1_r/devopsish

How’s #PipeWire treating #Linux Desktop users these days? PipeWire 0.3.71 Released With Performance Improvements, Zero Latency JACK D-Bus Bridge
PipeWire 0.3.71 is out today as the newest update to this now widely-used open-source solution for managing Linux audio and video streams and serving as a viable replacement to the likes of PulseAudio and JACK for audio needs on the Linux desktop.
·phoronix.com·
‘FriendlyName’ Buffer Overflow Vulnerability in Wemo Smart Plug V2 | Sternum
Part of our work at Sternum includes constant security research of IoT vulnerabilities to better understand IoT security gaps, boost the security capabilities of our platform and help device manufacturers improve their security postures. In this post, we wanted to provide a behind-the-scenes look at our work and talk about our latest discovery—a buffer overflow […]
·sternumiot.com·
Addressing GitHub’s recent availability issues | The GitHub Blog
GitHub recently experienced several availability incidents, both long running and shorter duration. We have since mitigated these incidents and all systems are now operating normally. Read on for more details about what caused these incidents and what we’re doing to mitigate in the future.
·github.blog·
Saudi Arabia increases stake in Electronic Arts
Saudi Arabia's Public Investment Fund has …
·gamesindustry.biz·
Great code isn’t enough. Developers need to brag about it (Ep. 571)
Today’s guest is Dagna Bieda, a career coach who specializes in helping developers and engineers level up their careers. She shares why developers should promote the value of their contributions, how soft skills can make or break a coding career, and why a moment of burnout inspired her to start coaching.
·stackoverflow.blog·
The Kids Online Safety Act is Still A Huge Danger to Our Rights Online
Congress has resurrected the Kids Online Safety Act (KOSA), a bill that would increase surveillance and restrict access to information in the name of protecting children online. KOSA was introduced in 2022 but failed to gain traction, and today its authors, Sens. Richard Blumenthal (D-CT) and...
·eff.org·
GitOps to enhance cloud native security
This video provides an overview of how GitOps can help you enhance the security of your cloud native infrastructure and workloads. This video is based on the presentation I gave at ArgoCon: https://youtu.be/nGcvPAQdpVg
Demo repository on GitHub: https://github.com/Cloud-Native-Security/gitops-the-magickey
Additional resources:
- My weekly DevOps newsletter https://anaisurl.com/newsletter/
- My website https://anaisurl.com/
- Follow me on Twitter https://twitter.com/urlichsanais
- GitHub https://github.com/AnaisUrlichs
Ways to support my content work:
- Please subscribe to my YouTube channel to support my content and give this video a thumbs up if you enjoyed it.
- If you want to support me further https://www.buymeacoffee.com/urlichsanais
Also, do comment on any topics that you would like to see covered in future videos.
Timestamps:
00:00 - Intro
00:29 - Link to Recording
00:52 - GitOps best practices
01:38 - Software Supply Chain
03:28 - Demo Scanning ArgoCD Application Resources
11:28 - Outro
·youtube.com·
The complicated parts of leadership: Betting on people
In this series of short stories, I share tricky situations I’ve encountered while leading teams. These experiences have taught me invaluable leadership lessons and greatly influenced my manag…
·abdulapopoola.com·
Blog: Kubernetes 1.27: KMS V2 Moves to Beta
Authors: Anish Ramasekar, Mo Khan, and Rita Zhang (Microsoft)

With Kubernetes 1.27, we (SIG Auth) are moving the Key Management Service (KMS) v2 API to beta.

What is KMS?

One of the first things to consider when securing a Kubernetes cluster is encrypting etcd data at rest. KMS provides an interface for a provider to use a key stored in an external key service to perform this encryption. KMS v1 has been a feature of Kubernetes since version 1.10 and has been in beta since v1.12. KMS v2 was introduced as alpha in v1.25.

Note: The KMS v2 API and implementation changed in incompatible ways between the alpha release in v1.25 and the beta release in v1.27. The design described in the earlier KMS v2 blog post is not compatible with the design described here. Attempting to upgrade from old versions with the alpha feature enabled will result in data loss.

What's new in v2beta1?

The KMS encryption provider uses an envelope encryption scheme to encrypt data in etcd. The data is encrypted using a data encryption key (DEK). The DEKs are encrypted with a key encryption key (KEK) that is stored and managed in a remote KMS. With KMS v1, a new DEK is generated for each encryption. With KMS v2, a new DEK is generated only on server startup and when the KMS plugin informs the API server that a KEK rotation has occurred.

Caution: If you are running virtual machine (VM) based nodes that leverage a VM state store with this feature, you must not use KMS v2. With KMS v2, the API server uses AES-GCM with a 12-byte nonce (an 8-byte atomic counter and 4 bytes of random data) for encryption. The following issues could occur if the VM is saved and restored:

- The counter value may be lost or corrupted if the VM is saved in an inconsistent state or restored improperly. The same counter value can then be used twice, resulting in the same nonce being used for two different messages.
- If the VM is restored to a previous state, the counter value may be set back to its previous value, resulting in the same nonce being used again.

Although both cases are partially mitigated by the 4 random bytes of the nonce, they can compromise the security of the encryption: a nonce repeated under the same AES-GCM key leaks the XOR of the two plaintexts and lets an attacker forge ciphertexts.

Sequence diagrams

Encrypt request:
- kube_api_server: create/update a resource that is to be encrypted
- kube_api_server -> kube_api_server: encrypt the resource with the cached DEK
- kube_api_server -> etcd: store the encrypted object

Decrypt request:
- kube_api_server: get/list a resource that is encrypted
- kube_api_server -> etcd: get the encrypted resource
- etcd -> kube_api_server: encrypted resource
- If the encrypted DEK is not in the cache:
  - kube_api_server -> kms_plugin: decrypt request
  - kms_plugin -> external_kms: decrypt the DEK with the remote KEK
  - external_kms -> kms_plugin: decrypted DEK
  - kms_plugin -> kube_api_server: return the decrypted DEK
  - kube_api_server: cache the decrypted DEK
- kube_api_server: decrypt the resource with the DEK
- kube_api_server -> user: return the decrypted resource

Status request:
- kube_api_server -> kms_plugin: status request
- kms_plugin -> external_kms: validate the remote KEK
- external_kms -> kms_plugin: KEK status
- kms_plugin -> kube_api_server: status response {"healthz": "ok", "key_id": "", "version": "v2beta1"}
- If a KEK rotation is detected (key_id changed): rotate the DEK (see "Generate Data Encryption Key (DEK)" below)

Generate Data Encryption Key (DEK):
- kube_api_server: generate a DEK
- kube_api_server -> kms_plugin: encrypt request
- kms_plugin -> external_kms: encrypt the DEK with the remote KEK
- external_kms -> kms_plugin: encrypted DEK
- kms_plugin -> kube_api_server: encrypt response {"ciphertext": "", "key_id": "", "annotations": {}}

Performance improvements

With KMS v2, we have made significant improvements to the performance of the KMS encryption provider. With KMS v1, a new DEK is generated for every encryption. This means that for every write request, the API server makes a call to the KMS plugin to encrypt the DEK using the remote KEK. The API server also has to cache the DEKs to avoid making a call to the KMS plugin for every read request. When the API server restarts, it has to populate the cache by making a call to the KMS plugin for every DEK in the etcd store, up to the cache size. This is a significant overhead for the API server.

With KMS v2, the API server generates a DEK at startup and caches it. The API server also makes a call to the KMS plugin to encrypt the DEK using the remote KEK. This is a one-time call at startup and on KEK rotation. The API server then uses the cached DEK to encrypt the resources. This reduces the number of calls to the KMS plugin and improves the overall latency of API server requests.

We conducted a test that created 12k secrets and measured the time taken for the API server to encrypt the resources. The metric used was apiserver_storage_transformation_duration_seconds. For KMS v1, the test was run on a managed Kubernetes v1.25 cluster with 2 nodes. There was no additional load on the cluster during the test. For KMS v2, the test was run in the Kubernetes CI environment with the cluster configuration linked from the original post.

KMS provider   Time taken (95th percentile)
KMS v1         160 ms
KMS v2         80 μs

The results show that the KMS v2 encryption provider is three orders of magnitude (roughly 2000x) faster than the KMS v1 encryption provider.

What's next?

For Kubernetes v1.28, we expect the feature to stay in beta. In the coming releases we want to investigate:
- Cryptographic changes to remove the limitation on VM state store.
- Kubernetes REST API changes to enable a more robust story around key rotation.
- Handling undecryptable resources.

Refer to the KEP for details. You can learn more about KMS v2 by reading "Using a KMS provider for data encryption". You can also follow along on the KEP to track progress across the coming Kubernetes releases.

Call to action

In this blog post, we have covered the improvements made to the KMS encryption provider in Kubernetes v1.27. We have also discussed the new KMS v2 API and how it works. We would love to hear your feedback on this feature. In particular, we would like feedback from Kubernetes KMS plugin implementors as they go through the process of building their integrations with this new API. Please reach out to us on the #sig-auth-kms-dev channel on Kubernetes Slack.

How to get involved

If you are interested in getting involved in the development of this feature, sharing feedback, or participating in any other ongoing SIG Auth projects, please reach out on the #sig-auth channel on Kubernetes Slack. You are also welcome to join the bi-weekly SIG Auth meetings, held every other Wednesday.

Acknowledgements

This feature has been an effort driven by contributors from several different companies. We would like to extend a huge thank you to everyone that contributed their time and effort to help make this possible.
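The envelope scheme, the once-per-DEK plugin call, the counter-plus-random nonce and the status-driven DEK rotation described above are easier to reason about with the flows in code. The following Go program is an added example written for this page; it is not code from the Kubernetes project or from the post's authors, and it does not reproduce the kube-apiserver's on-disk format or the KMS v2 gRPC API. `fakeKMS` (with its `Rotate`, `Encrypt` and `Decrypt` methods and `keyID` field) is an invented in-process stand-in for the KMS plugin plus remote key service, `Envelope` is an assumed stand-in for what is stored in etcd, and `envelopeTransformer` is modelled on the encrypt, decrypt, status and generate-DEK sequences; all names and the wrapping format are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"sync/atomic"
)

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil { panic(err) }
	return b
}

// mustAEAD builds AES-256-GCM; every key in this example comes from randomBytes(32), so it cannot fail.
func mustAEAD(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil { panic(err) }
	aead, _ := cipher.NewGCM(block)
	return aead
}

// fakeKMS stands in for the KMS plugin plus the remote key service (assumption: a real plugin speaks the
// KMS v2 gRPC API; this stand-in only wraps and unwraps DEKs). Old KEKs are kept so that a DEK wrapped
// under a previous key_id still unwraps after rotation. keyID is what the status response reports.
type fakeKMS struct{ keyID string; keks map[string][]byte }

// Rotate installs a fresh KEK under a new key_id: what a KEK rotation in the remote KMS looks like.
func (k *fakeKMS) Rotate(keyID string) { k.keks[keyID] = randomBytes(32); k.keyID = keyID }

// Encrypt wraps a DEK under the active KEK (random nonce prepended) and reports the key_id used.
func (k *fakeKMS) Encrypt(dek []byte) (wrapped []byte, keyID string) {
	aead := mustAEAD(k.keks[k.keyID])
	nonce := randomBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, dek, nil), k.keyID
}

// Decrypt unwraps a DEK with the KEK named by keyID; unknown ids, truncated or tampered blobs fail.
func (k *fakeKMS) Decrypt(wrapped []byte, keyID string) ([]byte, error) {
	if kek, ok := k.keks[keyID]; ok && len(wrapped) >= 12 {
		return mustAEAD(kek).Open(nil, wrapped[:12], wrapped[12:], nil)
	}
	return nil, fmt.Errorf("cannot unwrap DEK under key_id %q", keyID)
}

// Envelope is what lands in etcd for one resource: the wrapped DEK and its key_id, plus nonce and ciphertext.
type Envelope struct{ KeyID string; WrappedDEK, Nonce, Ciphertext []byte }

// envelopeTransformer is the API-server side of KMS v2: one DEK generated at startup and replaced only when
// the plugin reports a new key_id. counter is the 8-byte atomic counter that starts every nonce; cache maps
// wrapped DEK -> plaintext DEK so reads skip the plugin. Assumption: a single goroutine drives it.
type envelopeTransformer struct {
	counter uint64
	kms     *fakeKMS
	aead    cipher.AEAD
	wrapped []byte
	keyID   string
	cache   map[string][]byte
}

// rotateDEK generates a DEK and makes the one plugin call KMS v2 needs per DEK (startup and KEK rotation).
func (t *envelopeTransformer) rotateDEK() {
	dek := randomBytes(32)
	t.wrapped, t.keyID = t.kms.Encrypt(dek)
	t.aead = mustAEAD(dek)
	t.cache[string(t.wrapped)] = dek
}

// TransformToStorage encrypts a resource with the cached DEK (no plugin call) under the 12-byte nonce the
// post describes: 8-byte counter || 4 random bytes. If the counter repeats (a VM restored from saved
// state), only those 4 random bytes stand between two writes and a nonce collision under the same DEK.
func (t *envelopeTransformer) TransformToStorage(plaintext []byte) Envelope {
	nonce := make([]byte, 12)
	binary.BigEndian.PutUint64(nonce[:8], atomic.AddUint64(&t.counter, 1))
	copy(nonce[8:], randomBytes(4))
	return Envelope{t.keyID, t.wrapped, nonce, t.aead.Seal(nil, nonce, plaintext, nil)}
}

// TransformFromStorage decrypts a resource, calling the plugin only when its wrapped DEK is not cached.
func (t *envelopeTransformer) TransformFromStorage(e Envelope) ([]byte, error) {
	dek, ok := t.cache[string(e.WrappedDEK)]
	if !ok {
		var err error
		if dek, err = t.kms.Decrypt(e.WrappedDEK, e.KeyID); err != nil { return nil, err }
		t.cache[string(e.WrappedDEK)] = dek
	}
	return mustAEAD(dek).Open(nil, e.Nonce, e.Ciphertext, nil)
}

// CheckStatus is the periodic status request: a changed key_id means the KEK rotated, so a new DEK is
// generated and wrapped; objects already in etcd keep their old wrapped DEK until they are rewritten.
func (t *envelopeTransformer) CheckStatus() (rotated bool) {
	if rotated = t.kms.keyID != t.keyID; rotated { t.rotateDEK() }
	return rotated
}

func main() {
	kms := &fakeKMS{keks: map[string][]byte{}}
	kms.Rotate("kek-1")
	tr := &envelopeTransformer{kms: kms, cache: map[string][]byte{}}
	tr.rotateDEK() // startup: generate and wrap the first DEK
	e := tr.TransformToStorage([]byte("db-password=hunter2"))
	kms.Rotate("kek-2") // KEK rotated in the remote KMS; the next status check rotates the DEK
	pt, err := tr.TransformFromStorage(e)
	fmt.Printf("stored under %s, KEK rotated=%v, decrypted=%q, err=%v\n", e.KeyID, tr.CheckStatus(), pt, err)
}
```

`main` walks through one write, a KEK rotation in the stand-in KMS and a read of the old object: the read still succeeds because the API server keeps the unwrapped DEK in its cache, and a restarted server with an empty cache would instead go back to the plugin with the envelope's key_id, which is why the KMS must keep retired KEK versions available for decryption. Two things the example deliberately leaves out: the real transformer is safe for concurrent use and bounds its cache, and the nonce counter here starts at zero on every process start, so the same DEK must never survive a restart (it does not, since startup generates a new one).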
·kubernetes.io·
Best practices to optimize your Amazon EC2 Spot Instances usage | Amazon Web Services
This blog post is written by Pranaya Anshu, EC2 PMM, and Sid Ambatipudi, EC2 Compute GTM Specialist. Amazon EC2 Spot Instances are a powerful tool that thousands of customers use to optimize their compute costs. The National Football League (NFL) is an example of a customer using Spot Instances, leveraging 4000 EC2 Spot Instances across more […]
·aws.amazon.com·
An Antidote to Microaggressions? Microvalidations.
People from marginalized groups often experience subtle negative actions called microaggressions that, in aggregate, can adversely affect both performance and well-being. Based on a wide body of research in positive psychology and management, the authors propose a counterstrategy: Microvalidations. These are equally subtle but powerful actions or language that demonstrate affirmation, encouragement, and belief in a person’s potential. They include: Acknowledging presence, validating identity, voicing your appreciation, holding people to high standards, and affirming leadership potential and status.
·hbr.org·
TSA tests facial recognition technology to boost airport security by further infringing on privacy rights
The agency tasked with securing America's airports is testing the use of facial recognition technology at a number of airports across the country. The Transportation Security Administration says the technology is an effort to more accurately identify the millions of passengers traveling through its airports every day and that passengers can opt out. The technology checks both that the person at the airport matches the ID presented and that the identification is in fact real. It is currently in use at 16 airports. Critics have raised concerns about bias in facial recognition technology and possible repercussions for passengers who want to opt out.
·apnews.com·
When to Choose Rust for Your Cloud Native App - Tim McNamara - #swisscnd 2022
Visit us at https://cloudnativeday.ch Abstract: Rust is fashionable, but is it right for your team? This talk explains the benefits of the Rust programming language and provides some rationale behind the hype. It'll then spend some time outlining decision criteria for adopting Rust and provide a plan for incremental adoption, if that's what your team decides to do. Bio: Tim is a software developer and data scientist from New Zealand who also has an academic background in the humanities. He is an expert in natural language processing and data engineering. He is the author of Rust in Action and makes use of the Rust programming language to build everything from data processing pipelines to generative art. Through his book and online video tutorials, Tim has helped tens of thousands of people learn to program with Rust.
·youtu.be·
Diving into a hidden macOS tool - networkQuality
Getting Started with networkQuality The networkQuality tool is a built-in tool released in macOS Monterey that can help diagnose network issues and measure network performance. In this post, we'll go over how to use the networkQuality tool and some of its key features. Running the Default Tests To access the
·cyberhost.uk·
Fedora Program Manager Laid Off As Part Of Red Hat Cuts
As part of the Red Hat layoffs announced in April, around a 4% reduction in headcount for the IBM-owned company, one of the surprising casualties of that round of cost-cutting is the Fedora Program Manager.
·phoronix.com·