brycec: i live in california and don't know spanish i'm learning german... (not very useful in cali, i suppose, but i like the language) i want to learn spanish but no-one around here speaks spanish I used Duolingo to learn a bit of Spanish in the run up to a trip through Argentina last year. It wasn't too hard to get up to the level of being able to order food in a restaurant without looking like a complete idiot. The confusing bit was flying through Brazil to get there. Are they talking Spanish to me and I am jetlagged and don't understand them, or was that Portuguese? mercutio: well, *nobody* speaks german around here, but with a little resourcefulness i found that wasn't a problem. ant and i chat in #arpnetworks-de; with skype / whatsapp / etc... i also chat daily with germans/austrians/swiss yeah chatting daily is the closest to immersion you can get without actually living somewhere german speaking mercutio: yeah up_the_irons: one of my VMs just spontaneously rebooted. Thoughts? The one on kvr12 (or whatever the higher kvr is). Dirty disk on reboot, so it would seem the host rebooted it would have been venom patch mhoran: we're rebooting hosts to patch venom hmm it doesn't get acpi shutdown notification? Kvr10 actually. Cool. It did not shut down cleanly, it seems. kvr15 doesn't seem to have rebooted Well as long as I didn't get hacked, hooray mah vps was rebooted qbit: venom patch ah makes sense.. but i wish there had been a notification or something :D there was something on twitter but yeah no email strangely up_the_irons: you didn't mail everyone? this time around, i did not email everyone. i really wanted to focus on actually patching things asap. I put it on Twitter though (i know it's not the best way to announce, but something...) And I don't twitter. sorry No worries just wanted to know what happened. I was worried because we did maintenance of our own last night And of course I woke up to see it was down. Oh...
that would also explain one of my client's hosts downtime this morning. luckily, I don't have my phone on anything but vibrate. :) twss Okay! twss! 'luckily, I don't have my phone on anything but vibrate. :)' or I would have been notified of pagerduty pings. :) I'm still wondering why my stonehenge.com box hasn't been rebooted. so there were reboots last night then? Yes, but not on all hosts Yea.. Just the hosts my clients are on.. YAY :) haha my personal host but not my company's VPS (and naturally our dedicated box is unaffected yay) up_the_irons are the rest of the hosts going to need a reboot as well? (assuming so) my landlord is finally installing fiber to each apartment in my building I wish I could suspend my vm let up_the_irons reboot the host and resume. So many tmux windows with CRIU, you could. :) Next time it might be good to inform this channel of a system reboot. Though I don't know: maybe more customers use Twitter than IRC these days. mnathani_: I feel your "pane" *rimshot* I dumped my tmux server-info so I have a snap of what I had arranged at least (and my ps to be sure I restarted everything I had running by hand) And now I'm taking the opportunity to grow my disk (been running on my original 10GB partition table forever even though I upgraded to a 40GB disk) and upgrade to Jessie. mike-burns: I wish he would e-mail. That's the way I'd expect news like that to come from him. Yea, that's how it should be delivered. I had to find out there were issues from clients I suppose it's nice and considerate that ARP almost *never* emails... but maybe that needs to change slightly I have a fresh install of arch in virtualbox what is the precise order of things that need to install in order to have a functioning xorg server where startx launches plasma (kde) the last couple of times I tried I failed RandalSchwartz: what's CRIU?
