[01:45] brycec: i live in california and don't know spanish [01:46] i'm learning german... (not very useful in cali, i suppose, but i like the language) [01:54] i want to learn spanish [01:54] but no-one around here speaks spanish [03:40] I used Duolingo to learn a bit of Spanish in the run up to a trip through Argentina last year. It wasn't too hard to get up to the level of being able to order food in a restaurant without looking like a complete idiot. [03:41] The confusing bit was flying through Brazil to get there. Are they talking Spanish to me and I am jetlagged and don't understand them, or was that Portugese? [03:59] *** tabthorpe has quit IRC (Ping timeout: 255 seconds) [04:32] mercutio: well, *nobody* speaks german around here, but with a little resourcefulness i found that wasn't a problem. ant and i chat in #arpnetworks-de; with skype / whatsapp / etc... i also chat daily with germans/austrians/swiss [04:34] *** qbit has quit IRC (Ping timeout: 252 seconds) [04:35] yeah chatting daily is the closest to immersion you can get without actually living somewhere german speaking [05:00] *** BryceBot has quit IRC (Ping timeout: 245 seconds) [05:01] *** brycec has quit IRC (Ping timeout: 255 seconds) [05:15] mercutio: yeah [05:32] *** tooth has quit IRC (Remote host closed the connection) [05:36] up_the_irons: one of my VMs just spontaneously rebooted. Thoughts? The one on kvr12 (or whatever the higher kvr is). [05:37] Dirty disk on reboot, so it would seem the host rebooted it [05:37] would have been venom patch [05:40] mhoran: we're rebooting hosts to patch venom [05:48] hmm it doesn't get acpi shutdown notification? [05:51] Kvr10 actually. Cool. It did not shut down cleanly, it seems. [05:51] kvr15 doesn't seem to have rebooted [05:51] Well as long as I didn't get hacked, hooray [05:55] *** qbit has joined #arpnetworks [05:55] *** qbit is now known as Guest82907 [05:55] *** Guest82907 is now known as qbit [06:02] mah vps was rebooted [06:02] qbit: venom patch [06:02] ah [06:03] makes sense.. but i wish there had been a notification or something :D [06:03] there was something on twitter [06:04] but yeah no email strangely [06:04] up_the_irons: you didn't mail everyone? [06:23] * mhoran didn't get an email [06:24] this time around, i did not email everyone. i really wanted to focus on actually patching things asap. I put it on Twitter though (i know it's not the best way to announce, but something...) [06:24] And I don't twitter. [06:24] sorry [06:32] No worries just wanted to know what happened. [06:32] I was worried because we did maintenance of our own last night [06:32] And if course I woke up to see it was down. [06:51] * RandalSchwartz yawns [06:56] *** BryceBot has joined #arpnetworks [06:58] *** brycec has joined #arpnetworks [07:01] *** tooth has joined #arpnetworks [07:02] * brycec grumbles about necessary reboots that happen while he was sleeping leaving his VPS offline until he awoke and enter the luks passphrase [07:08] Oh... that would also explain one of my client's hosts downtime this morning. [07:09] luckily, I don't have my phone on anything but vibrate. :) [07:09] twss [07:09] Okay! twss! 'luckily, I don't have my phone on anything but vibrate. :)' [07:09] or I would have been notified of pagerduty pings. :) [07:10] I'm still wondering why my stonehenge.com box hasn't been rebooted. [10:26] so there were reboots last night then? [10:27] Yes, but not on all hosts [10:27] Yea.. Just the hosts my clients are on.. YAY :) [10:27] haha [10:27] my personal host but not my company's VPS (and naturally our dedicated box is unaffected yay) [10:28] up_the_irons are the rest of the hosts going to need a reboot as well? (assuming so) [11:00] *** BryceBot has quit IRC (Quit: Standby for reinitialization...) [11:00] *** brycec has quit IRC (Quit: Cheerio, mates.) [11:11] my landlord is finally installing fiber to each apartment in my building [11:25] *** BryceBot has joined #arpnetworks [11:26] *** brycec has joined #arpnetworks [11:32] I wish I could suspend my vm let up_the_irons reboot the host and resume. So many tmux windows [11:36] with CRIU, you could. :) [12:21] Next time it might