Hi,
If you do not use BitFolk's Entropy service and have no interest in
doing so then this email will be of little interest to you and can be
safely ignored.
If you haven't heard about the Entropy service before, please see:
https://tools.bitfolk.com/wiki/Entropy
If you *do* use the Entropy service though, I'm interested to know
what software you have that actually uses /dev/random (and not
/dev/urandom).
Some background to this question:
To provide the Entropy service we use hardware entropy generators,
currently exclusively a pair of EntropyKeys manufactured by a UK
company called Simtec Electronics Ltd.
Despite the fact that these were extremely popular little devices
(compared to other fairly niche little gadgets), Simtec always had a
supply problem and then Simtec imploded as a company, so as far as I
know these are now impossible to obtain, the IP is lost forever etc.
Although I have one spare EntropyKey ready to put in service should
one of the two in service ever die (I've not experienced that yet),
that left me slightly worried as to what I'd do if I needed to get
more.
Then I saw the OneRNG kickstarter, and decided to pledge. So now I
have 5 of (the internal USB version of) these:
http://onerng.info/
I've not yet gone any further than verifying that they keep the
entropy pool full on the machine they're plugged into, but that's
good enough for now. Could be a decade before one of my existing
EntropyKeys dies.
I have since heard that this device proved far more popular than its
manufacturer expected (sense a theme?) and they're now extremely
difficult to get hold of because they need to get a new batch made
in China. I've had multiple people contacting me on the basis of a
tweet I did about getting these, asking me to sell them mine (which
I would, but they didn't want internal USB).
The point I'm trying to make here is that the world of hardware
random number generators is not one with reliable supply lines,
unless you want to spend a fortune on some black box.
So when I came across:
http://www.2uo.de/myths-about-urandom/
I was sad that the nerdery that is the Entropy service may be
misguided, but also happy with the possibility that I might never
have to source a hardware RNG again.
Let's just take the argument posited by the article, that all
(Linux) software should just learn to love /dev/urandom¹, as true.
If you don't agree with this claim, you are disagreeing with some
pretty big names in crypto. The Hacker News commentary on the
article may also prove of interest:
https://news.ycombinator.com/item?id=10149019
At the very least, I feel the Entropy article on the BitFolk Wiki
needs an update in light of this. To justify the service's
existence, if nothing else.
Going further, the question becomes, well, what software is there in
existence that forces use of /dev/random with no configuration that
would allow otherwise? Because even if we agree that all software
*should* be using urandom, if some popular software *refuses* to
without recompile, then we're still going to have to provide an
Entropy service, because doing so is easier than running
non-packaged software.
So Entropy service users, what have you got that uses /dev/random?
Cheers,
Andy
¹ A more correct summary of it is probably, "urandom is fine all the
time except for on initial boot when a small amount of entropy
from outside the CSPRNG is desirable."
On shutdown all fairly modern Linuxes save the current entropy
pool to the filesystem and load it up from there on boot, so it's
only essential on first boot.
--
http://bitfolk.com/ -- No-nonsense VPS hosting
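One way to answer the question above for your own VPS, as an added example that is not part of the original post: walk /proc/*/fd, resolve every descriptor and report which processes currently hold /dev/random (or /dev/urandom) open. The /proc layout and device paths are Linux facts; the rest is assumption-free, but note that a point-in-time snapshot misses programs that open the device only briefly (e.g. during key generation) and anything that uses the getrandom(2) syscall, which opens no device file at all.

```python
"""List processes that hold /dev/random (blocking) or /dev/urandom open.
Added example, not part of the BitFolk post: a point-in-time answer to
"what have you got that uses /dev/random?". Run as root to see every PID."""
import os
import sys

RNG_DEVICES = ("/dev/random", "/dev/urandom")

def iter_proc_fds(proc="/proc"):
    """Yield (pid, comm, link_target) for every descriptor readable under /proc."""
    for name in os.listdir(proc):
        if not name.isdigit():
            continue  # /proc also holds non-process entries such as 'sys'
        try:
            with open(f"{proc}/{name}/comm") as f:
                comm = f.read().strip()
            fd_dir = f"{proc}/{name}/fd"
            for fd in os.listdir(fd_dir):
                try:
                    yield int(name), comm, os.readlink(f"{fd_dir}/{fd}")
                except OSError:
                    pass  # descriptor closed between listdir() and readlink()
        except OSError:
            pass  # process exited, or it is not ours and we are not root

def rng_users(fd_targets):
    """Map each RNG device path to the sorted, de-duplicated (pid, comm) pairs
    holding it open. Pure function, so it can be tested without a live /proc."""
    users = {dev: set() for dev in RNG_DEVICES}
    for pid, comm, target in fd_targets:
        if target in users:
            users[target].add((pid, comm))
    return {dev: sorted(pids) for dev, pids in users.items()}

def main():
    report = rng_users(iter_proc_fds())
    for dev in RNG_DEVICES:
        print(f"{dev}: {len(report[dev])} process(es)")
        for pid, comm in report[dev]:
            print(f"  {pid:>7}  {comm}")
    # Exit non-zero when anything holds the blocking device, for use in scripts.
    return 1 if report["/dev/random"] else 0

if __name__ == "__main__":
    sys.exit(main())
```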
Hello,
What will become Debian stretch (9.x) is going to be frozen on
5 February:
https://wiki.debian.org/DebianStretch
and presumably released relatively soon after that, so we've added
stretch to our self-installer.
If you are keen on testing a new install of it you should now be
able to use that. Bear in mind it still is Debian "testing" though,
not a release yet, so there may be issues you will need to report to
Debian.
More info on the self-installer:
https://tools.bitfolk.com/wiki/Using_the_self-serve_net_installer
Cheers,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
_______________________________________________
announce mailing list
announce(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/announce
Hello,
In late 2015 / early 2016 when we started switching to all-SSD
storage, some customers expressed a wish for cheaper but less
performant archive storage.
This is now available for purchase in blocks of 50GiB at £0.40+VAT
per month, £1.10+VAT per quarter or £4.00+VAT per year. It's
therefore one tenth the price of regular SSD storage.
If you'd like to purchase some then please send an email to
support(a)bitfolk.com. At the moment we would need to move your VPS to
different servers to give you access to archive storage, but that
tends to only take a couple of minutes.
Here's some more information on this:
https://tools.bitfolk.com/wiki/Archive_storage
Cheers,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
Please consider the environment before reading this e-mail.
— John Levine
Hi,
I'd like to experiment with deduplicating backups. Here's some
previous experimentation I already did:
http://strugglers.net/~andy/blog/2017/01/10/xfs-reflinks-and-deduplication/
Given that what I am proposing to test involves using the 4.9.x
range of kernels, a git checkout of xfsprogs, and an experimental
mkfs.xfs option, it is clearly not without risk. And understandably
I suspect most people don't want to play with such risk when it's
their backups at stake. I've had ~100GiB of my own backups running
under this for a couple of weeks and I think it's been okay, but
still…
So to hopefully get things started I'm prepared to offer the first
2GiB of backups for free. And I'll offer a 25% discount on backup
space beyond that. And I'll sell it in 1GiB blocks, not 5GiB ones.
So that's £0.06/GiB/month, or £0.17/GiB/quarter, or £0.60/GiB/year.
If you are interested in giving it a go please drop an email to
support(a)bitfolk.com. As I say, it will be free for up to 2GiB. But
it might break horribly and have to be withdrawn at any time, so I
won't be at all surprised if you can't be bothered with that sort of
faff.
The boring old backup service still exists:
https://tools.bitfolk.com/wiki/Backups
Cheers,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
Hi,
From around 02:50 for about 1 hour there was an outage of the
authoritative DNS service on a.authns.bitfolk.co.uk. Those of you
making use of the service probably could not fail to notice as you
will have received PROBLEM and then RECOVERY alerts about it for
each domain.
This was simply due to me making a mistake in a firewall rule. :( It
was a bit more complicated than that as it didn't take effect until
hours after some other change I made and even while seeing the
alerts myself it took me some time to work out exactly what had
happened.
Auth. DNS service was still working on {b,c}.authns.bitfolk.com so
this shouldn't have had too bad an effect on actual service.
Somewhat ironically, this happened due to work I was doing to
isolate a.authns to make it safer to make changes! Once that is
completed it should be harder to break it in this fashion.
Apologies for the disruption,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
Hi Peeps!
I hope you're all having a good New Year.
Please find attached some details of some talks we're hosting at the BCS
near Covent Garden on Thursday.
I think these will be interesting and relevant to you guys; they're about
the Investigatory Powers Act and The Dark Web. It should be an excellent
evening.
Regards,
@ndy
--
andyjpb(a)ashurst.eu.org
http://www.ashurst.eu.org/
0x7EBA75FF
Hello,
According to:
https://twitter.com/0xDUDE/status/813865069218037760
someone is now wiping out the contents of open MongoDB servers and
demanding payment in Bitcoins to return the data.
A good reminder to properly secure things like MongoDB by only
letting them run on localhost, and/or firewalling them off.
Open MongoDB is one of the things we nag you about but don't go any
further than nagging.
Cheers,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
Hi,
As you may be aware there are a few things that we (or third party
services on our behalf) scan for on our own network. A
non-exhaustive list of these things is:
- Open SNMP servers
- Open DNS resolvers
- Open portmapper services
- Open MongoDB / Memcached / Elasticsearch / Redis
- Open Remote Desktop
- Open multicast DNS (Avahi)
- Open TFTP server
- SSLv3/Poodle vulnerable services
…and so on.
Where these can only negatively affect the operator of the service
(e.g. SSLv3/Poodle or an open MongoDB), we are content to just email
you forever.
However, many of these problems are worth scanning for because they
are easily and frequently used to attack other hosts. For example,
any "chatty" UDP protocol like portmapper or DNS can receive spoofed
requests which will amplify, making for a DDoS on a third party.
So, when we email customers about these it's because we need them
fixed.
Unfortunately some customers are either not receiving these emails
or are happy to ignore them, for months at a time, basically until
we open a support ticket with them and ask why they aren't dealing
with it. This is taking up too much human time.
"We did not receive the email" is now no longer a valid excuse
because there is provision in our web panel for an
emergency/alternate contact:
https://panel.bitfolk.com/account/contacts/#toc-address-book
If we've been emailing a customer for weeks about this then we will
have also sent a copy to the emergency/alternate contact at some
point.
So, I would like your opinions on how you think we should deal with
this. Two proposals I can think of are:
a) After at least 21 days of sending email alerts to the main
contact and the emergency contact and receiving no response, a
firewall rule will be added to block the problematic service and
an invoice will be raised for a managed firewall service, which
will be a monthly recurring charge. This will be quite expensive.
Or:
b) After at least 21 days of sending email alerts to the main
contact and the emergency contact and receiving no response, the
VPS's networking will be suspended. Networking will be re-enabled
when contact is re-established and a plan for securing the
problem service is agreed by both BitFolk and the customer.
I have already broached this question on IRC and basically no one
was in favour of (a) because they did not feel that surprise
invoices would go down well.
If you have other suggestions for how it should be handled I would
be happy to read and consider them. Ideas that involve either not
dealing with the problematic services or that aren't suitable for
automation are not likely to be acceptable though.
Cheers,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
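A self-check for the list above, and for the MongoDB reminder in the earlier message, as an added example that is not BitFolk's scanner: parse the output of `ss -tuln` and flag any of the named services bound to a wildcard or public address instead of localhost. The port numbers are the services' IANA defaults; the sample `ss` lines are constructed, not captured from a real host.

```python
"""Flag services from the scan list that listen on a non-loopback address,
given the output of `ss -tuln`. Added example, not BitFolk's scanner.
Usage: ss -tuln | python3 exposed_services.py   (no pipe: audits SAMPLE)"""
import ipaddress
import sys

# IANA default ports of the services named in the announcement.
WATCHED = {
    ("udp", 53): "DNS resolver", ("udp", 111): "portmapper", ("udp", 161): "SNMP",
    ("udp", 69): "TFTP", ("udp", 5353): "mDNS (Avahi)", ("udp", 11211): "Memcached",
    ("tcp", 27017): "MongoDB", ("tcp", 6379): "Redis", ("tcp", 9200): "Elasticsearch",
    ("tcp", 3389): "Remote Desktop",
}
# Constructed sample in `ss -tuln` layout, not captured from a real host.
SAMPLE = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0          127.0.0.1:53      0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:111     0.0.0.0:*
udp   UNCONN 0      0               [::]:5353       [::]:*
tcp   LISTEN 0      128          0.0.0.0:27017   0.0.0.0:*
tcp   LISTEN 0      128            [::1]:9200       [::]:*
"""

def is_loopback(host):
    """True only for 127.0.0.0/8 or ::1; '*', '0.0.0.0' and '::' mean every address."""
    try:
        return ipaddress.ip_address(host.split("%")[0]).is_loopback
    except ValueError:  # '*' or anything else ss prints that is not an IP literal
        return False

def exposed_services(ss_lines):
    """Return [(service, proto, host, port)] for watched listeners not on loopback."""
    hits = []
    for line in ss_lines:
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("udp", "tcp"):
            continue  # header line, or a socket family we do not audit
        host, _, port = fields[4].rpartition(":")  # rpartition copes with [::]:port
        host = host.strip("[]")
        service = WATCHED.get((fields[0], int(port)))
        if service and not is_loopback(host):
            hits.append((service, fields[0], host, int(port)))
    return hits

def main():
    hits = exposed_services(SAMPLE.splitlines() if sys.stdin.isatty() else sys.stdin)
    for service, proto, host, port in hits:  # UDP hits can amplify a spoofed DDoS
        print(f"{service:<15} {proto}/{port:<5} bound to {host}")
    return 1 if hits else 0

if __name__ == "__main__":
    sys.exit(main())
```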
Hi,
No doubt because of the surge in price of Bitcoin recently, I've had
a few queries about how to pay more than the value of an existing
outstanding invoice by Bitcoin.
With more usual payment methods like PayPal or bank transfers it is
simple to just send us an arbitrary amount of money. If you have
outstanding invoices then they get paid, and any left over goes to
account credit.
The same is not true of Bitcoins because at the moment we can't hold
account credit in Bitcoins. It would be technically possible of
course, but I do not want BitFolk to be an entity that holds funds
in Bitcoins, for a variety of security and regulatory reasons. That
means that we can only process Bitcoins by immediately turning them
into British Pounds (GBP).
Our Bitcoin payment system presents a payment request for the exact
Bitcoin equivalent that we're prepared to accept at that point in
time. We do not recommend manually editing the payment request in
order to pay more as the chance of a typo causing you to send it all
to the wrong address is high.
If you do want to pre-pay an amount in Bitcoins though, all is not
lost. Please contact support stating roughly how much you'd like to
pay. We'll create an invoice (in GBP) that roughly matches that
amount. When you pay it the GBP sum will go on your account as
credit.
This may be useful if you have some Bitcoins burning a hole in your
virtual wallet and want an easy way to cash out, since many virtual
currency marketplaces want lots of personal information about you,
and/or are risky.
This pre-payment issue was actually considered already and put in
the Bitcoin payments FAQ¹ almost 3 years ago, but I am not surprised
that it is not known about.
https://tools.bitfolk.com/wiki/Bitcoin#Can_I_preload_my_BitFolk_account_usi…
(or https://is.gd/7Z5JXv)
Please note that:
1) There is going to be a limit to the acceptable amount of such a
transaction, as our Bitcoin payment processor would still be left
holding that amount of Bitcoins and exposing themselves to risk.
A very large transaction would also bring Know Your Customer /
Anti-Money Laundering concerns. In the context of how much
BitFolk's services cost I wouldn't expect that to be an issue and
we will deal with it on a case by case basis.
2) These prepayments will not be refundable. We are not a virtual
currency exchange. You would be buying a voucher for use of
BitFolk's services. So no paying hundreds of GBP worth of Bitcoin
and then immediately asking for it back as GBP. :)
Cheers,
Andy
¹ https://tools.bitfolk.com/wiki/Bitcoin#Can_I_preload_my_BitFolk_account_usi…
or https://is.gd/7Z5JXv
--
https://bitfolk.com/ -- No-nonsense VPS hosting