Minikube + Cilium on Ubuntu 18.04

We're investigating Kubernetes network overlays at work and I am spinning up sample environments to try things out. One that stands out so far is Cilium due to the fine-grained access controls that can be enforced. They have instructions for how to deploy on Minikube, but it took some finangling for me to be successful with my deployment configuration (Ubuntu 18.04 Server running Minikube 'local' without vagrant).

To cut to the chase, skip to the end to see a deploy script that deploys everything in order.

How to Develop a Thunderbird 60 Add-On (2018)

I've had an idea kicking around in the back of my mind for the last few months to create a Thunderbird extension that will indicate if an email sender's domain was recently registered and alert me. With the poor state of Thunderbird add-on documentation it is a real struggle to get started with anything beyond the most basic 'hello-world' extension. This time I decided to double-down and fight my way through to develop a working (Alpha quality) plugin that accomplishes my design.

If you are thinking about developing an extension for Thunderbird 60 and would like some pointers, read on for my choppy journey through Thunderbird extension development. Hopefully one or more of the pointers will save you time

Private Docker Registry 'x509: certificate signed by unknown authority'

While setting up a new private docker image registry with certificates signed by an internal certificate authority this week we ran into an issue getting our docker nodes to communicate:

Error response from daemon: Get https://private.registry.tld/v2/: x509: certificate signed by unknown authority

Following the guidance on self-signed certificates from Docker did not directly address the issue.

Using NodeJS to Connect to Elasticsearch with a Private Certificate Authority

I was asked to help troubleshoot a NodeJS project recently where the team was encountering trouble connecting to an elasticsearch instance securely (via https/tls). They would get an error back about 'self signed certificate in certificate chain`. In examining further, we were able to come up with a client configuration for the elasticsearch library that addressed the issue.

Notes on Navigating an AWS s3 Glacier Restore

Yesterday marked a first for me: I had to restore a few objects from a large S3 bucket that was backed up to Glacier. Along the way I learned a few things:

  1. Objects sent to glacier permanently retain the GLACIER storage class
  2. If your S3 objects were replicated across an AWS Account boundary, you might not have 'full control' of your objects (but AWS will gladly let you pay them to store them)
  3. The AWS CLI is unhelpful when it comes to recursively copying objects that are restored from glacier

The objects can be restored and downloaded, it just takes some specific knowledge

Exploring the Qualys API with golang

This past week I've been getting to know the Qualys API by writing an integration with Go. Along the way I've found some quirks that are worth mentioning for anyone getting to know the Qualys platform at the API level.

To jump straight to the sample code repository, you can go to the qualys-api-samples repo on GitHub.

Get Started with SQLBoiler [SQLite]

Over the last year I've been learning the Go programming language and overall it's been a pretty positive experience- except when it comes to quickly and easily interfacing with databases. While Go does include a 'sql' package targeted at low level interaction with database backends, out of the box you are not provided with something higher level (think rails ActiveRecord). For higher level abstraction there are many community supported packages available, which makes it time consuming to try/test each one and see if it fits your needs. Today I'm writing about SQLBoiler, specifically about working with its SQLite integration.

Update (2018-10-25): Now includes instructions for building sqlboiler as well as sqlboiler-sqlite3 and ensuring both of them are in the same directory or system path before usage.

EC2 Metadata Extractor

While performing a security assessment this last week I found that the applications ran in a containerized environment on AWS EC2 instances. The EC2 meta-data service was available to be queried from within these application containers (not a best practice) and exposes a rich array of information for any would-be attackers who can gain a shell into the container or cause the application to perform SSRF against the local metadata service endpoint.

I wanted a quick way to query all of the meta data and user-data exposed by the EC2 meta-data service and created this metadata extractor script.

Get SmallWorld 2 running on Ubuntu 16.04

I'm a big fan of the Small World board game and was pleased to see they have a version available on Steam. Unfortunately it did not run correctly on my primary system (Ubuntu 16.04). In fact, it did not start at all. When I ran it at the CLI I found error messages that aided me in my quest to get the game running. Read on for the details.

DEF CON 26 Notes

This is my 6th DEF CON and I plan on coming back for more! There is a lot of life and energy at the con that I haven't been able to find at other conferences. A big appeal to me is that DEF CON itself is kind of a wrapper event where you find a number of mini-conferences (called Villages), so even if the main tracks don't interest you, odds are you'll find something at the 27-ish villages that run at the same time.