Skip to content


Links for 2015-04-26

  • StackShare

    ‘Discover and discuss the best dev tools and cloud infrastructure services’ — fun!

    (tags: stackshare architecture stack ops software ranking open-source)

  • OWASP KeyBox

    a web-based SSH console that centrally manages administrative access to systems. Web-based administration is combined with management and distribution of user’s public SSH keys. Key management and administration is based on profiles assigned to defined users. Administrators can login using two-factor authentication with FreeOTP or Google Authenticator . From there they can create and manage public SSH keys or connect to their assigned systems through a web-shell. Commands can be shared across shells to make patching easier and eliminate redundant command execution.

    (tags: keybox owasp security ssh tls ssl ops)

  • 32-bit overflow in BitGo js code caused an accidental 85 BTC transaction fee

    Yes, this is a fucking 32-bit integer overflow. Whatever software was used, it calculated the sum of all inputs using 32-bit variables, which overflow at about 20 BTC if signed or 40 BTC if not. The fee was supposed to be 0xC350 = 50,000 satoshis, but it turned out to be 0x2,0000,C350 = 8,589,984,592 satoshis. Captains of the industry. If they were captains of any other industry, like say for example automotive, we’d have people dying in car crashes between two stationary vehicles.

    (tags: bitcoin fail bitgo javascript bugs 32-bit overflow btc)

  • Eight Docker Development Patterns

    good Docker tips

    (tags: tips docker ops deployment)

  • Google Online Security Blog: A Javascript-based DDoS Attack [the Greatfire DDoS] as seen by Safe Browsing

    We hope this report helps to round out the overall facts known about this attack. It also demonstrates that collectively there is a lot of visibility into what happens on the web. At the HTTP level seen by Safe Browsing, we cannot confidently attribute this attack to anyone. However, it makes it clear that hiding such attacks from detailed analysis after the fact is difficult. Had the entire web already moved to encrypted traffic via TLS, such an injection attack would not have been possible. This provides further motivation for transitioning the web to encrypted and integrity-protected communication. Unfortunately, defending against such an attack is not easy for website operators. In this case, the attack Javascript requests web resources sequentially and slowing down responses might have helped with reducing the overall attack traffic. Another hope is that the external visibility of this attack will serve as a deterrent in the future.
    Via Nelson.

    (tags: google security via:nelson ddos javascript tls ssl safe-browsing networking china greatfire)