@google criu (Sorry, BryceBot is offline for the moment) his BNC is here though :) Yep (ZNC) Just upgraded to ZNC 1.4 and excited to play with its new features too (notably support for networks-under-users) (rather than one user=network as it has been in the past) Google API failure :( And now the wonders of running BryceBot behind a bouncer - it can catch up (sadly it can also fail "PHP message: cURL_error: Protocol "https" not supported or disabled in libcurl" the fun of upgrades :D brycec: lol on the use of pane / pun I am just re-reading :) Our PCI-compliance scan requires that I now disable even TLSv1.0 they made us remove SSLv2 and v3 two months ago problem is... apache22 freebsd port compiled against the system openssl... those are the only three protocols it knows! oops so now I have to recompile everything against the openssl port instead :) criu http://twit.tv/show/floss-weekly/334 thanks RandalSchwart RandalSchwartz: is that freebsd 8? no... now 9 we moved off 8 for all the machines in his cluster I still have to do stonehenge, but I'm more confident that it's gonna be straightforward so even freebsd 9 doesn't support tls 1.1 ? the core openssl is 1.0 so no. but the port openssl is 1.0.2 so probably I should have switched to that already :) OpenSSL 1.0.2a 19 Mar 2015 i have 1.02a it seems i wish versions would go in bigger jumps i wonder if freebsd will shift to libressl lol RandalSchwartz Been there and dealt with that from the other side. We had to add a checkbox to our product to specifically enable TLS 1.0 for old/legacy browsers that don't support 1.1. (originally TLS 1.0 was enabled by default, but it triggered too many customers' PCI scans) NoScript is kind of annoying tbh the web is kind of annoying too :) it has become so important to not communicate so much as to present information and so you can't just view a whole lot of information nicely, but instead you have to put up with animations, etc.
the ad thing has got way out of hand too i don't get why well i don't get why on tech sites. is there any way to pre-populate a slight-variant poudriere so I don't have to always build all the packages from scratch? hmm. maybe I should ask that in #freebsd mnathani_: i wish i could easily suspend them as well pjs: mkb KILLALLHUMANS01 : I'm sorry guys for not sending an email. I rebooted hosts in haste; was kinda scared. I've never had so many people open tickets about a vulnerability, asking, "When are you gonna patch yo' shit?" some sites were advising people to ask their host about when it was being patched. http://www.nbcnews.com/tech/security/venom-new-security-bug-scary-it-sounds-n359836 i mean people are going around saying it's worse than heartbleed http://www.zdnet.com/article/venom-security-flaw-millions-of-virtual-machines-datacenters/ like zdnet is saying it's bigger than heartbleed lol up_the_irons sorry for adding to that pile. (KILLALLHUMANS01 = brycec) oh zdnet have upgraded, potentially exploitable to "can break out of virtual machine" s/".*/"literal description of what the vulnerability is" oh zdnet have upgraded, potentially exploitable to "literal description of what the vulnerability is" can you actually break out of the virtual machine? " That can allow a hacker to break out of their own virtual machine to access other machines -- including those owned by other people or companies." That's what it is, yeah. Allows you access to host memory (well, that which is available to the qemu process running on the host) i thought it was just an overrun that doesn't necessarily mean it's exploitable It's considered exploitable until proven otherwise because it's *potentially* exploitable i prefer to keep it at potentially exploitable, until known exploitable. it's hard to prove something isn't exploitable. Once you have access to memory at random, you can theoretically do whatever how much memory do you get access ot? to?
I don't know for sure, would have to look at the source to be sure, but could be quite a bit, probably at least 64kb The host's best defense would be ASLR at least up_the_irons: Did you see this http://www.venomfix.com/ supposedly a way to patch without rebooting. (It's a save/restore state deal) brycec: np brycec: tnx the thing about venom is, it is good marketing. it's called VENOM. we've seen vulnerabilities a handful of times where someone could "break out" of a guest. Why is everyone freaking out over VENOM? On Ubuntu, they are still confined to the AppArmor profile, which is pretty restrictive. I'm just happy it works as a backronym and isn't a completely silly name haha sounds like an 80s villian villain probably because there have been a handful of villains named "venom" ARPNetworks: Now 100% VENOM-free! My favourite is Spiderman's Venom brycec: thanks for the rebootless patch info. I would almost use it, but i think there may even be other kernel patches that _should_ probably go in with the venom fix. and since everyone else is experiencing downtime and reboots at this point (like, at other providers), seems like a good time to bounce everything. heh np - just passing it along off the venom website http://img.phluxbox.com/screenshots/sher2E.png mercutio: a cursory glance of the source looks like it could allow access to 2,147,483,647 (INT_MAX) mercutio: you can see that fdctrl->fifo[] is addressed by an int (presumably 32-bit, could be larger, prior to the patch) https://github.com/qemu/qemu/commit/e907746266721f305d67bc0718795fedee2e824c#diff-516dcbd6a7e99f71c8340895ff28816bL2007 Github Commit: "fdc: force the fifo access to be in bounds of the allocated buffer by Petr Matousek" phlux: LOL well, guys, i'm not done YET still got a lot of hosts to go... like kvr18 so I think VirtualBox > qemu as far as running X goes also, up_the_irons: do you like Megadeth?
