to any location are interesting.

Also, AWS announced the Snowball Edge updates around a month ago:

The newest Snowball Edge Storage Optimized devices feature 40 vCPUs and 80 GB of memory, up from 24 and 48, respectively. The processor now runs at 3.2 GHz, allowing you to launch more powerful EC2 instances that can handle your preprocessing and analytics workloads even better than before. In addition to the 80 TB of storage for data processing and data transfer workloads, there’s now 1 TB of SATA SSD storage that is accessible to the EC2 instances that you launch on the device. The improved data transfer speed that I mentioned earlier is made possible by a new 100 Gigabit QSFP28 network adapter.

That’s a looot of compute for this box 🙂

Turn on MFA Before Crooks Do It For You (krebsonsecurity.com)

But people who don’t take advantage of these added safeguards [2FA] may find it far more difficult to regain access when their account gets hacked, because increasingly thieves will enable multi-factor options and tie the account to a device they control. Here’s the story of one such incident.

That hurts if you get locked out by someone else enabling MFA for you.

100 Days To Offload (100daystooffload.com)

#100DaysToOffload is a simple concept that Kev Quirk thought of one day. The rationale behind the whole thing is to challenge people to publish 100 posts on their personal blog in a year. That’s approximately 1 post every 3.5 days.

This is a great initiative. Not sure if I can keep up with that, but there are a few things I’d like to write about. I first saw this initiative on Mastodon, where I found a few great articles last week.

Swiss QR Code Invoices for Phun and Profit (blog.compass-security.com)

The QR code invoice aims to reduce the four types into one handy “Swiss QR Code” Invoice which would allow the use of existing and maintained technology (like the ZXing library) to read the code. This way, users can scan it with their smartphone (even without E-Banking App) and see the contents of it. It also means that developers do not need to handle different types of “ESR” codes, thus making development easier or at least more maintainable.

But is this solution reliable and secure?

Not sure if a QR Code is the best way to go…

Intel + ARM Performance Characteristics for S3 Compatible Object Storage (blog.min.io)

Let us start by saying that, for all practical purposes, both the Intel and ARM platforms provide plenty of computational power to saturate even the fastest networking speeds and NVMe drives. So in that sense both are perfectly capable of fulfilling the highest performance demands placed upon MinIO’s object storage server.

Having said that, what is clear is that the ARM architecture, with the introduction of the Graviton2 processor by AWS, has closed the performance gap to Intel and even surpassed it for multi-core performance.

ARM is everywhere 🙂 And most likely the future – Back to RISC!

Helium shortage has ended, at least for now (physicstoday.scitation.org)

As demand for party balloons—which account for 10% or more of total helium use, according to market consultant Phil Kornbluth—disappeared in March, and as industrial demand slowed in concert with shelter-in-place orders, the global helium supply crunch of the past two years abruptly ended. “It was like somebody flipped a light switch. It went from shortage to an ample supply within a month,” says Kornbluth. The current supply situation, he says, is “between ample and plentiful.”

We all heard about the issues around oil, but I would never have thought that helium sees similar dynamics.

Ebay is port scanning visitors to their website – and they aren’t the only ones (blog.nem.ec)

To summarize what we’ve found so far:

  • Ebay collects data on whether certain ports are open on your local PC
  • This data is shipped to an Ebay domain, but does not seem to be used otherwise
  • Additional data like User Agent and IP are also sent

First I thought that it’s "just" a little portscanning, but:

It’s not just Ebay scanning your ports, there is allegedly a network of 30,000 websites out there all working for the common aim of harvesting open ports, collecting IP addresses, and User Agents in an attempt to track users all across the web. And this isn’t some rogue team within Ebay setting out to skirt the law, you can bet that LexisNexis lawyers have thoroughly covered their bases when extending this service to their customers (at least in the U.S.).

Technically, the open ports and the other metrics gathered via the port scan give you yet another fingerprint to track people with later.

Angelesen #64

The hiatus is real – There were so many articles piled up in the stack that I decided to restart from scratch and just pick a few that I ran into in the past few weeks. From bash scripts to AWS EC2 Spot instances to the usual surveillance topics. Enjoy.

Take care editing bash scripts (thomask.sdf.org)

So be careful running editing a bash script that may be currently executing. It could execute an invalid command, or do something very surprising.

If you ever wondered what happens when you edit the file of a running bash script – tl;dr – DON’T!
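The behaviour behind that warning, as an added example that is not from the linked article: a throwaway script appends a command to its own file while bash is running it, and bash executes the appended command; wrapping the body in a function and calling it with `exit` on the same line is the common workaround. It assumes bash and mktemp are available.

```shell
#!/bin/sh
# Added example (not from the linked article): shows that bash reads a script
# file incrementally, so text appended to the file while it is running gets
# executed, and a common pattern that defuses this. Needs bash and mktemp.

# Write a throwaway script that appends a command to its own file mid-run,
# execute it with bash, and return its output. Style "unsafe" is a plain
# top-to-bottom script; "guarded" wraps the body in main() and exits on the
# same line that calls it.
run_self_modifying() {
  style="$1"
  f=$(mktemp) || return 1
  if [ "$style" = "unsafe" ]; then
    cat >"$f" <<'EOF'
echo start
# stands in for an editor writing a longer file while the script runs;
# running an external command makes bash re-read the file afterwards
sh -c 'printf "echo INJECTED\n" >> "$1"' sh "$0"
EOF
  else
    cat >"$f" <<'EOF'
main() {
  echo start
  sh -c 'printf "echo INJECTED\n" >> "$1"' sh "$0"
}
# main and exit sit on one line: bash parses the whole line before running
# it and never reads beyond it, so the appended command is never executed
main "$@"; exit
EOF
  fi
  bash "$f"
  rm -f "$f"
}

# Stand-alone demonstration: the unsafe script runs the injected command,
# the guarded one does not.
echo "unsafe:  $(run_self_modifying unsafe | tr '\n' ' ')"
echo "guarded: $(run_self_modifying guarded | tr '\n' ' ')"
```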

The definitive guide to running EC2 Spot Instances as Kubernetes worker nodes (itnext.io)

The title gives it away: a very good and complete primer on running EC2 Spot instances as K8s worker nodes 🙂

Why is Kubernetes getting so popular? (stackoverflow.blog)

A good high level primer why Kubernetes is so popular these days.

Coming from the world of Puppet and Chef, one of the big shifts with Kubernetes has been the move from infrastructure as code towards infrastructure as data—specifically, as YAML. All the resources in Kubernetes that include Pods, Configurations, Deployments, Volumes, etc., can simply be expressed in a YAML file.

Infrastructure as Code – FTW!

One of the main challenges developers face in the future is how to focus more on the details of the code rather than the infrastructure where that code runs on.

Guess what my dayjob is… 😉

Zoom fatigue: why video chats are so exhausting (nzz.ch)

When we talk to each other online, we try to fill in and compensate for the missing stimuli. «In video conferences we invest a lot of mental energy in inferring missing social cues. We are constantly – partly unconsciously – filling in and interpreting this social situation. At the same time we process what is being said and keep the dialogue going. Our cognitive capacity to do all of this at once is limited. That strains us – and makes us tired», says Zahn.

The Quick and Dirty Tear Gas Primer (blog.totallynotmalware.net)

Because tear gas is a commonly-used dispersal tactic all around the world, here is a primer containing all the basic information you need to deal with it before, during, and after exposure.

Handy hints for – who knows when…

How we reduced the AWS costs of our streaming data pipeline by 67% (taloflow.ai)

A good overview of how to rethink large infrastructures to run more cost-efficiently on AWS.

Slack partners with Amazon to take on Microsoft Teams (theverge.com)

Slack is partnering with Amazon in a multiyear agreement that means all Amazon employees will be able to start using Slack. The deal comes just as Slack faces increased competition from Microsoft Teams, and it will also see Slack migrate its voice and video calling features over to Amazon’s Chime platform alongside a broader adoption of Amazon Web Services (AWS).

tl;dr: Slack is switching to Amazon Chime for voice and video calling

De-escalation Keeps Protesters And Police Safer. Departments Respond With Force Anyway. (fivethirtyeight.com)

One thing they will tell you is that when the police respond by escalating force — wearing riot gear from the start, or using tear gas on protesters — it doesn’t work. In fact, disproportionate police force is one of the things that can make a peaceful protest not so peaceful. But if we know that (and have known that for decades), why are police still doing it?

This article goes deep into studies around using force against demonstrations.

Experts say the following decades of research have turned up similar findings. Escalating force by police leads to more violence, not less. It tends to create feedback loops, where protesters escalate against police, police escalate even further, and both sides become increasingly angry and afraid.

De-Escalation would be key…

We Chat, They Watch: How International Users Unwittingly Build up WeChat’s Chinese Censorship Apparatus (citizenlab.ca)

We found that documents and images that were transmitted entirely among non-China-registered accounts were analyzed for Chinese political sensitivity. Upon analysis, files deemed politically sensitive were used to invisibly train and build up WeChat’s Chinese political censorship system. We also conducted analysis of WeChat’s public-facing policy documents, made data access requests, and engaged with Tencent data protection representatives to assess whether those methods could also explain, or uncover, the content surveillance carried out towards international users’ communications. We found that none of the information WeChat makes available to users explains the rationales for such surveillance or the transmission of content hashes from WeChat International to WeChat China.

It’s a long read but a really good one if you want to learn more about how WeChat builds a huge censorship apparatus.

Stay-home Diaries

So obviously most countries suggest or force their citizens to stay home. Not a huge change on my side, as I work from home regularly – but it’s pretty interesting when work from home (WFH) is forced upon a lot of people.

Notable things

  • All windows were cleaned within 48 hours of starting to work from home full-time
  • Fixed my bike (finally!)
  • Improvised a standing Desk after 3 Days – To get moving around sometimes
  • We cook a lot!
  • We also bake a lot of bread – Don’t underestimate a good fresh bread
  • Good Internet matters (always)
  • A shift in “what’s considered normal” e.g. seeing an advert where people stand in a crowd feels like from a distant past
  • An interest in Gardening – Let’s see where that leads to.
  • Getting to know our Neighbours and sharing food or even baking a loaf of bread too much and passing it on.
  • The first week where the majority of the population was forced to work from home was not really productive, as everyone started to communicate on any channel and ask for best practices on video conferencing and how to use chat
  • Limiting media usage is key – see Screentime
  • Taking breaks and enforcing lunchtime is needed – it’s too easy to just work through it – Thinking about getting back and trying out the Pomodoro technique again.
  • Good media outlets like public broadcasting (e.g. SRF, Swissinfo) or Republik are priceless
  • Good Podcasts as well e.g. NDR Coronavirus-Update mit Christian Drosten
  • After 10-14 days I stopped paying attention to the concepts of weekdays

Currently, I’m somewhere around 37 days into this. And I originally started typing this list 17 days ago… so there will be a follow-up.

Angelesen #63

A lot has been written in the past about static websites, but the past few weeks showed this pretty clearly – the web needs to adapt and change. Dynamic websites can only hold up to so much traffic, and in the end – ask yourself – does the website really need to be dynamic?

Update #2 on Microsoft cloud services continuity (azure.microsoft.com)

We have seen a 775 percent increase of our cloud services in regions that have enforced social distancing or shelter in place orders.

The cloud is being used… a lot!

How to burn the most money with a single click in Azure (mijailovic.net)

After Corey asked to find the most expensive AWS resource people started looking in other places too 😂

In praise of S3, the greatest cloud service of all time (info.acloud.guru)

But S3 has become so much more than just a storage repository. As a static web server, S3 dishes up content for hundreds of thousands of websites including Netflix, Wikipedia, and the New York Times. In fact, the world has “standardized” on S3 APIs to such an extent that Google’s competing service just supports them out of the box.

Agreed 🙂

Inside the Story of How H-E-B Planned for the Pandemic (texasmonthly.com)

Long read on how H-E-B planned for the pandemic.

cancel all future O’Reilly in-person conferences and close down this portion of our business (oreilly.com)

Today, we’re sharing the news that we’ve made the very difficult decision to cancel all future O’Reilly in-person conferences and close down this portion of our business. Without understanding when this global health emergency may come to an end, we can’t plan for or execute on a business that will be forever changed as a result of this crisis. With large technology vendors moving their events completely on-line, we believe the stage is set for a new normal moving forward when it comes to in-person events.

The post-pandemic world for conferences will be split into two groups: the ones that aren’t able to adapt to a new reality where it might not be possible to run events with several thousand attendees, and the ones who adapt quickly and start to push a lot of conferences online. The main question there is… will we still pay $1000+ for conference tickets – I highly doubt it.

Will AirBnb Go Bankrupt? and When? (thehftguy.com)

Unpopular opinions there 🙂 But after seeing how many flats got flushed back onto the normal rental market in Dublin in the wake of the current situation, it’s clear that AirBnB has a lot of downsides. But maybe we will see a rent-price decline across a lot of cities.

Get Static (meyerweb.com)

If you are in charge of a web site that provides even slightly important information, or important services, it’s time to get static.

Get Static I

Picking Up Glowing Hot Space Shuttle Tiles with Bare Hands (kottke.org)

Ok this is just epic!

Emergency Website Kit (mxb.dev)

In cases of emergency, many organizations need a quick way to publish critical information. But existing (CMS) websites are often unable to handle sudden spikes in traffic.

Get Static II

4.2" and 7.5" NFC-powered e-Paper Displays Work without Battery (cnx-software.com)

Awww yes! Do want!

Migros logistics makes a special effort (migros.ch)

Very well written article in German on how one of the biggest retailers deals with increased demand.

Here’s What a Googol-to-One Gear Ratio Looks Like (kottke.org)

Google’s Abandoned Android Authenticator App (shkspr.mobi)

For two-and-a-half years, Google hasn’t touched their 2FA app’s code. Perhaps it is perfect? Perhaps there are no more UI improvements or security enhancements that can be done? Or, more likely, it joins a long graveyard of Android apps – launched optimistically and then abandoned.

If you are still using the Google Authenticator App – Switch to something that makes sense… like Authy.

Certificate lifetime capped to 1 year from Sep 2020 (scotthelme.co.uk)

It’s finally happening! We’ve had 2 failed attempts through the CA/B Forum and now Apple has decided to enforce a maximum lifetime of 398 days on certificates issued from 1st Sep 2020.

If you are in a Let’s Encrypt world… long-running certificates feel like a very strange construct from the past.

Hacking for humanity: bag-cache.nrdy.ch

It’s been an interesting week so far. But I was saddened by the fact that the website of the Federal Office of Public Health in Switzerland was struggling and couldn’t withstand the traffic that was coming in. To be fair, I don’t have the slightest idea how much traffic was coming in – but having run quite a few big websites in the past few years, I feel this issue could have been prevented. Needless to say, this is critical infrastructure and should be available. After a few tweets Chregu set up a cache via CloudFront and extended it later with an Nginx/Varnish combination. His mirror is available at https://bag.rokka.io/

I didn’t have too much time on Friday during the day to play around but had some ideas and always wanted to try out the Nginx proxy caching.

Enter bag-cache.nrdy.ch

It’s pretty simple but needed a few yak-shaving moments. I used the nginx-cache from Paweł Mendelski as a starting point to get everything going. Currently, it caches every request for 10 minutes, tries to refresh content in the background, and serves stale content if the cache can’t be updated after those 10 minutes. The core config of the whole thing:

    location / {
      expires 30d;                                # Expires/Cache-Control headers for visitors' browsers
      proxy_cache cache_zone;
      proxy_cache_lock on;                        # only one request populates a missing entry
      proxy_cache_revalidate on;
      proxy_cache_background_update on;           # refresh expired entries while serving the stale copy
      proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
      proxy_cache_valid 200 302 301 10m;          # entries are considered fresh for 10 minutes
      proxy_cache_key $scheme://$host$request_uri;
      proxy_pass https://www.bag.admin.ch$request_uri;
      proxy_set_header User-Agent "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36 (never gonna give you up, never gonna let you down - bag-cache.nrdy.ch - operated by bastian@amazee.io)";
      proxy_set_header Host www.bag.admin.ch;
      proxy_set_header Accept-Encoding ""; # no compression allowed or next won't work (sub_filter only sees uncompressed bodies)
      # note: sub_filter_once is on by default, so each string is replaced once per response
      sub_filter "<!-- begin: container -->" "<p style='width: 100%; height: 100px; padding: 30px;'> ⚠️ This is a cached version and non-authoritative mirror of <a href='https://www.bag.admin.ch'>www.bag.admin.ch</a> for faster access during demanding times. It should be up to date around 10 minutes of delay.</p><!-- begin: container -->";
      sub_filter "https://www.bag.admin.ch/" "https://bag-cache.nrdy.ch/";
      add_header X-Cached $upstream_cache_status;  # HIT/MISS/STALE/UPDATING, handy for debugging
      add_header X-Cache-Server "amazeeio/nginx-cache";
      add_header X-Robots-Tag "noindex, nofollow"; # keep the mirror out of search indexes
      add_header X-LAGOON $hostname always;
      proxy_ignore_headers "Set-Cookie";          # upstream cookies must not prevent caching
      proxy_ignore_headers "Expires";
      add_header set-cookie "";
      proxy_hide_header "x-content-type-options";
      proxy_hide_header "Set-Cookie";             # never pass upstream cookies on to visitors
    }

Way too much time was spent on figuring out why Nginx’s sub_filter didn’t work. In the end this was because sub_filter does not unpack compressed backend responses. Fixed that by setting proxy_set_header Accept-Encoding "";. I’m also trying to be a good citizen and letting them know in the User-Agent string who to reach out to if they don’t like the traffic from my mirror. Plus I switched off access logging of the mirror, as I don’t care who visits the site – I only see hits/misses and the URI that has been hit.

The whole thing is built into a Container and then spun up on amazee.io.

Code can be found on GitHub – after all, it’s not rocket science and far from perfect – just a little bit of elbow grease and trying to handle caching gracefully. I hope it’s of use to someone.