up_the_irons: i'm learning german... (not very useful in cali, i suppose, but i like the language)
mercutio: i want to learn spanish
but no-one around here speaks spanish
plett: I used Duolingo to learn a bit of Spanish in the run up to a trip through Argentina last year. It wasn't too hard to get up to the level of being able to order food in a restaurant without looking like a complete idiot.
The confusing bit was flying through Brazil to get there. Are they talking Spanish to me and I am jetlagged and don't understand them, or was that Portuguese?
***: tabthorpe has quit IRC (Ping timeout: 255 seconds)
up_the_irons: mercutio: well, *nobody* speaks german around here, but with a little resourcefulness i found that wasn't a problem. ant and i chat in #arpnetworks-de; with skype / whatsapp / etc... i also chat daily with germans/austrians/swiss
***: qbit has quit IRC (Ping timeout: 252 seconds)
mercutio: yeah chatting daily is the closest to immersion you can get without actually living somewhere german speaking
***: BryceBot has quit IRC (Ping timeout: 245 seconds)
brycec has quit IRC (Ping timeout: 255 seconds)
up_the_irons: mercutio: yeah
***: tooth has quit IRC (Remote host closed the connection)
mhoran: up_the_irons: one of my VMs just spontaneously rebooted. Thoughts? The one on kvr12 (or whatever the higher kvr is).
Dirty disk on reboot, so it would seem the host rebooted it
mercutio: would have been venom patch
up_the_irons: mhoran: we're rebooting hosts to patch venom
mercutio: hmm it doesn't get acpi shutdown notification?
mhoran: Kvr10 actually. Cool. It did not shut down cleanly, it seems.
mercutio: kvr15 doesn't seem to have rebooted
mhoran: Well as long as I didn't get hacked, hooray
***: qbit has joined #arpnetworks
qbit is now known as Guest82907
Guest82907 is now known as qbit
qbit: mah vps was rebooted
mercutio: qbit: venom patch
qbit: ah
makes sense.. but i wish there had been a notification or something :D
mercutio: there was something on twitter
but yeah no email strangely
up_the_irons: you didn't mail everyone?
-: mhoran didn't get an email
up_the_irons: this time around, i did not email everyone. i really wanted to focus on actually patching things asap. I put it on Twitter though (i know it's not the best way to announce, but something...)
mhoran: And I don't twitter.
up_the_irons: sorry
mhoran: No worries just wanted to know what happened.
I was worried because we did maintenance of our own last night
And of course I woke up to see it was down.
-: RandalSchwartz yawns
***: BryceBot has joined #arpnetworks
brycec has joined #arpnetworks
tooth has joined #arpnetworks
-: brycec grumbles about necessary reboots that happen while he was sleeping leaving his VPS offline until he awoke and entered the luks passphrase
RandalSchwartz: Oh... that would also explain one of my client's hosts downtime this morning.
luckily, I don't have my phone on anything but vibrate. :)
brycec: twss
BryceBot: Okay! twss! 'luckily, I don't have my phone on anything but vibrate. :)'
RandalSchwartz: or I would have been notified of pagerduty pings. :)
I'm still wondering why my stonehenge.com box hasn't been rebooted.
pjs: so there were reboots last night then?
brycec: Yes, but not on all hosts
pjs: Yea.. Just the hosts my clients are on.. YAY :)
brycec: haha
my personal host but not my company's VPS (and naturally our dedicated box is unaffected yay)
pjs: up_the_irons are the rest of the hosts going to need a reboot as well? (assuming so)
***: BryceBot has quit IRC (Quit: Standby for reinitialization...)
brycec has quit IRC (Quit: Cheerio, mates.)
mnathani: my landlord is finally installing fiber to each apartment in my building
***: BryceBot has joined #arpnetworks
brycec has joined #arpnetworks
mnathani_: I wish I could suspend my vm, let up_the_irons reboot the host and resume. So many tmux windows
RandalSchwartz: with CRIU, you could. :)
mike-burns: Next time it might be good to inform this channel of a system reboot. Though I don't know: maybe more customers use Twitter than IRC these days.
brycec: mnathani_: I feel your "pane" *rimshot*
I dumped my tmux server-info so I have a snap of what I had arranged at least
***: KILLALLHUMANS01 has joined #arpnetworks
brycec: (and my ps to be sure I restarted everything I had running by hand)
And now I'm taking the opportunity to grow my disk (been running on my original 10GB partition table forever even though I upgraded to a 40GB disk) and upgrade to Jessie.
mkb: mike-burns: I wish he would e-mail. That's the way I'd expect news like that to come from him.
pjs: Yea, that's how it should be delivered.