I know that my server hasn't been rebooted yet I presume you're gonna eventually reboot every one RandalSchwartz: i think your VM is on an old host (the bad: it's old, the good: no new VMs get provisioned there, so over time you get more of the machine to yourself ;) (the bad: You don't actually get control of the host still, or more RAM/HDD provisioned :P) lol "pfSense® VMware® Ready Virtual Firewall Appliance" RandalSchwartz: those hosts will probably not be patched at this time, instead they'll be upgraded fully to Ubuntu 14.04. Upgrades like this generally have a 1.5 hour maintenance window (downtime). up_the_irons++ yeah well - other than chris0 going silent, none of neil's hosts have been reset either. So I presume more things will happen soon wait - prior to patching, I *can* get full control of the host! lol RandalSchwartz no you only get access to as much as the qemu process has access to, which isn't much because it's walled uh oh rip arpnetworks RandalSchwartz is going to take over the host and destroy the business nice knowing you all heh phlux: LOL randal is going to take over the hosts and replace all the linux with freebsd. replace all the guests linux that is "we've secretly replaced this client's linux with an actual unix distro..." "let's see if he notices..." mercutio: lol "wait... what... where are my 45 options for ls?" haha gnu ls comes with freebsd doesn't it? it can be installed oh the default ls is the *real* ls it comes with solaris ahh cool lolol RandalSchwartz not the gnu monstrosity yeah i'm pretty anti gnu and in the latest freebsd, gcc is now no longer the default yeah that's cool or so I'm led to believe I wonder if you could get away with replacing bash with another bourne shell, if "anyone" would notice... clang is on par with gcc for performance in my basic experiments yeah and it has nicer error messages. clang that's it Much nicer :) ooh and way faster compiles. less memory usage when compiling too is it compatible?
can I introduce it incrementally? brycec: ksh! I think that might be a bit too different from bash... who knows i think it's easy to notice shell replacements cos they all act slightly different i've got this long standing issue with bash ... it seems to somehow randomly lose history lines so you press up arrow and it's not there! err it seems to be when i cut and paste things in usually How odd. I can see that happening with separate bash shells because they handle history files "weird" (one usually prepends its entire active history to the other). But in the same shell instance, not a clue this is with a single i'm always remote logged in i never use bash locally :) but i've had it happen on more than one different system (okay that's closer to 8/10 I think) but yeah there is the multi shell history thing that makes me want to use zsh too It's really handy up-arrow and complete for a command I just ran in a different window I don't chsh, but I do set tmux default shell to zsh (well I ^R more) i chsh that way, if zsh ever breaks, I can still ssh and fix things even on openbsd root shell wow... trusting :O and then i find that all packages stop working with update :) Yeah no kidding. root's shell is *always* something from base (as in, always ksh) that bit me with the reinstall all packages openbsd thing yeah it wasn't too bad to fix http://paste.ee/p/KPlaq#385gqSTRyEF59W1HJlGFS16tTxnR627h interesting route selection there (VIBE Communications lg) god that's long what's interesting about it? god that's long twss Okay! twss!