be good to inform this channel of a system reboot. Though I don't know: maybe more customers use Twitter than IRC these days. [12:27] mnathani_: I feel your "pane" *rimshot* [12:27] I dumped my tmux servier-info so I have a snap of what I had arranged at least [12:27] *** KILLALLHUMANS01 has joined #arpnetworks [12:28] (and my ps to be sure I restarted everything I had running by hand) [12:29] And now I'm taking the opportunity to grow my disk (been running on my original 10GB partition table forever even though I upgraded to a 40GB disk) and upgrade to Jessie. [12:42] mike-burns: I wish he would e-mail. That's the way I'd expect news like that to come from him. [13:10] Yea, that's how it should be delivered. [13:10] I had to find out there was issues from clients [13:10] I suppose it's nice and considerate that ARP almost *never* emails... but maybe that needs to change slightly [13:29] *** BryceBot has quit IRC (Quit: Standby for reinitialization...) [13:29] *** brycec has quit IRC (Quit: Cheerio, mates.) [13:42] *** BryceBot has joined #arpnetworks [13:45] *** brycec has joined #arpnetworks [14:09] I have a fresh install of arch in virtualbox [14:09] what is the precise order of things that need to install in order to have a functioning xorg server where startx launches plasma (kde) [14:09] the last couple of times I tried I failed [14:10] RandalSchwartz: whats CRIU? [14:10] @google criu [14:10] (Sorry, BryceBot is offline for the moment) [14:10] his BNC is here though [14:10] :) [14:10] Yep (ZNC) [14:12] Just upgraded to ZNC 1.4 and excited to play with its new features too (notably support for networks-under-users) [14:12] (rather than one user=network as it has been in the past) [14:14] Google API failure :( [14:15] And now the wonders of running BryceBot behind a bouncer - it can catch up [14:15] (sadly it can also fail [14:16] "PHP message: cURL_error: Protocol "https" not supported or disabled in libcurl" [14:16] the fun of upgrades :D [14:31] brycec: lol on the use of pane / pun I am just re-reading [14:31] :) [14:36] Our PCI-compliance scan requires that I now disable even TLSv1.0 [14:36] they made us remove SSLv2 and v3 two months ago [14:37] problem is... apache22 freebsd port compiled against the system openssl... [14:37] those are the only three protocols it knows! [14:37] oops [14:37] so now I have to recompile everything against the openssl port instead :) [14:38] criu http://twit.tv/show/floss-weekly/334 [14:38] thanks RandalSchwart [14:39] RandalSchwartz: is that freebsd 8? [14:40] no... now 9 [14:40] we moved off 8 for all the machines in his cluster [14:41] I still have to do stonehenge, but I'm more confident that it's gonna be straightforward [14:42] so even freebsd 9 doesn't support tls 1.1 ? [14:48] the core openssl is 1.0 [14:48] so no. [14:48] but the port openssl is 1.0.2 [14:48] so probably I should have switched to that already :) [14:48] OpenSSL 1.0.2a 19 Mar 2015 [14:48] i have 1.02a it sems [14:49] i wish versions would go in bigger jumps [14:49] i wonder if reebsd will shift to libressl [15:00] lol RandalSchwartz [15:02] Been there and dealt with that from the other side. We had to add a checkbox to our product to specifically enable TLS 1.0 for old/legacy browsers that don't support 1.1. (originally TLS 1.0 was enabled by default, but it triggered too many customers' PCI scans) [15:17] NoScript is kind of annoying tbh [15:20] the web is kind of annoying too :) [15:20] it has become so important to not communicate so much as to present information [15:21] and so you can't just view a whole lot of information nicely, but instead you have to put uup with animations, etc. [15:21] the ad thing has got way out of hand too [15:21] i don't get why [15:22] well i don't get why on tech sites. [15:46] is there any way to pre-populate a slight-variant poudriere so I don't have to always build all the packages from scratch? [15:46] hmm. maybe I should ask that in #freebsd [16:05] *** awyeah has quit IRC (Quit: ZNC - http://znc.in) [16:07] *** awyeah has joined #arpnetworks [18:01] mnathani_: i wish i could easily suspend them as well [18:04] pjs: mkb KILLALLHUMANS01 : I'm