Containers are a decent technology, whether they’re FreeBSD’s Jails, Solaris Zones or Linux’s version. Linux comes with the LXC tools, which can be quite useful for managing the containers. If you’re happy to use NAT in front of each container, or a proxy (such as SSH configuration using ProxyCommand to ssh to the containing host) or a web-proxy in front of services, the defaults are decent enough; to be able to directly connect to a container service, you want the containers to be on a network which is reachable from outside that machine.
Effective immediately, I will no longer be issuing CACert assurances. My disillusionment has just boiled over, to a level where I do not want to expend any more energy supporting a project where politics has won out over practical security. While it’s a shame that politics elsewhere have kept the CACert root certificate out of browser default trust anchors, CACert remained useful enough as a “private CA which other technical people can probably verify more readily than a certificate from my own CA”.
I’ve had a few people ask me about Bitcoin recently. Rather than repeat myself more than I already have, I’m going to collect together some insightful links and copy/paste liberally from a public Facebook post’s comments, where I wrote on the topic when asked. My thanks to Marc Whitmore for prompting the initial discussion, hosting my diatribe in his comments with nary a cross word, and generally being a true gentleman.
As I mentioned in Forthcoming blog move, I was planning to switch my site hosting away from Google Blogger. Of course, that post was back in September. I just spent a little time applying the fixes needed to have some basic styling; on the advice of my colleague Jon, I took a look at Foundation as a site framework; major points in its favour are that it touts semantic markup and accessibility, which are two issues that matter to me.
A colleague recently enthused about TCP FastOpen being in the Linux kernel; being a grumpy old fart, this troll had ignored such things as always being security holes, such as T/TCP proved to be. So I just looked back over LWN’s article on the topic, to better understand why we might want to enable this on our webservers. As far as I can see, if you have a path link where others can observe Server→Client traffic, but not influence its routing, and can inject packets without being subject to BCP 38 Network Ingress Filtering, then TCP FastOpen lets an attacker send data, using a purloined TCP cookie, and have it acted upon by a server without the server verifying that the stated IP really did send the traffic, bypassing source-bound security checks.