'god that's long' mercutio: it's picking the route via Portlane instead of the ARP Networks one 45177 45177 45177 45177 42708 6.733 i that's what i see through vibe because i have upstream with vibe but it's picking 17746 4610 4826 25795 6.733 i vibe are on any2ix though and the slightly shorter route is hitting any2ix i see the community tags for any2ix i thought it was taking a different path before i mean the any2ix path 202.49.71.24 is an ip that should come back via any2ix/vibe static: what made you check vibe for lg? i've been checking LGs all over the place to see how routes are ahh oh vibe is screwy they're on linx been troubleshooting a v6 routing issue with Portlane atm, it dies inside their network for some reason and they don't seem to add hops for it but it looks like they're peering directly with portlane, or linx doesn't add their asn in they're also peering directly with arp though.. is portlane... portland++ :) BGP Peers Observed (v4): 1,080 - portlane peers with a lot of folks portlane is some sweden provider i think (lol RandalSchwartz ) RandalSchwartz: heh, wrong side of the world yeah its a Swedish company Same as C++ != D perl -le '$x = "portland"; $x++; print $x' heh @py "portland" + 1 TypeError: cannot concatenate 'str' and 'int' objects bah python is so weak BryceBot: WHO CARES ABOUT PROPER LANGUAGE GRAMMAR or sigils... think of the sigils! ... http://en.wikipedia.org/wiki/Sigil_(computer_programming) Sigil (computer programming) :: In computer programming, a sigil (/ˈsɪdʒəl/ or /ˈsɪɡəl/; plural sigilia or sigils) is a symbol attached to a variable name, showing the variable's datatype or scope, usually a prefix, as in $foo, where $ is the sigil. Sigil, from the Latin sigillum, meaning a "little sign", means a sign or image supposedly having magical power.
In 1999 Philip Gwyn adopted the term "to mean the funny character at the front mercutio: Portlane's promiscuous peering seems to result in some interesting routes portlane's promiscuous peering... PPP! hah BryceBot: time in Sweden aw @wa time in sweden current time in Sweden;4:36:43 am CEST -> Saturday, May 16, 2015;Stockholm, Sweden, , 4:36:43 am CEST, Saturday, May 16;2:36:43 am GMT -> Saturday May 16, 2015 ahh protip: You can't just invent syntax. @protip Protip #4: Pack up a 40GB ISO of data, then have up_the_irons attach that to your VPS. Voila, free read-only storage! lololol @wa where am i current geoIP location;IPv4 address->107.178.195.232, IPv6->::ffff:6bb2:c3e8, (as seen by Wolfram|Alpha) what address is that? :) Google The WA API endpoint logic runs on a Google Cloud thinger @wa next solar eclipse visible from north america Error fetching URI. oops :) (That's the exact error back from said WA API thinger) @wa 300 USD to MXN Error fetching URI. oops (If I were in control, it would be a much more useful API) rate-limit? @exch 300 USD MXN 300 USD -> 4506.933 MXN (as of Fri, 15 May 2015 19:01:08 -0700) ^ different API at least oooh. that was 4666 two weeks ago highest I've ever seen it @exch 300 USD MXN 2015-05-01 300 USD -> 4651.335 MXN (as of Fri, 01 May 2015 16:00:00 -0700) I should have gone long I wonder what $1 in Prussian Franks is now I have some venezuelan money from before the re-evaluation something like a 20,000 note which was about $10 or so ... The government announced on 7 March 2007 that the bolívar would be revalued at a ratio of 1 to 1000 on 1 January 2008 so these were from before 2008 @exch 1 USD VEF 1 USD -> 6.318536 VEF (as of Fri, 15 May 2015 19:01:08 -0700) @exch 1 USD VEF 2000-01-01 RandalSchwartz, I didn't recognize 'VEF'.