sorry guys for not sending an email. I rebooted hosts in haste; was kinda scared. I've never had so many people open tickets about a vulnerability, asking, "When are you gonna patch yo' shit?" [18:05] some sites were advising people to ask their host about when it was being patched. [18:07] http://www.nbcnews.com/tech/security/venom-new-security-bug-scary-it-sounds-n359836 [18:07] i mean people are going around saying it's worse than heartbleed [18:08] http://www.zdnet.com/article/venom-security-flaw-millions-of-virtual-machines-datacenters/ [18:08] like zdnet is saying it's bigger than heartbleed [18:09] lol up_the_irons sorry for adding to that pile. [18:09] (KILLALLHUMANS01 = brycec) [18:10] oh zdnet have upgraded, potentially exploitable to "can break out of virtual machine" [18:11] s/".*/"literal description of what the vulnerability is" [18:11] oh zdnet have upgraded, potentially exploitable to "literal description of what the vulnerability is" [18:11] can you actually break out of the virtual machien? [18:11] " That can allow a hacker to break out of their own virtual machine to access other machines -- including those owned by other people or companies." [18:12] That's what it is, yeah. Allows you access to host memory (well, that which is available to the qemu process running on the host0 [18:12] i thought it was just an overrun [18:13] that doesn't necessarily mean it's exploitable [18:14] It's considered exploitable until proven otherwise [18:14] because it's *potentially* exploitable [18:14] i prefer to keep it at potentially exploitable, until known exploitable. [18:14] it's hard to prove something isn't exploitable. [18:14] Once you have access to memory at random, you can theoretically do whatever [18:15] how much memory do you get access ot? [18:15] to? [18:15] I don't know for sure, would have to look at the source to be sure, but could be quite a bit, probably at least 64kb [18:16] The host's best defense would be ASLR at least [18:16] up_the_irons: Did you see this http://www.venomfix.com/ supposedly a way to patch without rebooting. [18:17] (It's a save/restore state deal)_ [18:17] brycec: np [18:17] brycec: tnx [18:18] the thing about venom is, it is good marketing. it's called VENOM. we've seen vulnerabilities a handful of times where someone could "break out" of a guest. Why is everyone freaking out over VENOM? On Ubuntu, they are still confined to the AppArmor profile, which is pretty restrictive. [18:18] I'm just happy it works as a backronym and isn't a completely silly name [18:18] haha [18:19] sounds like an 80s villian [18:19] villain [18:19] probably because there have been a handful of villains named "venom" [18:19] ARPNetworks: Now 100% VENOM-free! [18:19] My favourite is Spiderman's Venom [18:20] brycec: thanks for the rebootless patch info. I would almost use it, but i think there may even be other kernel patches that _should_ probably go in with the venom fix. and since everyone else is experiencing downtime and reboots at this point (like, at other providers), seems like a good time to bounce everything. [18:21] heh np - just passing it along off the venom website [18:21] http://img.phluxbox.com/screenshots/sher2E.png [18:28] mercutio: a cursory glance of the source looks like it could allow access to 2,147,483,647 (INT_MAX) [18:30] mercutio: you can see that fdctrl->fifo[] is addressed by an int (presumably 32-bit, could be larger, prior to the patch) https://github.com/qemu/qemu/commit/e907746266721f305d67bc0718795fedee2e824c#diff-516dcbd6a7e99f71c8340895ff28816bL2007 [18:30] Github Commit: "fdc: force the fifo access to be in bounds of the allocated buffer by Petr Matousek" [18:35] phlux: LOL [18:35] well, guys, i'm not done YET [18:35] still got a lot of hosts to go... [18:36] like kvr18 [18:38] so I think VirtualBox > qemu as far as running X goes [18:38] also, up_the_irons: do you like Megadeth? [18:39] I know that my server hasn't been rebooted yet [18:39] I presume you're gonna eventually reboot every one [18:40] RandalSchwartz: i think your VM is on an old host (the bad: it's old, the good: no new VMs get provisioned there, so over time you get more of the