• 1C and Elastic Compute Service Alibaba Cloud

      If you know how to do something well, there is always an Asian who can do better
      (one of the most popular Internet memes).

      Aliexpress has already become a household name in the whole world. But Alibaba Group is not only the Internet mall, but also the number one cloud computing service in China. I ask those who are interested under the cut…

      Read more →
    • DoT for RPZ distribution

        Just a few months ago there were a lot of buzz because IETF in expedited time frame (about one year) accepted DNS over HTTPS (DoH) as a standard (RFC-8484). The discussions about that are still going on because of its controversy. My personal opinion is that DoH is good for personal privacy (if you know how to use it and trust your DNS provider) but it is a security risk for enterprises. DNS over TLS (DoT) is a better alternative for enterprise customers only because it uses a well-defined TCP port but for personal privacy it is not good because of the same reason (easy to block).
        Read more →
      • How to vendor a git into another git

          Discovering git vendor extension.


          Cross-post from my medium blog: https://medium.com/opsops/git-vendor-295db4bcec3a


          I would like to introduce the proper way to handle vendoring of git repositories.


          What is is ‘vendoring’?


          Vendoring is a way to integrate other’s work into your own. It’s the opposite of ‘linking’ against third-party library. Instead of having that library as a dependency, application uses this library as a part of own source code and keep that code ‘inside’ itself.


          Normally, vendoring is done by language tooling: bundler, cargo, pip, etc. But sometimes you need to vendor something not covered by any existing toolset, or something multi-language, that it’s impossible to find the ‘core’ language tool for that.


          The solution for this situation is vendoring on a git level. You have your own git repository (I call it ‘destination repo’), and you want to incorporate some other repository (I call it ‘source repo’) as a directory into your (destination repo).


          The things you expect from a well-designed vendoring system (regardless of Git it is or not):


          • Visibility. You want to know that some code is vendored, means it wasn’t written by committer.
          Read more →
        • Eliminating opportunities for traffic hijacking


            Beautiful scheme for BGP connection to Qrator filtering network

            A little historical overview


            • BGP hijacks — when an ISP originates an advertisement of address space that does not belong to it;
            • BGP route leaks — when an ISP advertises prefixes received from one provider or peer to another provider or peer.

            This week it has been 11 years since the memorable YouTube BGP incident, provoked by the global propagation of a more specific prefix announce, originated by the Pakistan Telecom, leading to an almost 2 hour in duration traffic disruption in the form of redirecting traffic from legitimate path to the bogus one. We could guess if that event was intentional, and even a correct answer wouldn’t help us completely prevent such incidents from happening today. While you read this, a route leak or a hijack is spreading over the networks. Why? Because BGP is not easy, and configuring a correct and secure setup is even harder (yet).

            In these eleven years, BGP hijacking became quite damaging attack vector due to the BGP emplacement in the architecture of modern internet. Thanks to BGP, routers not only acquire peer information, and therefore all the Internet routes — they are able of calculating the best path for traffic to its destination through many intermediate (transit) networks, each representing an individual AS. A single AS is just a group of IPv4 and/or IPv6 networks operating under a single external routing policy.
            Read more →
          • Pentesting Azure  — Thoughts on Security in Cloud Computing

              A few months ago I worked with a customer on how a team should evaluate the security of their Azure implementation. I had never done a pentest(extensive security testing)on an Azure application before, so these ideas were just the thoughts off of the top of my head at that time based on my experience in security.

              Matt Burrough’s book, Pentesting Azure Applications, goes even deeper and it is a must-read for security experts focused in Cloud Computing, I’m reading it right now.

              Below I share with you these pre-book thoughts, and will compare them in a future article with the ones I will learn — or confirm — after reading Matt's book.