I had to find out there were issues from clients
KILLALLHUMANS01: I suppose it's nice and considerate that ARP almost *never* emails... but maybe that needs to change slightly
***: BryceBot has quit IRC (Quit: Standby for reinitialization...)
brycec has quit IRC (Quit: Cheerio, mates.)
BryceBot has joined #arpnetworks
brycec has joined #arpnetworks
mnathani_: I have a fresh install of arch in virtualbox
what is the precise order of things that need to be installed in order to have a functioning xorg server where startx launches plasma (kde)
the last couple of times I tried I failed
RandalSchwartz: whats CRIU?
@google criu
brycec: (Sorry, BryceBot is offline for the moment)
mnathani_: his BNC is here though
:)
brycec: Yep (ZNC)
Just upgraded to ZNC 1.4 and excited to play with its new features too (notably support for networks-under-users)
(rather than one user=network as it has been in the past)
BryceBot: Google API failure :(
brycec: And now the wonders of running BryceBot behind a bouncer - it can catch up
(sadly it can also fail
"PHP message: cURL_error: Protocol "https" not supported or disabled in libcurl"
the fun of upgrades :D
mnathani_: brycec: lol on the use of pane / pun I am just re-reading
brycec: :)
RandalSchwartz: Our PCI-compliance scan requires that I now disable even TLSv1.0
they made us remove SSLv2 and v3 two months ago
problem is... apache22 freebsd port compiled against the system openssl...
those are the only three protocols it knows!
oops
so now I have to recompile everything against the openssl port instead :)
criu http://twit.tv/show/floss-weekly/334
mnathani_: thanks RandalSchwartz
mercutio: RandalSchwartz: is that freebsd 8?
RandalSchwartz: no... now 9
we moved off 8 for all the machines in his cluster
I still have to do stonehenge, but I'm more confident that it's gonna be straightforward
mercutio: so even freebsd 9 doesn't support tls 1.1 ?
RandalSchwartz: the core openssl is 1.0
so no.
but the port openssl is 1.0.2
so probably I should have switched to that already :)
mercutio: OpenSSL 1.0.2a 19 Mar 2015
i have 1.02a it seems
i wish versions would go in bigger jumps
i wonder if freebsd will shift to libressl
brycec: lol RandalSchwartz
Been there and dealt with that from the other side. We had to add a checkbox to our product to specifically enable TLS 1.0 for old/legacy browsers that don't support 1.1. (originally TLS 1.0 was enabled by default, but it triggered too many customers' PCI scans)
phlux: NoScript is kind of annoying tbh
mercutio: the web is kind of annoying too :)
it has become so important to not communicate so much as to present information
and so you can't just view a whole lot of information nicely, but instead you have to put up with animations, etc.
the ad thing has got way out of hand too
i don't get why
well i don't get why on tech sites.
RandalSchwartz: is there any way to pre-populate a slight-variant poudriere so I don't have to always build all the packages from scratch?
hmm. maybe I should ask that in #freebsd
***: awyeah has quit IRC (Quit: ZNC - http://znc.in)
awyeah has joined #arpnetworks
up_the_irons: mnathani_: i wish i could easily suspend them as well
pjs: mkb KILLALLHUMANS01 : I'm sorry guys for not sending an email. I rebooted hosts in haste; was kinda scared. I've never had so many people open tickets about a vulnerability, asking, "When are you gonna patch yo' shit?"
mercutio: some sites were advising people to ask their host about when it was being patched.
http://www.nbcnews.com/tech/security/venom-new-security-bug-scary-it-sounds-n359836
i mean people are going around saying it's worse than heartbleed
http://www.zdnet.com/article/venom-security-flaw-millions-of-virtual-machines-datacenters/
like zdnet is saying it's bigger than heartbleed
brycec: lol up_the_irons sorry for adding to that pile.
(KILLALLHUMANS01 = brycec)
mercutio: oh zdnet have upgraded, potentially exploitable to "can break out of virtual machine"
brycec: s/".*/"literal description of what the vulnerability is"
BryceBot: <mercutio> oh zdnet have upgraded, potentially exploitable to "literal description of what the vulnerability is"
mercutio: can you actually break out of the virtual machine?