machine to yourself ;) [18:40] (the bad: You don't actually get control of the host still, or more RAM/HDD provisioned :P) [18:41] lol "pfSense® VMware® Ready Virtual Firewall Appliance" [18:41] RandalSchwartz: those hosts will probably not be patched at this time, instead they'll be upgraded fully to Ubuntu 14.04. Upgrades like this generally have a 1.5 hour maintenance window (downtime). [18:41] up_the_irons++ [18:41] * brycec thinks VMWare-certified appliances is sorta silly for most things [18:43] yeah [18:44] well - other than chris0 going silent, none of neil's hosts have been reset either. [18:44] So I presume more things will happen soon [18:44] wait - prior to patching, I *can* get full control of the host! [18:45] * RandalSchwartz downloads Venom RootKit {grin} [18:45] lol RandalSchwartz no you only get access to as much as the qemu process has access to, which isn't much because it's walled [18:45] uh oh [18:45] rip arpnetworks [18:46] RandalSchwartz is going to take over the host and destroy the business [18:46] nice knowing you all [18:47] heh [18:55] phlux: LOL [19:04] randal is going to take over the hosts and replace all the linux with freebsd. [19:05] replace all the guests linux that is [19:06] "we've secretly replaced this client's linux with an actual unix distro..." [19:06] "let's see if he notices..." [19:06] mercutio: lol [19:06] "wait... what... where are my 45 options for ls?" [19:06] haha [19:06] gnu ls comes with freebsd doesn't it? [19:06] it can be installed [19:07] oh [19:07] the default ls is the *real* ls [19:07] it comes with solaris [19:07] ahh cool [19:07] lolol RandalSchwartz [19:07] not the gnu monstrosity [19:07] yeah i'm pretty anti gnu [19:07] and in the latest freebsd, gcc is now no longer the default [19:07] yeah that's cool [19:07] or so I'm led to believe [19:07] I wonder if you could get away with replacing bash with another bourne shell, if "anyone" would notice... [19:07] clang is on par with gcc for performance in my basic experiments [19:07] yeah [19:07] and it has nicer error messages. [19:08] clang that's it [19:08] Much nicer :) [19:08] ooh and way faster compiles. [19:08] less memory uusage when compiling too [19:08] is it compatible? [19:08] can I introduce it incrementally? [19:08] brycec: ksh! [19:08] I think that might be a bit too different from bash... who knows [19:09] i think it's easy to notice shell replacements cos tehy all act slightly different [19:09] i've got this long standing issue with bash ... it seems to somehow randomly lose history lines [19:09] so you upress up arrow and it's not there! [19:09] err it seems to be when i cut and paste things in usually [19:10] How odd. I can see that happening with separate bash shells because they handle history files "weird" (one usually prepends its entire active history to the other). But in the same shell instance, not a clue [19:10] this is with a single [19:10] i'm always remote logged in [19:10] i never use bash locally :) [19:11] but i've had it happen on more than one different system [19:11] * brycec uses zsh in 9/10 of where he logs in [19:11] (okay that's closer to 8/10 I think) [19:11] but yeah there is the multi shell history thing that makes me want to use zsh too [19:11] It's really handy [19:11] up-arrow and complete for a command I just ran in a different window [19:12] I don't chsh, but I do set tmux default shell to zsh [19:12] (well I ^R more) [19:12] i chsh [19:12] that way, if zsh ever breaks, I can still ssh and fix things [19:12] even on openbsd root shell [19:12] wow... trusting [19:12] :O [19:12] and then i find that all packages stop working with update :) [19:12] Yeah no kidding. [19:12] root's shell is *always* something from base (as in, always ksh) [19:12] that bit me with the reinstall all packages openbsd thing [19:13] * brycec points, laughs [19:13] yeah [19:14] it wasn't too bad to fix [19:21] http://paste.ee/p/KPlaq#385gqSTRyEF59W1HJlGFS16tTxnR627h interesting route selection there (VIBE Communications lg) [19:22] god that's long [19:22] what's interesting about it? [19:22] god that's long [19:22] twss [19:22] Okay! twss! 