Welcome to the Weekly Security Link Dump for the week of May 18th! This week, we'll take a look at some new tech, some broken crypto, and a few guides to help you improve the security of your workstation and your product.
After several high-profile articles calling for the deprecation of plaintext HTTP recently, the new HTTP/2 RFC has arrived! While it doesn't explicitly mandate SSL/TLS (though in practice browsers only speak HTTP/2 over TLS), HTTP/2 definitely has some improvements from a security perspective. Unfortunately, the Open Smart Grid Protocol has not had such good news this week, as researchers uncovered serious issues with some of its non-standard cryptographic algorithms. You can find out more about these and other topics below the fold.
If you have any feedback about this week's links, the format of these posts, or anything else, please let me know!
Hello! This is the first post in a series that will bring you new and interesting links every week from the perspective of a Rackspace Security Engineer. I try to include links that are useful/interesting to a general audience, so you don't have to be an "uber 1337 h4x0r" to enjoy them. If you have any comments, or if you want to submit a link, feel free to leave a comment or catch me on Twitter.
As the look and feel of the cloud evolves, matures, and moves toward mainstream adoption, the Solution Architects, Developers, and Infrastructure Engineers of enterprises face the challenge of deciding which technologies to consume. Should I go with something that requires vendor licensing? Or should I look to Open Source technologies, such as OpenStack? And if you do decide that OpenStack meets your technology needs, how do you best lay out its pros and cons for your senior leadership?
Those of us who have ever had to stand in front of their Director/CTO/CIO and figuratively 'fight' for a particular technology/product completely understand that this task is not for the faint of heart. I can remember very vividly holding index cards in my hands with bullet points, as I was attempting to lay out all the reasons why OpenStack should be the company's next major infrastructure shift. Being prepared for this conversation is critical to the enterprise's overall architecture, so you need to articulate clearly why OpenStack is the best choice. You can never be too prepared. There will always be questions that you, as a technology advocate, will not even think of. In my opinion, being prepared is key. So let's start on our technology layer cake.
Architecting applications for a cloud environment usually means treating each cloud server as ephemeral. If you destroy the cloud server, the data is destroyed with it. But, you still need a way to persist data. Cloud block storage has typically been that solution. Attach cloud block storage to a cloud server, save your data within that cloud block device, and when/if the cloud server is destroyed, your data persists and can be re-attached to another cloud server.
At first glance, Ansible and Docker seem to be redundant. Both offer solutions to the configuration management problem through very different means, enabling you to reliably and repeatably manage complicated software deployments. While you certainly can use either on its own with great success, using both together can result in a fast, clean deployment process.
There are two ways that you can combine them, both useful for different reasons. You can use Ansible to orchestrate the deployment and configuration of your Docker containers on the host, or you can use Ansible to construct your Docker container images based on Ansible playbooks as a more powerful alternative to Dockerfiles.
Since the release of Gophercloud v1.0 in October 2014, we've been working hard to bring the library into parity with the other Rackspace SDKs. In addition to the services supported at the time of the release (Cloud Identity, Cloud Servers, Cloud Files, and Cloud Block Storage), Gophercloud now supports the following Rackspace services:
A Getting-Started guide for Cloud Load Balancers exists, and similar guides for the other services are being created.
PyCon 2015, the annual Python conference, kicks off this week in Montréal and Rackspace will be there in full force. Python use at Rackspace is huge, from our work on OpenStack to many other products, both internal and external, so it makes perfect sense for us to support the conference at the Diamond level.
We'll have 13 sessions given by 10 speakers throughout the conference's tutorial and talk schedule, and our very own Van Lindberg, chairman of the Python Software Foundation, will deliver the chairman's address in a keynote slot on Sunday morning.
Be sure to stop by the Rackspace booth in the expo hall, and check out the tutorials and talks that we're giving throughout the conference!
The Internet is a dangerous place, filled with evildoers out to attack your code for fun or profit, so it's not enough to just ship your awesome new web app--you have to take the security of your application, your users, and your data seriously. You'll get into the mindset of the bad guys as we discuss, exploit, and mitigate the most common web app security flaws in a controlled environment.
Flask is a web framework for Python based on Werkzeug, Jinja 2 and good intentions. It is considered a micro-framework, but don't let the "micro" part fool you; Flask can do everything others can do, many times in a simpler, leaner way. In this tutorial session we will build a web application together. Bring your laptop and your questions!
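The two talks above (exploiting and mitigating common web app flaws, and building with Flask) meet in the following added example, which is not material from either tutorial. It puts the vulnerable form of two of the most common flaws next to the fix: SQL injection via string-formatted queries versus a parameterized query, and reflected XSS via unescaped output versus escaping on output. To run offline without Flask, it uses the standard library's sqlite3 and html modules; the users table, the credentials in it and the payload strings are constructed for the example. Jinja2, which Flask renders templates with, performs the same escaping as html.escape when autoescaping is on.

```python
import html
import sqlite3


def make_db():
    """Constructed sample data: a tiny in-memory users table (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def lookup_user_vulnerable(conn, username):
    """The flaw: user input is spliced into the SQL text, so the attacker
    controls the structure of the query, not just a value in it."""
    query = "SELECT username, role FROM users WHERE username = '%s'" % username
    return conn.execute(query).fetchall()


def lookup_user_safe(conn, username):
    """The fix: a parameterized query. The driver passes the value separately
    from the SQL text, so quotes and keywords inside it are just data."""
    query = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def render_greeting_vulnerable(username):
    """Reflected XSS: attacker-controlled text lands in the HTML unescaped."""
    return "<p>Hello, %s</p>" % username


def render_greeting_safe(username):
    """Escape on output so any markup in the input renders as literal text."""
    return "<p>Hello, %s</p>" % html.escape(username, quote=True)


# Constructed attack inputs for the demonstration.
PAYLOAD_SQLI = "' OR '1'='1"
PAYLOAD_XSS = "<script>alert(1)</script>"


def demo():
    """Run both payloads against the vulnerable and hardened versions."""
    conn = make_db()
    return {
        # The tautology turns "WHERE username = ''" into "... OR '1'='1'",
        # so the vulnerable query returns every row in the table.
        "vuln_rows": len(lookup_user_vulnerable(conn, PAYLOAD_SQLI)),
        # The same string is compared as a literal username: no match.
        "safe_rows": len(lookup_user_safe(conn, PAYLOAD_SQLI)),
        "vuln_html": render_greeting_vulnerable(PAYLOAD_XSS),
        "safe_html": render_greeting_safe(PAYLOAD_XSS),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=>", value)
```

The same two lessons carry over to any framework: never build query text from user input, and escape at the point where untrusted data meets HTML.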
Beginning programmers: welcome to PyCon! Jumpstart your Python and programming careers with this 3-hour interactive tutorial. By the end, you'll have hands-on exposure to many core programming concepts, be able to write useful Python programs, and have a roadmap for continuing to learn and practice programming in Python. This class assumes no prior programming experience.
IPython and Jupyter provide tools for interactive and parallel computing that are widely used in scientific computing, but can benefit any Python developer. We will show how to use IPython in different ways, as: an interactive shell, a graphical console, a network-aware VM in GUIs, a web-based notebook with code, graphics and rich HTML, and a high-level framework for parallel computing.
The cryptographic world doesn't lend itself to the typical developer flow of learning while doing. Add that to the massive amount of bad or outdated information on the web and many developers are lost or worse, build insecure systems. This tutorial will introduce developers to modern cryptography with an eye towards practical scenarios around password management, encryption and key management.
This tutorial will walk the attendees through development of a simple game using Kivy with time left over for some experimentation and exploration of different types of games.
Come learn how cloudpipe works, how to use it, and how to hack on it as a contributor.
A very brief introduction to the theory and practice of distributed systems.
Writing a fully compliant REST API is hard, so hard that it is all too common for APIs to violate one or more of the REST architectural principles. In this talk I will describe the six REST principles, and I will tell you what happens if you don't follow them.
As more of the world is controlled by software, software developers have an increasing obligation to serve that world well. Yet, we don't yet have a sense of what makes a good ethical standard. The fast pace, success, and youth (in both historical and demographic terms) of our industry have given us the sense that such a standard might not be required. This talk will correct that misconception.
A brief and opinionated view of testing applications and libraries that use requests by a core-developer of requests. You will receive an overview of testing with responses, vcr, httpretty, mock, and betamax.
Working with weak references should not just be for Python wizards. Whether you are building a cache, memoizing a function, tracking objects, or handling other bookkeeping needs, you definitely do not want code leaking memory or resources. In this talk, we will look at illuminating examples drawn from a variety of sources on how to use weak references to prevent such bugs.
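The following added example (not from the talk) shows the leak the talk describes and how weak references close it: a plain dict used as a cache keeps every cached object alive for as long as the cache exists, while weakref.WeakValueDictionary and weakref.WeakKeyDictionary let entries disappear together with the objects they refer to. The Connection class and the fingerprint function are stand-ins constructed for the example.

```python
import gc
import weakref


class Connection:
    """Stand-in for an expensive object (a DB handle, a parsed document)
    that callers create and drop; constructed for this example."""

    def __init__(self, name):
        self.name = name


def strong_cache_demo():
    """A plain dict keeps the value alive: dropping the caller's last
    reference frees nothing, so the cache itself is the leak."""
    cache = {}
    conn = Connection("db-1")
    cache["db-1"] = conn
    del conn
    gc.collect()
    return len(cache)  # still 1


def weak_cache_demo():
    """WeakValueDictionary holds values weakly: once the last strong
    reference goes away the entry vanishes on its own."""
    cache = weakref.WeakValueDictionary()
    conn = Connection("db-1")
    cache["db-1"] = conn
    before = len(cache)  # 1 while conn is alive
    del conn
    gc.collect()
    return before, len(cache)  # (1, 0)


def memoize_per_object(func):
    """Memoize a one-argument function per object without extending the
    object's lifetime; results disappear when their key object does."""
    results = weakref.WeakKeyDictionary()

    def wrapper(obj):
        if obj not in results:
            results[obj] = func(obj)
        return results[obj]

    wrapper.cache = results
    return wrapper


CALLS = []  # records each real computation so the memoization is observable


@memoize_per_object
def fingerprint(conn):
    """Pretend this is expensive: derive a fingerprint from the connection."""
    CALLS.append(conn.name)
    return "fp:" + conn.name


if __name__ == "__main__":
    print("strong cache entries after del:", strong_cache_demo())
    print("weak cache entries (before, after del):", weak_cache_demo())
    c = Connection("x")
    print(fingerprint(c), fingerprint(c), "computed", len(CALLS), "time(s)")
    del c
    gc.collect()
    print("memo entries after del:", len(fingerprint.cache))
```

The gc.collect() calls are only there to make the behaviour explicit; with CPython's reference counting the entries are already gone as soon as the last reference is dropped. Keys in a WeakKeyDictionary must be weak-referenceable and hashable, which ordinary class instances are but built-ins such as int and str are not.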
Gumshoes, the rogue program san_diego.py is threatening to cause havoc! What is it doing to hide itself? What kind of things is it doing? Who might it be communicating with? RAM is a big place - how can we even find it, much less any of this information? Stay tuned and find out!
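As an added example (not material from the talk), here is the simplest form of the "how can we even find it" step: carving a memory image for artifacts. It pulls out printable strings with their byte offsets, narrows dotted quads down to syntactically valid IPv4 addresses so that the rogue program's peers stand out, and locates every occurrence of a known artifact such as the script name. The image bytes, the address and the embedded command are constructed for the example; a real investigation would run this kind of scan over a full memory dump and pivot from the offsets into process and network structures.

```python
import re

# Constructed stand-in for a slice of a memory image: an ELF header
# fragment, a command line, binary filler, a connect string and a decoy
# that looks like an address but is not one. Not data from the talk.
SAMPLE_IMAGE = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 12
    + b"python san_diego.py\x00"
    + b"\xde\xad\xbe\xef" * 4
    + b"connect 203.0.113.42:4444\x00" + b"\x00" * 6
    + b"999.1.1.1\x00" + b"\x00" * 6
)

# Dotted quad not glued to other digits or dots on either side.
IPV4_CANDIDATE = re.compile(rb"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def carve_strings(image, min_len=4):
    """Like strings(1): every run of printable ASCII of min_len or more,
    paired with its offset so you can pivot back into the image."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(image)]


def carve_ipv4(image):
    """Dotted quads whose octets are all 0-255 with their offsets; the
    regex alone would also accept decoys such as 999.1.1.1."""
    hits = []
    for m in IPV4_CANDIDATE.finditer(image):
        if all(int(octet) <= 255 for octet in m.group(1).split(b".")):
            hits.append((m.start(1), m.group(1).decode("ascii")))
    return hits


def find_marker(image, marker):
    """Every offset at which a known artifact (file name, command) occurs,
    including overlapping occurrences."""
    offsets, start = [], 0
    while True:
        i = image.find(marker, start)
        if i < 0:
            return offsets
        offsets.append(i)
        start = i + 1


if __name__ == "__main__":
    for offset, text in carve_strings(SAMPLE_IMAGE):
        print("0x%06x  %s" % (offset, text))
    print("ipv4:", carve_ipv4(SAMPLE_IMAGE))
    print("san_diego.py at:", find_marker(SAMPLE_IMAGE, b"san_diego.py"))
```

Offsets matter more than the strings themselves: they are what let you associate a hit with the page, process or heap region it came from in the next stage of the analysis.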
So how did we get to Jython 2.7 anyway? And what are our future plans? In this talk, you will get a taste of how Jython works, some new functionality, and especially how Jython leverages both Python and Java to provide a very compatible solution.
If you can't make any of these talk sessions, they'll be recorded and made available online shortly after the conference concludes. We'll have a second post to share them once they're all online!
As a PhD student at UC Berkeley, my duties involve some amount of teaching; so, this semester (Spring 2015), as well as last spring, I have been a teaching assistant for a class taught by my advisor, Tom Griffiths. The class, called Computational Models of Cognition (COGSCI 131), aims to introduce students to computational models of human behavior. The problem sets are a mixture of simple programming assignments—usually requiring students to implement pieces of different models—and written answers, in which students report and interpret the results of their code.
In the past, the problem sets were written in MATLAB. This year, however, we decided to make the switch to Python. In particular, we decided that the IPython/Jupyter notebook would be an ideal format for the assignments. The notebook is a cross-platform, browser-based application that seamlessly interleaves code, text, and images. With the notebook, it is possible for us to write instructions in the notebook, include a coding exercise after the instructions, and then ask for their interpretation of the results immediately after that. For an example of what the notebook looks like, you can check out try.jupyter.org for a demo.
ClojureBridge aims to increase diversity within the Clojure community by offering free, beginner-friendly Clojure programming workshops for women. On March 13-14, 2015 we held a ClojureBridge event at the Rackspace office in Austin, TX. It was put on by an amazing group of organizers to foster the adoption of Clojure by women in technology.
MongoDB Inc just released what is arguably the most important change to the MongoDB database in its short history.
MongoDB version 3.0
MongoDB 3.0 brings with it a wealth of new features, but most notably a new pluggable storage engine API. We wanted to help customers get familiar with the new storage engine and features quickly and easily.
Because of the new pluggable storage engine API, MongoDB 3.0 promises a massive leap forward in functionality, usability and features. Developers, DevOps Engineers and DBAs should start getting acquainted with MongoDB 3.0. In particular:
Full Release Notes
From a community standpoint, the more people using 3.0 and filing bug reports the better. We wanted a quick and easy way for folks to experiment. We needed tooling. A couple of attributes of the tooling we thought were really important are:
We created an Ansible playbook that installs and configures a simple MongoDB 3.0 configuration. It takes just a few minutes to set up and is completely customizable.
Installation is 4 simple steps:
Complete and up-to-date installation and configuration instructions.
In a nutshell:
For this, you need to have git and Ansible installed. Installation is pretty easy. For most systems you simply need to:
# CentOS/RHEL
# Ansible
sudo yum install ansible
# git
sudo yum install git
Simply clone the repo to the box where you installed Ansible:
git clone https://github.com/rackerlabs/ansible-mongodb.git
We need to tell Ansible which host(s) to install MongoDB on, make sure the configuration for those host(s) is correct, and set any startup parameters we want. When inspecting the defaults, pay particular attention to anything that controls which network interface mongod will listen on and whether authentication is required; those are the settings you least want to discover were wrong after the host is provisioned.
# the following files live inside the cloned ansible-mongodb directory
# edit hosts file, and change <MYIP> to the ip address of the host to provision
vi hosts.txt
# install the required roles
./mongodb_roles.sh
# alter the default config (or at least inspect it for being correct)
vi roles/ansible-roles_mongodb-install/defaults/main.yml
Simply launch the helper shell scripts:
cd ansible-mongodb
./setup-mongodb.sh
For a fully managed solution with replica sets and sharding, hit up firstname.lastname@example.org and the support folks will install and configure a MongoDB 3.0 instance in the ObjectRocket fully managed environment.