" That can allow a hacker to break out of their own virtual machine to access other machines -- including those owned by other people or companies."
brycec: That's what it is, yeah. Allows you access to host memory (well, that which is available to the qemu process running on the host)
mercutio: i thought it was just an overrun
that doesn't necessarily mean it's exploitable
brycec: It's considered exploitable until proven otherwise
because it's *potentially* exploitable
mercutio: i prefer to keep it at potentially exploitable, until known exploitable.
it's hard to prove something isn't exploitable.
brycec: Once you have access to memory at random, you can theoretically do whatever
mercutio: how much memory do you get access ot?
to?
brycec: I don't know for sure, would have to look at the source to be sure, but could be quite a bit, probably at least 64kb
The host's best defense would be ASLR at least
up_the_irons: Did you see this http://www.venomfix.com/ supposedly a way to patch without rebooting.
(It's a save/restore state deal)
up_the_irons: brycec: np
brycec: tnx
the thing about venom is, it is good marketing. it's called VENOM. we've seen vulnerabilities a handful of times where someone could "break out" of a guest. Why is everyone freaking out over VENOM? On Ubuntu, they are still confined to the AppArmor profile, which is pretty restrictive.
brycec: I'm just happy it works as a backronym and isn't a completely silly name
up_the_irons: haha
phlux: sounds like an 80s villian
villain
brycec: probably because there have been a handful of villains named "venom"
phlux: ARPNetworks: Now 100% VENOM-free!
brycec: My favourite is Spiderman's Venom
up_the_irons: brycec: thanks for the rebootless patch info. I would almost use it, but i think there may even be other kernel patches that _should_ probably go in with the venom fix. and since everyone else is experiencing downtime and reboots at this point (like, at other providers), seems like a good time to bounce everything.
brycec: heh np - just passing it along off the venom website
phlux: http://img.phluxbox.com/screenshots/sher2E.png
brycec: mercutio: a cursory glance of the source looks like it could allow access to 2,147,483,647 (INT_MAX)
mercutio: you can see that fdctrl->fifo[] is addressed by an int (presumably 32-bit, could be larger, prior to the patch) https://github.com/qemu/qemu/commit/e907746266721f305d67bc0718795fedee2e824c#diff-516dcbd6a7e99f71c8340895ff28816bL2007
BryceBot: Github Commit: "fdc: force the fifo access to be in bounds of the allocated buffer by Petr Matousek"
up_the_irons: phlux: LOL
well, guys, i'm not done YET
still got a lot of hosts to go...
brycec: like kvr18
phlux: so I think VirtualBox > qemu as far as running X goes
also, up_the_irons: do you like Megadeth?
RandalSchwartz: I know that my server hasn't been rebooted yet
I presume you're gonna eventually reboot every one
up_the_irons: RandalSchwartz: i think your VM is on an old host (the bad: it's old, the good: no new VMs get provisioned there, so over time you get more of the machine to yourself ;)
brycec: (the bad: You don't actually get control of the host still, or more RAM/HDD provisioned :P)
lol "pfSense® VMware® Ready Virtual Firewall Appliance"
up_the_irons: RandalSchwartz: those hosts will probably not be patched at this time, instead they'll be upgraded fully to Ubuntu 14.04. Upgrades like this generally have a 1.5 hour maintenance window (downtime).
brycec: up_the_irons++
-: brycec thinks VMWare-certified appliances are sorta silly for most things
up_the_irons: yeah
RandalSchwartz: well - other than chris0 going silent, none of neil's hosts have been reset either.
So I presume more things will happen soon
wait - prior to patching, I *can* get full control of the host!
-: RandalSchwartz downloads Venom RootKit {grin}
brycec: lol RandalSchwartz no you only get access to as much as the qemu process has access to, which isn't much because it's walled
phlux: uh oh
rip arpnetworks
RandalSchwartz is going to take over the host and destroy the business
nice knowing you all
RandalSchwartz: heh
up_the_irons: phlux: LOL
mercutio: randal is going to take over the hosts and replace all the linux with freebsd.
replace all the guests' linux that is
RandalSchwartz: "we've secretly replaced this client's linux with an actual unix distro..."
"let's see if he notices..."
up_the_irons: mercutio: lol
RandalSchwartz: "wait... what... where are my 45 options for ls?"
up_the_irons: haha
mercutio: gnu ls comes with freebsd doesn't it?