              Read more →
            • You Do Not Need Blockchain: Eight Well-Known Use Cases And Why They Do Not Work

                image


                People are resorting to blockchain for all kinds of reasons these days. Ever since I started doing smart contract security audits in mid-2017, I’ve seen it all. A special category of cases is ‘blockchain use’ that seems logical and beneficial, but actually contains a problem that then spreads from one startup to another. I am going to give some examples of such problems and ineffective solutions so that you (developer/customer/investor) know what to do when somebody offers you to use blockchain this way.


                Disclaimers


                • The described use cases and problems occur at the initial stage. I am not saying these problems are impossible to solve. However, it is important to understand which solutions system creators offer for particular problems.
                • Even though the term ‘blockchain use’ looks strange and I am not sure that blockchain can be used for anything other than money (Bitcoin), I am going to use it without quotes.

                1. Supply chain management


                Let’s say you ordered some goods, and a carrier guarantees to maintain certain transportation conditions, such as keeping your goods cold. A proposed solution is to install a sensor in a truck that will monitor fridge temperature and regularly transmit the data to the blockchain. This way, you can make sure that the promised conditions are met along the entire route.

                Read more →
              • Choosing true wireless earbuds: 6 months later…

                • Translation


                Once I put on true wireless headphones and all the cables after that (even if it's a flexible headband on a “wireless” headset), became annoying. So I’ve tried a lot of AirPods-like earbuds in order to find the best ones. In 2018 aside from the AirPods themselves I tried: Jabra Elite 65+, Samsung IconX 2018 and Sony WF-1000X. The result was a neat table with all the objective data. Everything else — my personal opinion — let's discuss in the comments.
                Read more →
              • Introduce Static Analysis in the Process, Don't Just Search for Bugs with It

                  This article is an authorized translation of the original post. The translation was made with the kind help of the guys from PVS-Studio. Thank you, guys!

                  What encouraged me to write this article is considerable quantity of materials on static analysis, which recently has been increasingly coming up. Firstly, this is a blog of PVS-Studio, which actively promotes itself on Habr posting reviews of errors, found by their tool in open source projects. PVS-Studio has recently implemented Java support, and, of course, developers from IntelliJ IDEA, whose built-in analyzer is probably the most advanced for Java today, could not stay away.

                  When reading these reviews, I get a feeling that we are talking about a magic elixir: click the button, and here it is — the list of defects right in front of your eyes. It seems that as analyzers get more advanced, more and more bugs will be found, and products, scanned by these robots, will become better and better without any effort on our part.

                  Well, but there are no magic elixirs. I would like to talk about what is usually not spoken in posts like «here are things that our robot can find»: what analyzers are not able to do, what's their real part and place in the process of software delivery, and how to implement the analysis properly.


                  Ratchet (source: Wikipedia).
                  Read more →
                • Flightradar24 — how does it work?

                    I’m going to hazard a guess and say that everyone whose friends or family have ever flown on a plane, have used Flightradar24 — a free and convenient service for tracking flights in real time.



                    But, if my friends are any indication, very few people know that the service is community-driven and is supported by a group of enthusiasts gathering and sending data. Even fewer people know that anyone can join the project — including you.

                    Let’s see how Flightradar and similar other services works.
                    Read more →
                  • 6 Applications for the Industrial IoT

                      “Come on, baby, what’s wrong? Tell me what you need,” my uncle Nicholas was shredding up his old car’s engine, which totally refused to start. Being a schoolboy back then, I was absolutely sure that any exhortation my uncle voiced was powerless against a dumb ton of metal. Talking to a car was just a psychological trick that probably helped my uncle cope with exasperation. Moreover, neither me nor my uncle believed in a possibility to communicate with “dead metal” sometime in the near future. That was in the mid-1980s. When I reached the age of my uncle, the situation changed radically.
                      Read more →
                    • Building a Private Currency Service Using Exonum

                        Zero-knowledge proofs/arguments are an emerging cryptographic technology that promises to bring us closer to the Holy Grail of blockchain: providing data privacy and auditability.

