Hi,
If you do not use BitFolk's Entropy service and have no interest in
doing so then this email will be of little interest to you can be
safely ignored.
If you haven't heard about the Entropy service before, please see:
https://tools.bitfolk.com/wiki/Entropy
If you *do* use the Entropy service though, I'm interested to know
what software you have that actually uses /dev/random (and not
/dev/urandom).
Some background to this question:
To provide the Entropy service we use hardware entropy generators,
currently exclusively a pair of EntropyKeys manufactured by a UK
company called Simtec Electronics Ltd.
Despite the fact that these were extremely popular little devices
(compared to other fairly niche little gadgets), Simtec always had a
supply problem and then Simtec imploded as a company, so as far as I
know these are now impossible to obtain, the IP is lost forever etc.
Although I have one spare EntropyKey ready to put in service should
one of the two in service ever die (I've not experienced that yet),
that left me slightly worried as to what I'd do if I needed to get
more.
Then I saw the OneRNG kickstarter, and decided to pledge. So now I
have 5 of (the internal USB version of) these:
http://onerng.info/
I've not yet gone any further than verifying that they keep the
entropy pool full on the machine they're plugged into, but that's
good enough for now. Could be a decade before one of my existing
EntropyKeys dies.
I have since heard that this device proved far more popular than its
manufacturer expected (sense a theme?) and they're now extremely
difficult to get hold of because they need to get a new batch made
in China. I've had multiple people contacting me on the basis of a
tweet I did about getting these, asking me to sell them mine (which
I would, but they didn't want internal USB).
The point I'm trying to make here is that the world of hardware
random number generators is not one with reliable supply lines,
unless you want to spend a fortune on some black box.
So when I came across:
http://www.2uo.de/myths-about-urandom/
I was sad that the nerdery that is the Entropy service may be
misguided, but also happy with the possibility that I might never
have to source a hardware RNG again.
Let's just take the argument posited by the article, that all
(Linux) software should just learn to love /dev/urandom¹, as true.
If you don't agree with this claim, you are disagreeing with some
pretty big names in crypto. The Hacker News commentary on the
article may also prove of interest:
https://news.ycombinator.com/item?id=10149019
At the very least, I feel the Entropy article on the BitFolk Wiki
needs an update in light of this. To justify the service's
existence, if nothing else.
Going further, the question becomes, well, what software is there in
existence that forces use of /dev/random with no configuration that
would allow otherwise? Because even if we agree that all software
*should* be using urandom, if some popular software *refuses* to
without recompile, then we're still going to have to provide an
Entropy service, because doing so is easier than running
non-packaged software.
So Entropy service users, what have you got that uses /dev/random?
Cheers,
Andy
¹ A more correct summary of it is probably, "urandom is fine all the
time except for on initial boot when a small amount of entropy
from outside the CSPRNG is desirable."
On shutdown all fairly modern Linuxes save the current entropy
pool to the filesystem and load it up from there on boot, so it's
only essential on first boot.
--
http://bitfolk.com/ -- No-nonsense VPS hosting
Hi,
Rather disappointingly there's been another round of security
advisories for Xen, some of which affect the configuration in use at
BitFolk:
http://xenbits.xen.org/xsa/
So unfortunately that means another round of "patch and reboot
everything" for us.
We will send out direct emails informing you of a two hour window in
which the work affecting your VPS is going to take place, but that
won't be sent for a week or so as testing of the patches will be
necessary first.
I am going to try to get a checkbox added to the panel website so
that those of you who are brave enough to try it can indicate that
you'd prefer for your VPS to be suspended and restored rather than
shutdown and booted.
Cheers,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
_______________________________________________
announce mailing list
announce(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/announce
Hello BitFolk People
This http://www.hailpixel.com/articles/how-to-protect-your-online-communications excellent article about the implications of the IP Bill suggests using a VPN to help to keep the snoopers at bay.
Here's a question: is BitFolk an 'ISP' for the purposes of the bill? -- does it collect metadata about traffic in and out of my VPS?
If not, would it make sense to use my BitFolk VPS as a VPN, so that it proxies my home internet connection? I've been toying with the idea of using software such as OpenVPN for this, and the bill (very nearly an Act now) gives me another reason for getting on with it.
The alternative would be to use a paid-for VPN provider such as the ones recommended in that article.
Cheers,
Chris
Hi,
Unfortunately a batch of security advisories for Xen were posted
today, some of which affect the configuration in use at BitFolk:
http://xenbits.xen.org/xsa/
The details are under embargo until 22 November, so a reboot of all
hosts will need to take place before then. You should expect this
work to be carried out over a few days prior to the 22nd.
We will send out direct emails informing you of a two hour window in
which the work affecting your VPS is going to take place, but that
won't be sent for a week or so as testing of the patches will be
necessary first.
Cheers,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
_______________________________________________
announce mailing list
announce(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/announce
On Mon, November 21, 2016 12:20, Mike Zanker wrote:
> On 21 Nov 2016, at 11:49, Chris Dennis <cgdennis(a)btinternet.com> wrote:
>
>> Here's a question: is BitFolk an 'ISP' for the purposes of the bill? --
>> does it collect metadata about traffic in and out of my VPS?
>>
>> If not, would it make sense to use my BitFolk VPS as a VPN, so that it
>> proxies my home internet connection? I've been toying with the idea of
>> using software such as OpenVPN for this, and the bill (very nearly an
>> Act now) gives me another reason for getting on with it.
<snip>
> I must admit that I've been thinking along the same lines, although my
> ISP (Andrews & Arnold) is vehemently opposed to the bill and is making
> their own plans. I think the IP Bill allows for DPI of the backhauls,
> though, so the monitoring and logging could be done before your packets
> even get to your ISP, hence the need for VPN.
I'd been thinking of setting up a VPN to my Bitfolk box for a while (but
had trouble getting it set up then configured my home router to provide
one instead).
Originally my reason was in order to bypass restrictions on our Eduroam
network (for instance I really wanted to SSH to a non-standard port on my
server rather than having to open port 22 to the whole IP range used by
our University), but now I'm unhappy about letting the state decide what
is or is not suitable for me to view (and the slippery slope that
represents), so the answer to this would be interesting for me too.
> I'm not sure what the throughput would be on our VPS, though - it's
> pretty CPU-intensive. Would it be likely to cause issues to the hosting
> servers?
I hadn't considered that. Is a single user VPN more CPU intensive than
I'd imagine?
Gavin
Hi,
I had a query about full disk encryption and given the way things
are going in the world, perhaps it is more likely that people would
want storage that BitFolk can't read¹.
So, although support for FDE is pretty good in installers these
days, I wrote up some notes about using it at BitFolk which you may
find useful:
https://tools.bitfolk.com/wiki/Full_disk_encryption
Cheers,
Andy
¹ Note though that it is easy to dump an image of a running VM's
memory. That would probably allow someone to extract the LUKS keys
and use them against a snapshot of the storage to unlock it. So
not proof against a skilled, determined attacker with root access
to BitFolk's infrastructure. You will have to trust that it is
beyond me, though.
--
https://bitfolk.com/ -- No-nonsense VPS hosting