oops Yeah I think BryceBot only recognizes current currencies or dates or something @exch 1 USD MXP 1990-01-01 I'm sorry, I couldn't fetch the data: historical/1990-01-01 ahh @twitter -r 599413951554723840 brycec: Successfully retweeted __briancallahan (599414076582670337): Just submitted a #vBSDcon 2015 talk proposal with @brycied00d (Sat May 16 03:19:57 +0000 2015, retweeted 2 times) staticsafe: apparently vibe use community 30301 to mark linx traffic, and that's why i had so many prepends so yeah they're not repeating their own asn in the path.. the whole thing about dealing with bgp communities to get good paths is kind of annoying. it means you end up having to special case stuff, but at least when you know that linx is "ages away" and can prepend it's not so bad. well assume you have multiple paths up_the_irons: got the email regarding reboots. Much appreciated it'd be nice if it knew who was on what host oh maybe it does know or brycec has laggy email (then again it's probably only for those to be affected) it says "if" you have host on one of four machines brycec: lol on that 40gb free read-only storage 9, 14, 15, 16 i'm on 15 as long as the iso is a wget'able URL Don't think that was "my" protip but thanks mnathani_ I actually got 2 emails i only got one one for my vps another for my customers vps oh right Hm no reboot for 18 then? I wonder if 18 is one of those "older" hosts maybe not yet or maybe it's been or maybe it's older ok :) 18 hasn't been rebooted yet. "12:26AM up 3 days, 12:15, 0 users, load averages: 1.19, 1.06, 1.00" i'm surprised it's happening so late late in what respect? 5:30 am or something isn't it 5 to 5:30 currently 9:30pm in ARP Daylight Time (well 21:27) yeah i know Oh up_the_irons specified 5am? yes (Not receiving the email, I don't know what was said :p) i mean why 5 am and not 3 am? so i dunno if there's another window for other hosts. Because that's when up_the_irons is up?
heh he's up at 3 too then :) He rebooted this vm's host around 6am yeah it's hard to know what a good time is really so 6 am PST is 9 am on eastern time? yes is 1pm GMT I believe That's what she said!! and it would have been friday BryceBot: no Oh, okay... I'm sorry. 'is 1pm GMT I believe' so normally i'd say that earlier is probably better for US centric but tbh, to my mind it's better to be quick than get the time right :) there's no PST right now not until november so mercutio... wrong. :) technically there still *IS* PST, it's just not accurate :P No... there's no place that is observing PST at all This feels like a "if a tree falls in a forest" joke now whatever. timezones are important to me. Sure, nobody is observing it. Doesn't stop it from existing. PST = GMT-8, always. They are to me as well, and I didn't catch mercutio's slip and I feel bad :( sure, but it doesn't actually exist for half the year brycec: i used pst as per the email shame on up_the_irons then well in the end it doesn't really matter. do you call it PT as a standard https://www.youtube.com/watch?v=aFwcBBmgOe0 ? YouTube video: "Bohemian Rhapsody - Queen" by Carla Pax is it EST for east coast? mercutio: PST/PDT EST/EDT i suppose if you used PST and EST, it wouldn't be ambiguous MST/MDT CST/CDT M is mainland? Mountain Ahh Central Pacific, Eastern (there are a couple others too for Hawaii and Alaska) daylight saving is just confusing. although i do find it amusing that uptheirons seems to go to bed around the same time as me. even though he's 5 hours ahead (minus a day) (so 19?) yeah (just checking) i just find +5 hours minus a day easier to grok Ditto i'm +13 GMT err +12 GMT damn i forget when i'm in daylight saving or not okay that makes sense i am ST but daylight saving for me is +13 mercutio: And when does dst start for you? it just ended like a month ago? 
it's a few weeks different than the US so sort of reverse of the Northern hemisphere that's a very vague month btw (since US just started in March) yeah it's around easter iirc 5th april to 27th september is st Somehow it feels much later than just 00.00 here :/ Always annoying when the internal clock is fast