'god that's long' [19:23] mercutio: its picking the route via Portlane instead of the ARP Networks one [19:23] 45177 45177 45177 45177 42708 6.733 i [19:23] that's what i see through vibe [19:23] becuase i have upstream with vibe [19:23] but it's picking 17746 4610 4826 25795 6.733 i [19:23] vibe are on any2ix though [19:24] * staticsafe nods [19:24] and the slightly shorter route is hitting any2ix [19:24] i see the community tags for any2ix [19:24] i thought it was taking a different path before [19:24] i mean the any2ix path [19:25] 202.49.71.24 is an ip that should come back via any2ix/vibe [19:26] static: what made you check vibe for lg? [19:26] i've been checking LGs all over the place to see how routes are [19:26] ahh [19:27] oh vibe is screwy [19:27] they're on linx [19:27] been troubleshooting a v6 routing issue with Portlane atm, it dies inside their network for some reason [19:27] and they don't seem to add hops for it [19:27] but it looks like they're peering directly with portlane, or linx doesn't add their asn in [19:28] they're also peering directly with arp though.. [19:28] is portlane... portland++ :) [19:29] BGP Peers Observed (v4): 1,080 - portlane peers with a lot of folks [19:29] portlane is some sweden provider i think [19:29] (lol RandalSchwartz ) [19:29] RandalSchwartz: heh, wrong side of the world [19:29] yeah its a Swedish company [19:29] Same as C++ != D [19:29] perl -le '$x = "portland"; $x++; print $x' [19:29] heh [19:30] @py "portland" + 1 [19:30] TypeError: cannot concatenate 'str' and 'int' objects [19:30] bah [19:30] python is so weak [19:30] BryceBot: WHO CARES ABOUT PROPER LANGUAGE GRAMMAR [19:31] or sigils... think of the sigils! [19:34] ... http://en.wikipedia.org/wiki/Sigil_(computer_programming) [19:34] Sigil (computer programming) :: In computer programming, a sigil (/ˈsɪdʒəl/ or /ˈsɪɡəl/; plural sigilia or sigils) is a symbol attached to a variable name, showing the variable's datatype or scope, usually a prefix, as in $foo, where $ is the sigil. Sigil, from the Latin sigillum, meaning a "little sign", means a sign or image supposedly having magical power. In 1999 Philip Gwyn adopted the term "to mean the funny character at the front [19:34] mercutio: Portlane's promoscuous peering seems to result in some interesting routes [19:35] portlane's promiscuious peering... PPP! [19:35] hah [19:37] BryceBot: time in Sweden [19:37] aw [19:38] @wa time in sweden [19:38] current time in Sweden;4:36:43 am CEST -> Saturday, May 16, 2015;Stockholm, Sweden, , 4:36:43 am CEST, Saturday, May 16;2:36:43 am GMT -> Saturday May 16, 2015 [19:38] ahh [19:38] protip: You can't just invent syntax. [19:38] @protip [19:38] Protip #4: Packup a 40GB ISO of data, then have up_the_irons attach that to your VPS. Voila, free read-only storage! [19:38] lololol [19:39] @wa where am i [19:40] current geoIP location;IPv4 address->107.178.195.232, IPv6->::ffff:6bb2:c3e8, (as seen by Wolfram|Alpha) [19:40] what address is that? :) [19:40] Google [19:40] The WA API endpoint logic runs on a Google Cloud thinger [19:40] @wa next solar eclipse visible from north america [19:40] Error fetching URI. [19:41] oops :) [19:41] (That's the exact error back from said WA API thinger) [19:41] @wa 300 USD to MXN [19:41] Error fetching URI. [19:41] oops [19:41] (If I were in control, it would be a much more useful API) [19:41] rate-limit? [19:41] @exch 300 USD MXN [19:41] 300 USD -> 4506.933 MXN (as of Fri, 15 May 2015 19:01:08 -0700) [19:41] ^ different API at least [19:41] oooh. that was 4666 two weeks ago [19:41] highest I've ever seen it [19:42] @exch 300 USD MXN 2015-05-01 [19:42] 300 USD -> 4651.335 MXN (as of Fri, 01 May 2015 16:00:00 -0700) [19:42] I should have gone long [19:43] * mkb wonders when he's going to get rebooted [19:44] I wonder what $1 in Prussian Franks is now [19:45] I have some venezuelan money from before the re-evaluation [19:45] something like a 20,000 note [19:45] which was about $10 or so [19:48] ... The government announced on 7 March 2007 that the bolívar would be revalued at a ratio of 1 to 1000 on 1 January 2008 [19:48] so these were from before 2008 [19:49] @exch 1 USD VEF [19:49] 1 USD -> 6.318536 VEF (as