RandalSchwartz: it can be installed
mercutio: oh
RandalSchwartz: the default ls is the *real* ls
mercutio: it comes with solaris
ahh cool
brycec: lolol RandalSchwartz
RandalSchwartz: not the gnu monstrosity
mercutio: yeah i'm pretty anti gnu
RandalSchwartz: and in the latest freebsd, gcc is now no longer the default
mercutio: yeah that's cool
RandalSchwartz: or so I'm led to believe
brycec: I wonder if you could get away with replacing bash with another bourne shell, if "anyone" would notice...
mercutio: clang is on par with gcc for performance in my basic experiments
RandalSchwartz: yeah
mercutio: and it has nicer error messages.
RandalSchwartz: clang that's it
brycec: Much nicer :)
mercutio: ooh and way faster compiles.
less memory usage when compiling too
RandalSchwartz: is it compatible?
can I introduce it incrementally?
mercutio: brycec: ksh!
brycec: I think that might be a bit too different from bash... who knows
mercutio: i think it's easy to notice shell replacements cos they all act slightly different
i've got this long standing issue with bash ... it seems to somehow randomly lose history lines
so you press up arrow and it's not there!
err it seems to be when i cut and paste things in usually
brycec: How odd. I can see that happening with separate bash shells because they handle history files "weird" (one usually prepends its entire active history to the other). But in the same shell instance, not a clue
mercutio: this is with a single
i'm always remote logged in
i never use bash locally :)
but i've had it happen on more than one different system
-: brycec uses zsh in 9/10 of where he logs in
brycec: (okay that's closer to 8/10 I think)
mercutio: but yeah there is the multi shell history thing that makes me want to use zsh too
brycec: It's really handy
up-arrow and complete for a command I just ran in a different window
RandalSchwartz: I don't chsh, but I do set tmux default shell to zsh
brycec: (well I ^R more)
mercutio: i chsh
RandalSchwartz: that way, if zsh ever breaks, I can still ssh and fix things
mercutio: even on openbsd root shell
RandalSchwartz: wow... trusting
brycec: :O
mercutio: and then i find that all packages stop working with update :)
brycec: Yeah no kidding.
root's shell is *always* something from base (as in, always ksh)
mercutio: that bit me with the reinstall all packages openbsd thing
-: brycec points, laughs
RandalSchwartz: yeah
mercutio: it wasn't too bad to fix
staticsafe: http://paste.ee/p/KPlaq#385gqSTRyEF59W1HJlGFS16tTxnR627h interesting route selection there (VIBE Communications lg)
mercutio: god that's long
what's interesting about it?
brycec: god that's long
twss
BryceBot: Okay! twss! 'god that's long'
staticsafe: mercutio: it's picking the route via Portlane instead of the ARP Networks one
mercutio: 45177 45177 45177 45177 42708 6.733 i
that's what i see through vibe
because i have upstream with vibe
but it's picking 17746 4610 4826 25795 6.733 i
vibe are on any2ix though
-: staticsafe nods
mercutio: and the slightly shorter route is hitting any2ix
staticsafe: i see the community tags for any2ix
mercutio: i thought it was taking a different path before
i mean the any2ix path
202.49.71.24 is an ip that should come back via any2ix/vibe
static: what made you check vibe for lg?
staticsafe: i've been checking LGs all over the place to see how routes are
mercutio: ahh
oh vibe is screwy
they're on linx
staticsafe: been troubleshooting a v6 routing issue with Portlane atm, it dies inside their network for some reason
mercutio: and they don't seem to add hops for it
but it looks like they're peering directly with portlane, or linx doesn't add their asn in
they're also peering directly with arp though..
RandalSchwartz: is portlane... portland++ :)
staticsafe: BGP Peers Observed (v4): 1,080 - portlane peers with a lot of folks
mercutio: portlane is some sweden provider i think
brycec: (lol RandalSchwartz )
staticsafe: RandalSchwartz: heh, wrong side of the world
yeah it's a Swedish company
brycec: Same as C++ != D
RandalSchwartz: perl -le '$x = "portland"; $x++; print $x'
mercutio: heh
brycec: @py "portland" + 1
BryceBot: TypeError: cannot concatenate 'str' and 'int' objects
brycec: bah
RandalSchwartz: python is so weak
brycec: BryceBot: WHO CARES ABOUT PROPER LANGUAGE GRAMMAR
RandalSchwartz: or sigils... think of the sigils!