                        Potential applications for zero-knowledge include, but are not limited to:


                        Another application for zero-knowledge proofs is helping blockchains scale. ZKPs allow for the “compressing” of computations for blockchain transactions without sacrificing security.

                        In this article, we describe how zero-knowledge (specifically, Bulletproofs) can be applied to build a privacy-focused service using Bitfury’s Exonum platform.

                        Read more →
                      • Internet Issues & Availability Report 2018–2019

                          image

                          While working on the annual report this year we have decided to avoid retelling the news headlines of the previous year and, though it is almost impossible to ignore memories absolutely, we want to share with you the result of a clear thought and a strategic view to the point where we all are going to arrive in the nearest time — the present.

                          Leaving introduction words behind, here are our key findings:

                          • Average DDoS attack duration dropped to 2.5 hours;
                          • During 2018, the capability appeared for attacks at hundreds of gigabits-per-second within a country or region, bringing us to the verge of “quantum theory of bandwidth relativity”;
                          • The frequency of DDoS attacks continues to grow;
                          • The continuing growth of HTTPS-enabled (SSL) attacks;
                          • PC is dead: most of the legitimate traffic today comes from smartphones, which is a challenge for DDoS actors today and would be the next challenge for DDoS mitigation companies;
                          • BGP finally became an attack vector, 2 years later than we expected;
                          • DNS manipulation has become the most damaging attack vector;
                          • Other new amplification vectors are possible, like memcached & CoAP;
                          • There are no more “safe industries” that are invulnerable to cyberattacks of any kind.

                          In this article we have tried to cherry-pick all the most interesting parts of our report, though if you would like read the full version in English, the PDF is available.
                          Read more →
                        • How to prevent targeted cyber attacks? 10 best network sandboxes



                            Targeted attacks are the most dangerous among the multitude of modern cyber threats. They are also known as ATP (an abbreviation which stands for Advanced Persistent Threat). Those are not viruses that can accidentally get into the computer due to user's carelessness. Neither it is an attempt to replace the address of a popular site in order to cheat billing information from credulous users. Targeted cyber attacks are prepared and thought out carefully and pose a particular threat.
                            Read more →
                          • Open Source developer's life in GIFs

                              Sberbank is the largest bank in Russia and Eastern Europe. Our team in Sbertech teaches Sberbank efficient work with Free & Open Source Software. You can read more about this on Habr (what we exactly do, yet in Russian).

                              One of the main challenges is to open the mind of managers and engineers for using FOSS (Free & Open Source Software) properly. Because we have a lot of them, we have tried to use GIFs for answer the most common questions.

                              image

                              Read more →
                            • Generic Methods in Rust: How Exonum Shifted from Iron to Actix-web

                                The Rust ecosystem is still growing. As a result, new libraries with improved functionality are frequently released into the developer community, while older libraries become obsolete. When we initially designed Exonum, we used the Iron web-framework. In this article, we describe how we ported the Exonum framework to actix-web using generic programming.

                                Read more →
                              • Understanding the POCSAG paging protocol

                                  Long time ago, when a mobile phone costed about 2000$ and one minute of voice call was 50 cents, pagers were really popular. Later cellular phones became cheaper, calls and SMS prices became lower, and finally pagers mostly disappeared.


                                  For people, who owned a pager before, and want to know how it works, this article will be useful.
                                  Read more →
                                • Checklist: what had to be done before deploying microservices to production

                                    This article contains a brief squeeze from my own experience and that of my colleagues, with whom I had been fighting incidents day and night. And many incidents would never have occurred if all these microservices that we love so much were written at least a little more carefully.


                                    Unfortunately, some programmers seriously believe that a Dockerfile with any team at all inside is a microservice in itself and can be deployed even now. Dockers are running — money are incoming. This approach turns into problems starting from performance degradation, inability to debug, service failures and ending in a nightmare called Data Inconsistency.


                                    If you feel that the time has come to launch one more app in Kubernetes / ECS / whatever, then I have something to object to.

                                    Read more →