of Fri, 15 May 2015 19:01:08 -0700) [19:49] @exch 1 USD VEF 2000-01-01 [19:49] RandalSchwartz, I didn't recognize 'VEF'. [19:49] oops [19:50] Yeah I think BryceBot only recognizes current currencies [19:50] or dates [19:50] or something [19:50] @exch 1 USD MXP 1990-01-01 [19:50] I'm sorry, I couldn't fetch the data: historical/1990-01-01 [19:50] ahh [20:22] @twitter -r 599413951554723840 [20:22] brycec: Successfully retweeted __briancallahan (599414076582670337): Just submitted a #vBSDcon 2015 talk proposal with @brycied00d (Sat May 16 03:19:57 +0000 2015, retweeted 2 times) [20:28] staticsafe: apparently vibe use community 30301 to mark linx traffic, and that's why i had so many prepends [20:29] so yeah they're not repeating their own asn in the path.. [20:29] the whole thing about dealing with bgp communities to get good paths is kind of annoying. [20:29] it means you end up having to special case stuff, but at least when you know that linx is "ages away" and can prepend it's not so bad. [20:31] well assume you have multiple paths [21:21] * mercutio got email from arp :) [21:21] up_the_irons: got the email regarding reboots. Much appreciated [21:22] * brycec did not, feels un-special [21:22] it'd be nice if it knew who was on what host [21:22] oh maybe it does know [21:22] or brycec has laggy email [21:22] (then again it's probably only for those to be affected0 [21:22] it says "if" you have host on one of four machines [21:22] brycec: lol on that 40gb free read-only storage [21:22] 9, 14, 15, 16 [21:22] i'm on 15 [21:22] as long as the iso is a wget'able URL [21:23] Don't think that was "my" protip but thanks mnathani_ [21:23] I actually got 2 emails [21:23] i only got one [21:23] one for my vps another for my customers vps [21:23] oh right [21:27] Hm no reboot for 18 then? [21:27] I wonder if 18 is one of those "older" hosts [21:27] maybe not yet [21:27] or maye it's been [21:27] or maybe it's older [21:27] ok :) [21:28] 18 hasn't been rebooted yet. "12:26AM up 3 days, 12:15, 0 users, load averages: 1.19, 1.06, 1.00" [21:28] i'm surprised it's happening so late [21:28] late in what respect? [21:28] 5:30 am or something isn't it [21:29] 5 to 5:30 [21:29] currently 9:30pm in ARP Daylight Time [21:29] (well 21:27) [21:29] yeah i know [21:29] Oh up_the_irons specified 5am? [21:29] yes [21:30] (Not receiving the email, I don't know what was said :p) [21:30] i mean why 5 am and not 3 am? [21:30] so i dunno if there's another window for other hosts. [21:30] Because that's when up_the_irons is up? [21:30] heh [21:30] he's up at 3 too then :) [21:30] He rebooted this vm's host around 6am [21:30] yeah [21:31] it's hard to know what a good time is really [21:32] so 6 am PST is 9 am on eastern time? [21:32] yes [21:33] is 1pm GMT I believe [21:33] That's what she said!! [21:33] and it would have been friday [21:33] BryceBot: no [21:33] Oh, okay... I'm sorry. 'is 1pm GMT I believe' [21:33] so normally i'd say that earlier is probably better [21:33] for US centric [21:34] but tbh, to my mind it's better to be quick than get the time right :) [23:29] there's no PST right now [23:30] not until november [23:30] so mercutio... wrong. :) [23:31] technically there still *IS* PST, it's just not accurate :P [23:31] No... there's no place that is observing PST at all [23:31] This feels like a "if a tree falls in a forest" joke now [23:31] whatever. [23:31] timezones are important to me. [23:31] Sure, nobody is observing it. Doesn't stop it from existing. PST = GMT-8, always. [23:32] They are to me as well, and I didn't catch mercutio's slip and I feel bad :( [23:32] sure, but it doesn't actually exist for half the year [23:33] * brycec contends that it still exists, but nobody [should] care about it until November [23:33] * brycec goes back to upgrading OpenBSD boxes [23:46] brycec: i used pst as per the email [23:48] shame on up_the_irons then [23:49] well in the end it doesn't really matter. [23:49] do you call it PT as a standard [23:49] https://www.youtube.com/watch?v=aFwcBBmgOe0 ? [23:49] YouTube video: "Bohemian Rhapsody - Queen" by Carla Pax [23:49] is it EST for east coast? [23:49] mercutio: PST/PDT [23:49]