... http://en.wikipedia.org/wiki/Sigil_(computer_programming)
BryceBot: Sigil (computer programming) :: In computer programming, a sigil (/ˈsɪdʒəl/ or /ˈsɪɡəl/; plural sigilia or sigils) is a symbol attached to a variable name, showing the variable's datatype or scope, usually a prefix, as in $foo, where $ is the sigil. Sigil, from the Latin sigillum, meaning a "little sign", means a sign or image supposedly having magical power. In 1999 Philip Gwyn adopted the term "to mean the funny character at the front
staticsafe: mercutio: Portlane's promiscuous peering seems to result in some interesting routes
RandalSchwartz: portlane's promiscuous peering... PPP!
staticsafe: hah
BryceBot: time in Sweden
aw
brycec: @wa time in sweden
BryceBot: current time in Sweden;4:36:43 am CEST -> Saturday, May 16, 2015;Stockholm, Sweden, , 4:36:43 am CEST, Saturday, May 16;2:36:43 am GMT -> Saturday May 16, 2015
staticsafe: ahh
brycec: protip: You can't just invent syntax.
@protip
BryceBot: Protip #4: Packup a 40GB ISO of data, then have up_the_irons attach that to your VPS. Voila, free read-only storage!
brycec: lololol
RandalSchwartz: @wa where am i
BryceBot: current geoIP location;IPv4 address->107.178.195.232, IPv6->::ffff:6bb2:c3e8, (as seen by Wolfram|Alpha)
RandalSchwartz: what address is that? :)
brycec: Google
The WA API endpoint logic runs on a Google Cloud thinger
RandalSchwartz: @wa next solar eclipse visible from north america
BryceBot: Error fetching URI.
RandalSchwartz: oops :)
brycec: (That's the exact error back from said WA API thinger)
RandalSchwartz: @wa 300 USD to MXN
BryceBot: Error fetching URI.
RandalSchwartz: oops
brycec: (If I were in control, it would be a much more useful API)
RandalSchwartz: rate-limit?
brycec: @exch 300 USD MXN
BryceBot: 300 USD -> 4506.933 MXN (as of Fri, 15 May 2015 19:01:08 -0700)
brycec: ^ different API at least
RandalSchwartz: oooh. that was 4666 two weeks ago
highest I've ever seen it
brycec: @exch 300 USD MXN 2015-05-01
BryceBot: 300 USD -> 4651.335 MXN (as of Fri, 01 May 2015 16:00:00 -0700)
RandalSchwartz: I should have gone long
-: mkb wonders when he's going to get rebooted
phlux: I wonder what $1 in Prussian Franks is now
RandalSchwartz: I have some venezuelan money from before the re-evaluation
something like a 20,000 note
which was about $10 or so
... The government announced on 7 March 2007 that the bolívar would be revalued at a ratio of 1 to 1000 on 1 January 2008
so these were from before 2008
@exch 1 USD VEF
BryceBot: 1 USD -> 6.318536 VEF (as of Fri, 15 May 2015 19:01:08 -0700)
RandalSchwartz: @exch 1 USD VEF 2000-01-01
BryceBot: RandalSchwartz, I didn't recognize 'VEF'.
RandalSchwartz: oops
brycec: Yeah I think BryceBot only recognizes current currencies
or dates
or something
RandalSchwartz: @exch 1 USD MXP 1990-01-01
BryceBot: I'm sorry, I couldn't fetch the data: historical/1990-01-01
RandalSchwartz: ahh
brycec: @twitter -r 599413951554723840
BryceBot: brycec: Successfully retweeted __briancallahan (599414076582670337): Just submitted a #vBSDcon 2015 talk proposal with @brycied00d (Sat May 16 03:19:57 +0000 2015, retweeted 2 times)
mercutio: staticsafe: apparently vibe use community 30301 to mark linx traffic, and that's why i had so many prepends
so yeah they're not repeating their own asn in the path..
the whole thing about dealing with bgp communities to get good paths is kind of annoying.
it means you end up having to special case stuff, but at least when you know that linx is "ages away" and can prepend it's not so bad.
