Hi,
If you do not use BitFolk's Entropy service and have no interest in
doing so then this email will be of little interest to you and can be
safely ignored.
If you haven't heard about the Entropy service before, please see:
https://tools.bitfolk.com/wiki/Entropy
If you *do* use the Entropy service though, I'm interested to know
what software you have that actually uses /dev/random (and not
/dev/urandom).
Some background to this question:
To provide the Entropy service we use hardware entropy generators,
currently exclusively a pair of EntropyKeys manufactured by a UK
company called Simtec Electronics Ltd.
Despite the fact that these were extremely popular little devices
(compared to other fairly niche little gadgets), Simtec always had a
supply problem and then Simtec imploded as a company, so as far as I
know these are now impossible to obtain, the IP is lost forever etc.
Although I have one spare EntropyKey ready to put in service should
one of the two in service ever die (I've not experienced that yet),
that left me slightly worried as to what I'd do if I needed to get
more.
Then I saw the OneRNG kickstarter, and decided to pledge. So now I
have 5 of (the internal USB version of) these:
http://onerng.info/
I've not yet gone any further than verifying that they keep the
entropy pool full on the machine they're plugged into, but that's
good enough for now. Could be a decade before one of my existing
EntropyKeys dies.
I have since heard that this device proved far more popular than its
manufacturer expected (sense a theme?) and they're now extremely
difficult to get hold of because they need to get a new batch made
in China. I've had multiple people contacting me on the basis of a
tweet I did about getting these, asking me to sell them mine (which
I would, but they didn't want internal USB).
The point I'm trying to make here is that the world of hardware
random number generators is not one with reliable supply lines,
unless you want to spend a fortune on some black box.
So when I came across:
http://www.2uo.de/myths-about-urandom/
I was sad that the nerdery that is the Entropy service may be
misguided, but also happy with the possibility that I might never
have to source a hardware RNG again.
Let's just take the argument posited by the article, that all
(Linux) software should just learn to love /dev/urandom¹, as true.
If you don't agree with this claim, you are disagreeing with some
pretty big names in crypto. The Hacker News commentary on the
article may also prove of interest:
https://news.ycombinator.com/item?id=10149019
At the very least, I feel the Entropy article on the BitFolk Wiki
needs an update in light of this. To justify the service's
existence, if nothing else.
Going further, the question becomes, well, what software is there in
existence that forces use of /dev/random with no configuration that
would allow otherwise? Because even if we agree that all software
*should* be using urandom, if some popular software *refuses* to
without recompile, then we're still going to have to provide an
Entropy service, because doing so is easier than running
non-packaged software.
So Entropy service users, what have you got that uses /dev/random?
Cheers,
Andy
¹ A more correct summary of it is probably, "urandom is fine all the
time except for on initial boot when a small amount of entropy
from outside the CSPRNG is desirable."
On shutdown all fairly modern Linuxes save the current entropy
pool to the filesystem and load it up from there on boot, so it's
only essential on first boot.
--
http://bitfolk.com/ -- No-nonsense VPS hosting
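An added audit script, not part of Andy's message or BitFolk's tooling, for answering the question he asks: it walks /proc/<pid>/fd the way lsof does and lists the processes that currently hold the blocking /dev/random open, ignores /dev/urandom, and reads the kernel's entropy_avail counter. The proc_root parameter and build_fake_proc exist only so it can be exercised against a constructed /proc tree; the process names in that tree are made up.

```python
import os
import tempfile
from pathlib import Path

BLOCKING = "/dev/random"      # may block when the kernel's pool estimate runs low
NONBLOCKING = "/dev/urandom"  # the one the linked article says everything should use

def scan_random_users(proc_root="/proc"):
    """Return {pid: (comm, count)} for processes holding /dev/random open.
    Walks <proc_root>/<pid>/fd/* symlinks like lsof; urandom users are ignored."""
    found = {}
    for pid_dir in Path(proc_root).iterdir():
        if not pid_dir.name.isdigit():
            continue
        try:
            targets = [os.readlink(fd) for fd in (pid_dir / "fd").iterdir()]
        except (PermissionError, FileNotFoundError):
            continue  # another user's process, or it exited mid-scan
        count = sum(1 for t in targets if t == BLOCKING)
        if count:
            try:
                comm = (pid_dir / "comm").read_text().strip()
            except OSError:
                comm = "?"
            found[int(pid_dir.name)] = (comm, count)
    return found

def read_entropy_avail(proc_root="/proc"):
    """Kernel's current entropy pool estimate, in bits."""
    path = Path(proc_root) / "sys" / "kernel" / "random" / "entropy_avail"
    return int(path.read_text().strip())

def build_fake_proc(base=None):
    """Construct a tiny fake /proc tree of made-up processes for offline testing."""
    base = Path(base or tempfile.mkdtemp(prefix="fakeproc-"))
    layout = {  # pid: (comm, descriptor targets); constructed data, not a real host
        "101": ("app-a", [BLOCKING, "/dev/null"]),
        "202": ("app-b", [NONBLOCKING]),
        "303": ("app-c", [BLOCKING, BLOCKING]),
    }
    for pid, (comm, targets) in layout.items():
        (base / pid / "fd").mkdir(parents=True)
        (base / pid / "comm").write_text(comm + "\n")
        for n, target in enumerate(targets):
            os.symlink(target, base / pid / "fd" / str(n))
    sysdir = base / "sys" / "kernel" / "random"
    sysdir.mkdir(parents=True)
    (sysdir / "entropy_avail").write_text("3014\n")
    return str(base)
```

Run scan_random_users() against the real /proc as root to see every process; unprivileged it only sees your own. It reports descriptors open at scan time, so a program that opens /dev/random, reads once and closes again will not appear and needs strace or auditd to catch.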
Hi,
As a member of the BCS-OSSG committee I thought people here might be
interested in our free Open for Business Conference on Monday 5th September.
http://ossg.bcs.org/ofb2016/
This is the second time that we have run this event and builds on a very
successful event last year. Once again we have a fantastic speaker
line-up to provide many unique insights, including Mike Little,
co-founder of WordPress, and Maarten Ectors, Vice President IoT at
Canonical, with more to be confirmed.
The conference aims to explore key themes in open source software as
they relate to service providers and consumers across both the private
and public sectors.
The conference will once again run as part of the Wuthering Bytes
technology festival, which takes place over the course of 10 days and
features events covering a broad range of open hardware, software and
data topics.
For more information see the websites at http://ossg.bcs.org/ofb2016/ or
http://wutheringbytes.com/. Alternatively, feel free to contact me
directly by replying to this email.
Open for Business 2016 is sponsored by the BCS and Embecosm and is free
to attend.
Regards,
@ndy
--
andyjpb(a)ashurst.eu.org
http://www.ashurst.eu.org/
0290 DA75 E982 7D99 A51F E46A 387A 7695 7EBA 75FF
Hi,
By now all customers should have received notification of scheduled
maintenance that will be required due to a serious security flaw in
the hypervisor software that we use (Xen).
If you have not seen an email regarding this then please check your
spam folders etc.
The full details¹ are in the email you've already received and I'm
only sending this so as to have a public notification I can link to
when people raise support tickets to ask what is going on. :)
Anyway, the hosts have all been patched and the maintenance consists
of merely rebooting them to boot into the new hypervisor. This will
happen across three nights.
In previous non-SSD days this used to take around 30 minutes to shut
down all VPSes, reboot and boot them all again. These days I expect
it to be much shorter, maybe 5 minutes. So, you should see a clean
shut down followed by a boot a few minutes later.
It is important that you ensure that your VPS boots cleanly with all
services you expect running to be running. We offer free Nagios
monitoring which can be useful for assuring yourself that everything
you expect to be running really is running. Also if I see Nagios
looks more broken afterwards than it was to start with then I will
have a quick investigate. If interested in having that set up then
please contact support(a)bitfolk.com.
Cheers,
Andy
¹ Well, not any details about the bug itself. These are under
embargo until midday Tuesday 26 July.
--
http://bitfolk.com/ -- No-nonsense VPS hosting
_______________________________________________
announce mailing list
announce(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/announce
Hi,
For about the 5th time in the last 6 months, Spamhaus has listed the
IPv6 address of our support ticket mail host as a spam source.
I have checked every outbound port 25 connection from that host and
verified that the only thing it sends is replies to support tickets.
The previous times this happened I was able to de-list the host, but
this time:
https://www.spamhaus.org/query/ip/2600%253A3c03%253A%253A31%253A2000
just says "invalid input.", so I can't de-list it this time.
Last time this happened I attempted to contact Spamhaus both by
their web contact form and by twitter to ask for more info as to why
they keep listing this host. I have not received a response.
So, all I can conclude is that Spamhaus are wrong. Possibly someone
is automatically reporting ticket responses to them as spam. I can
only recommend not using their "zen" DNSBL for binary blocking
decisions.
If anyone has any contacts at Spamhaus that do actually respond then
I would appreciate you putting me in touch.
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
Hi,
I've been working on a really long-requested feature, which is to
allow an address book of multiple contact details:
https://tools.bitfolk.com/redmine/issues/22
I've now done most of the work on the part that lets you store and
manage contacts, but I both hate and am not very good at web work,
so I'm bound to have made some mistakes. Please could you have a
look at it and see if you can break it?
It's at:
https://testpanel.bitfolk.com/account/contacts/#toc-address-book
Log in with your usual credentials, and your multi-factor auth code
if enabled.
All it does right now is let you add and change contact records. It
won't actually make any of your alerts and bills etc go anywhere
different (changing the main contact will, though, as usual). That's
for later.
So, I'm interested to see if you can break it. If you can, an update
at the above redmine page would be appreciated (log in with your
usual BitFolk credentials). Or just mail me off-list if you don't
feel like logging in to redmine.
Complaints about how it *looks* will not be that useful, since I
already know I suck at HTML. If you do have suggestions about how to
improve the aesthetics they should come with example HTML/CSS that
implements your look. :)
After this is working how we want then I intend to disable all of
the roles except alerting, as each role will require a lot of work
elsewhere at BitFolk. I need to also push out some updated
monitoring so I will make it use the alerting role at the same time.
Next will most likely be adding back the billing role, as the main
driver for issue #22 in the first place was for people who want
their billing notifications to go to a different place. They've been
waiting 6 years…
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
Hi all,
I just thought I'd report that I recently did a successful
"do-release-upgrade -d" to upgrade my Ubuntu 14.04 VPS to 16.04. There
were a few snags but they were of my own making (e.g. a failed mysql
reconfigure due to me moving the data directory and apparmor
complaining).
Then tonight I decided to migrate from i386 to amd64 using this guide:
http://www.ewan.cc/?q=node/132
It worked fine.
The main reason for changing architecture was wanting to use repos
provided by powerdns and some other projects which only have 64 bit
packages.
Cheers,
Roger