Capsicum and bhyve

Ever wondered how to protect your host from malicious activity in VM guests? How to keep the parts of the hypervisor that run in userspace from becoming a way into the underlying host? One of the layers can be sandboxing the hypervisor itself!


Hi Fitbit, congrats on learning how to use CSRF tokens (almost)!

I got my first Fitbit tracker a couple of years ago and I’ve been a loyal Fitbit user since – I’m currently on my 3rd tracker and my family has them too. Very quickly I became interested in getting a bit more information out of my data, charting it across other health data I have available – so I went on to Fitbit’s website, as I was quite sure they must have an API, right? Yes, they do. And yes, I can use it for free. Because, as Fitbit says, “your data is yours”. Awesome.
And then it turned out it’s not as much “my data” as “my totals”. Fitbit’s public API could only give me aggregated data for each day, total number of steps each day, averages, etc. I wanted to get a count of my steps for each 5-minute period, the same as I can see on Fitbit’s dashboard when I log in. It turned out that was not possible, unless I had a commercial application, submitted a request to Fitbit, and they decided it was worth it. Boo. (Please refer to the bottom of this post for a note on the state of the API today.)


SELinux, confined users and Systemtap

While we’re waiting for CVE-2016-5195 to be patched, Red Hat released a workaround for the most common form of the exploit being run in the wild. It uses systemtap to block access to the mem_write function.

I wanted to apply it and started tests, only to find that stap returned EPERM while loading the module! As I’m running with SELinux enabled, I checked /var/log/audit/audit.log. Surprisingly, there were no AVC denials! Although most of the calls are audited, you can mark some to be silently dropped by audit. You can disable that filter using semanage dontaudit off. I ran stap again and… bingo!


Copying RDS snapshot to another region for cross-region recovery

For an updated, ready-to-use CloudFormation template of this code, see the newer post: Complete code: cross-region RDS recovery.

Amazon RDS is a great database-as-a-service, which takes care of almost all database-related maintenance tasks for you – everything from automated backups and patching to replication and failovers into other availability zones.

Unfortunately, all of this fails if the region where your RDS is hosted fails. Region-wide failures are very rare, but they do happen! RDS does not support cross-region replication at the moment, so you cannot simply create a replica of your database in another region (unless you host the database on an EC2 instance and set up the replication yourself). The second-best option, to make sure you can restore your service quickly in another region, is to always have a copy of your latest database backup in that region. In the case of RDS, that can mean copying automated snapshots. There is no option for AWS to do it automatically, but it can be easily scripted with AWS Lambda functions.


FreeBSD on Raspberry Pi 3!

On Friday, 14th October, Oleksandr Tymoshenko committed initial support for RPI3 into FreeBSD. The system is able to boot in multiuser mode with a single processor. SMP is being actively worked on. For now, only the on-board Ethernet chip is supported and we will need to wait a while for WiFi and Bluetooth support. The port is quite usable, and what’s more interesting – it’s fully 64-bit!