well assume you have multiple paths
-: mercutio got email from arp :)
mnathani_: up_the_irons: got the email regarding reboots. Much appreciated
-: brycec did not, feels un-special
mercutio: it'd be nice if it knew who was on what host
oh maybe it does know
or brycec has laggy email
brycec: (then again it's probably only for those to be affected)
mercutio: it says "if" you have host on one of four machines
mnathani_: brycec: lol on that 40gb free read-only storage
mercutio: 9, 14, 15, 16
i'm on 15
mnathani_: as long as the iso is a wget'able URL
brycec: Don't think that was "my" protip but thanks mnathani_
mnathani_: I actually got 2 emails
mercutio: i only got one
mnathani_: one for my vps another for my customers vps
mercutio: oh right
brycec: Hm no reboot for 18 then?
I wonder if 18 is one of those "older" hosts
mercutio: maybe not yet
or maybe it's been
or maybe it's older
ok :)
brycec: 18 hasn't been rebooted yet. "12:26AM up 3 days, 12:15, 0 users, load averages: 1.19, 1.06, 1.00"
mercutio: i'm surprised it's happening so late
brycec: late in what respect?
mercutio: 5:30 am or something isn't it
5 to 5:30
brycec: currently 9:30pm in ARP Daylight Time
(well 21:27)
mercutio: yeah i know
brycec: Oh up_the_irons specified 5am?
mercutio: yes
brycec: (Not receiving the email, I don't know what was said :p)
mercutio: i mean why 5 am and not 3 am?
so i dunno if there's another window for other hosts.
brycec: Because that's when up_the_irons is up?
mercutio: heh
he's up at 3 too then :)
brycec: He rebooted this vm's host around 6am
mercutio: yeah
it's hard to know what a good time is really
so 6 am PST is 9 am on eastern time?
brycec: yes
is 1pm GMT I believe
BryceBot: That's what she said!!
mercutio: and it would have been friday
brycec: BryceBot: no
BryceBot: Oh, okay... I'm sorry. 'is 1pm GMT I believe'
mercutio: so normally i'd say that earlier is probably better
for US centric
but tbh, to my mind it's better to be quick than get the time right :)
RandalSchwartz: there's no PST right now
not until november
so mercutio... wrong. :)
brycec: technically there still *IS* PST, it's just not accurate :P
RandalSchwartz: No... there's no place that is observing PST at all
brycec: This feels like a "if a tree falls in a forest" joke now
RandalSchwartz: whatever.
timezones are important to me.
brycec: Sure, nobody is observing it. Doesn't stop it from existing. PST = GMT-8, always.
They are to me as well, and I didn't catch mercutio's slip and I feel bad :(
RandalSchwartz: sure, but it doesn't actually exist for half the year
-: brycec contends that it still exists, but nobody [should] care about it until November
brycec goes back to upgrading OpenBSD boxes
mercutio: brycec: i used pst as per the email
brycec: shame on up_the_irons then
mercutio: well in the end it doesn't really matter.
do you call it PT as a standard
brycec: https://www.youtube.com/watch?v=aFwcBBmgOe0 ?
BryceBot: YouTube video: "Bohemian Rhapsody - Queen" by Carla Pax
mercutio: is it EST for east coast?
brycec: mercutio: PST/PDT
EST/EDT
mercutio: i suppose if you used PST and EST, it wouldn't be ambiguous
brycec: MST/MDT
CST/CDT
mercutio: M is mainland?
brycec: Mountain
mercutio: Ahh
brycec: Central
Pacific, Eastern
(there are a couple others too for Hawaii and Alaska)
mercutio: daylight saving is just confusing.
although i do find it amusing that uptheirons seems to go to bed around the same time as me.
even though he's 5 hours ahead (minus a day)
brycec: (so 19?)
mercutio: yeah
brycec: (just checking)
mercutio: i just find +5 hours minus a day easier to grok
brycec: Ditto
mercutio: i'm +13 GMT
err +12 GMT
damn i forget when i'm in daylight saving or not
brycec: okay that makes sense
mercutio: i am ST
but daylight saving for me is +13
brycec: mercutio: And when does dst start for you?
mercutio: it just ended like a month ago?
it's a few weeks different than the US
brycec: so sortof-reverse of the Northern hemisphere
mercutio: that's a very vague month btw
brycec: (since US just started in March)
mercutio: yeah
it's around easter iirc
5th april to 27th september
is st
brycec: Somehow it feels much later than just 00.00 here :/
Always annoying when the internal clock is fast