Every Wednesday, Nick Chase and Eric Gregory from Mirantis go over the week’s cloud native and industry news.
This week, Nick was out so our producer, Nica, kindly filled in.
Eric and Nica discussed:
- Kubernetes 1.24 delayed to May 3rd
- 3 steps to prepare for Dockershim removal
- Talos Linux reaches 1.0
- ssh and sshd commands in the new OpenSSH 9
- Hardware-assisted security on the rise
- Spring4Shell exploited to launch Mirai botnet
- NFT slowdown
- The ongoing Musk and Twitter saga
You can watch the full replay here.
Kubernetes 1.24 delayed to May 3rd
After an update to Go was pushed back this week, the release of Kubernetes 1.24 has slipped as well. Originally scheduled for April 19th, 1.24 is now slated to drop on May 3rd.
We’ll be talking about the new release more in the coming weeks — it promises some notable new features like more granular monitoring and time zones for cron jobs, but the big story for 1.24 has long been the finalization of dockershim removal. This has been an object of anticipation for a lot of folks for some months now, but as Nick has noted in past episodes, this is more the sort of change you want to keep informed about rather than something to really angst over.
3 steps to prepare for Dockershim removal
Kubernetes was originally designed to use Docker as its container runtime. As the system developed, it shifted to use more generic tooling like the open source containerd, which is the technology underlying Docker. For those who depend specifically on Docker features, Mirantis can help you with that – contact us to talk about how you can avoid any speedbumps.
But many, many users don’t rely on Docker specific features, and for those folks, Container Journal published a nice piece on prepping for Dockershim’s removal.
- Check your clusters for Docker dependencies. In this step, you’re basically looking for any Docker-specific configurations wherever they might crop up: anything using Docker commands, and anything that might be plugged directly into Docker like a private registry.
- Move to another CRI. If you’re moving away from dockershim, you’ll need to choose another runtime. Many users will want to shift to the open source containerd or CRI-O. We also humbly suggest Mirantis Container Runtime, which is a good choice for enterprises since it can enforce FIPS-140-2 compliance and run natively on Windows.
- Tweak your Kubernetes infrastructure as needed. The article notes, “Keep an eye on elements like runtime resource limitations, logging configuration or tools that require direct access to Docker Engine. Double-check that any special hardware integrates correctly with your runtime and Kubernetes; finally, test any plugins that require docker CLI or the control socket and any node provisioning scripts that use Docker via their control socket.”
Of course, you can continue using Docker for workflows outside of the Kubernetes cluster, since most runtimes use Open Container Initiative standards. But now is a good time to evaluate for any Docker-specific approaches that might cause hiccups in the cluster in a couple weeks.
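The first step above, checking a cluster for Docker dependencies, can be scripted against the JSON that kubectl already emits. The following is an added example, not code from the Container Journal article or from Mirantis: it reads the shape of `kubectl get nodes -o json` and `kubectl get pods -A -o json` and flags nodes still reporting the dockershim runtime, pods that mount the Docker control socket, and containers whose command invokes the docker CLI. The node and pod documents below are constructed samples trimmed to the fields inspected.

```python
"""Scan kubectl JSON output for workloads that still depend on Docker.

Added example. Feed it the output of:
    kubectl get nodes -o json
    kubectl get pods -A -o json
The samples below are constructed and trimmed to the fields we read.
"""
import json

NODES_JSON = """
{"items": [
  {"metadata": {"name": "worker-1"},
   "status": {"nodeInfo": {"containerRuntimeVersion": "docker://20.10.12"}}},
  {"metadata": {"name": "worker-2"},
   "status": {"nodeInfo": {"containerRuntimeVersion": "containerd://1.5.11"}}}
]}
"""

PODS_JSON = """
{"items": [
  {"metadata": {"name": "ci-runner", "namespace": "build"},
   "spec": {"volumes": [{"name": "dsock",
                         "hostPath": {"path": "/var/run/docker.sock"}}],
            "containers": [{"name": "runner", "image": "ci/runner:1",
                            "command": ["docker", "build", "."]}]}},
  {"metadata": {"name": "web", "namespace": "default"},
   "spec": {"containers": [{"name": "web", "image": "nginx:1.21"}]}}
]}
"""

# Paths under which the Docker Engine control socket is normally exposed.
DOCKER_SOCKETS = ("/var/run/docker.sock", "/run/docker.sock")


def docker_nodes(nodes_json):
    """Names of nodes whose kubelet still reports the dockershim runtime."""
    nodes = json.loads(nodes_json)["items"]
    return [
        n["metadata"]["name"]
        for n in nodes
        if n["status"]["nodeInfo"]["containerRuntimeVersion"].startswith("docker://")
    ]


def docker_dependent_pods(pods_json):
    """(namespace/pod, reason) for pods that mount the Docker socket
    or run the docker CLI directly; both break once dockershim is gone."""
    findings = []
    for pod in json.loads(pods_json)["items"]:
        ref = f'{pod["metadata"]["namespace"]}/{pod["metadata"]["name"]}'
        spec = pod["spec"]
        for vol in spec.get("volumes", []):
            path = vol.get("hostPath", {}).get("path")
            if path in DOCKER_SOCKETS:
                findings.append((ref, f"mounts hostPath {path}"))
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            argv = c.get("command", []) + c.get("args", [])
            if any(a == "docker" or a.endswith("/docker") for a in argv):
                findings.append((ref, f'container {c["name"]} runs the docker CLI'))
    return findings


if __name__ == "__main__":
    print("dockershim nodes:", docker_nodes(NODES_JSON))
    for ref, why in docker_dependent_pods(PODS_JSON):
        print(f"{ref}: {why}")
```

Anything the scan reports is exactly what the article's third step asks you to retest: socket mounts and docker CLI calls need to move to the CRI-native equivalent (or to a runtime that still speaks the Docker API), and nodes listed by `docker_nodes` need their kubelet pointed at the new CRI socket before upgrading to 1.24.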
Talos Linux reaches 1.0
The forthcoming Kubernetes release isn’t the only thing going on in the world of cloud native. Last week saw an exciting 1.0 release for the Talos Linux project.
Talos describes itself as a “container-optimized Linux distro” tailored for distributed systems like Kubernetes. It’s designed for both immutability and efficiency, so with a footprint of just about 75 MB you get a Linux distribution that can host Kubernetes. Cutting the fat out of the OS also shrinks the attack surface. Notably, Talos is managed entirely through an API and forgoes even a shell or SSH.
Congrats to the Talos team on their milestone release. We’ll certainly be watching this one in the future.
Source: What’s New in Talos 1.0 | Talos
ssh and sshd commands in the new OpenSSH 9
Speaking of new releases and SSH, OpenSSH 9 is here, and the top-billed new feature gives us a nice segue into the security corner for this week.
With this release, the ssh and sshd commands will, “use the hybrid Streamlined NTRU Prime + x25519 key exchange method by default…The NTRU algorithm is believed to resist attacks enabled by future quantum computers and is paired with the X25519 ECDH key exchange (the previous default) as a backstop against any weaknesses in NTRU Prime that may be discovered in the future. The combination ensures that the hybrid exchange offers at least as good security as the status quo.”
Now, my science fiction brain can’t help but construe this as a defense against quantum hackers from the future, but the reality is a little more mundane. In past episodes, we’ve talked about “steal now and decrypt later” attacks whereby hackers nab data that they can’t actually decrypt in the moment, in anticipation of future advances in quantum computing making it possible at a later date. This move is designed to protect SSH session ciphertext against such attacks, drawing on the Nth degree truncated polynomial ring units (or NTRU) cryptosystem, a current leading candidate for protection against cryptographically relevant quantum computers—which remain, for the moment, hypothetical.
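Whether a given connection actually gets the post-quantum hybrid depends on negotiation: per RFC 4253 the client and server each send a preference list and the winner is the first method on the client's list that the server also supports, so a peer on an older OpenSSH, or a client config that pins `KexAlgorithms` to the old names, quietly falls back to plain X25519. The following is an added example that models that rule (it is not OpenSSH code). The server lists are constructed, the client list is the OpenSSH 9.0 default order abbreviated to the entries that matter, and `apply_kex_directive` mimics the `+`, `-` and `^` prefixes documented in ssh_config(5) using exact names only (real OpenSSH also accepts wildcard patterns).

```python
"""Model SSH key-exchange negotiation to see when the OpenSSH 9
hybrid post-quantum method is really used. Added example, not OpenSSH code."""

PQ_HYBRID = "sntrup761x25519-sha512@openssh.com"

# OpenSSH 9.0 client default preference order, abbreviated (see `ssh -Q kex`).
OPENSSH9_CLIENT_KEX = [
    PQ_HYBRID,
    "curve25519-sha256",
    "curve25519-sha256@libssh.org",
    "ecdh-sha2-nistp256",
    "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group14-sha256",
]

# Constructed server lists: one sshd that also runs OpenSSH 9, and one
# older sshd that predates the hybrid method.
NEW_SERVER_KEX = list(OPENSSH9_CLIENT_KEX)
OLD_SERVER_KEX = [
    "curve25519-sha256",
    "ecdh-sha2-nistp256",
    "diffie-hellman-group14-sha256",
]


def negotiate_kex(client_prefs, server_prefs):
    """RFC 4253 section 7.1: pick the first client method the server supports."""
    supported = set(server_prefs)
    for alg in client_prefs:
        if alg in supported:
            return alg
    raise ValueError("no common key exchange method")


def is_quantum_resistant(kex):
    """Only the hybrid carries the NTRU Prime component."""
    return kex == PQ_HYBRID


def apply_kex_directive(defaults, directive):
    """Mimic ssh_config KexAlgorithms editing of the default list:
    '+' appends, '-' removes, '^' moves to the front, otherwise the
    directive replaces the whole list. Exact names only (simplification)."""
    names = directive.lstrip("+-^").split(",")
    if directive.startswith("+"):
        return defaults + [a for a in names if a not in defaults]
    if directive.startswith("-"):
        return [a for a in defaults if a not in set(names)]
    if directive.startswith("^"):
        return names + [a for a in defaults if a not in names]
    return names


if __name__ == "__main__":
    for label, server in (("OpenSSH 9 server", NEW_SERVER_KEX),
                          ("older server", OLD_SERVER_KEX)):
        chosen = negotiate_kex(OPENSSH9_CLIENT_KEX, server)
        print(f"{label}: {chosen} (PQ: {is_quantum_resistant(chosen)})")
    # A legacy pin in ~/.ssh/config replaces the default list wholesale.
    pinned = apply_kex_directive(OPENSSH9_CLIENT_KEX, "curve25519-sha256,ecdh-sha2-nistp256")
    print("pinned client:", negotiate_kex(pinned, NEW_SERVER_KEX))
```

The practical check on a real host is `ssh -vv host 2>&1 | grep 'kex: algorithm'`, which prints the method that was actually negotiated; if it is not the hybrid, either the server is too old or a `KexAlgorithms` line somewhere replaced the default. Adding the hybrid with `KexAlgorithms ^sntrup761x25519-sha512@openssh.com` rather than rewriting the whole list keeps the classical backstop the release notes describe.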
Source: Release Notes | OpenSSH
Hardware-assisted security on the rise
A recent study from Intel finds that 47% of surveyed organizations plan to adopt hardware-assisted security solutions in the next year, up from the 36% who currently use them.
The basic concept of hardware-based security is, of course, in no way new…retro-computing fans and viewers of a certain age may think fondly of images like this…
Thanks to flickr user Francois Lopez for that image. The key locks of the 80s and 90s tended to block keyboard input, turn off hard drive access, or sometimes just lock the case. Modern hardware-assisted security solutions are a bit more sophisticated, often integrating security checks and visibility at the silicon level to detect Advanced Persistent Threat (or APT) attacks on device firmware.
Intel of course has a vested interest here, so you want to read their conclusions advisedly. But the study, conducted by the Ponemon Institute, casts a pretty wide net, surveying more than 1,400 professionals responsible for IT security decisions in organizations across the Americas, Europe, Africa, and the Middle East.
Some other notable findings from the study:
- The top areas of focus for security innovation within organizations today are security automation (41% of respondents), security at the silicon level (40% of respondents), cloud migration (40% of respondents), and education and training (38% of respondents).
- Of the 36% of organizations using hardware assisted security solutions, 32% of respondents have implemented a Zero Trust infrastructure strategy, and 75% of respondents expressed increased interest in Zero Trust models as the pandemic continues and the remote workforce grows.
- Some of the news is concerning! Only 48% of respondents say they have visibility into newly disclosed vulnerabilities and patches/updates, and 42% report that they primarily focus on security updates for the latest product generation, leaving legacy systems to languish.
Spring4Shell exploited to launch Mirai botnet
Last week we discussed the Spring4Shell vulnerability and noted that it probably wasn’t quite as catastrophic as Log4Shell, given its somewhat narrower conditions for exploitation. But according to a report from Trend Micro, the vulnerability is being exploited in the wild—in this case, to launch a Mirai botnet, which can then be used for phishing and DDoS attacks.
The exploit identified by Trend Micro seems to have occurred on servers in the Singapore region. With attackers making thousands and thousands of attempts to exploit Spring4Shell and focusing particularly on organizations in the software industry, it’s worth reviewing the conditions for vulnerability. If you’re using…
- Spring Framework versions before 5.2.20, 5.3.18, and Java Development Kit (JDK) version 9 or higher
- Apache Tomcat
- Spring-webmvc or spring-webflux dependency
- Spring parameter binding configured to use Plain Old Java Objects (POJOs) or other non-basic parameter types
- WAR file packaging
- Writable file systems
…then you want to prioritize mitigation. Spring released a fix on March 31st, and the Cybersecurity and Infrastructure Security Agency (CISA) is urging organizations to patch as soon as possible.
In the meantime, Trend Micro suggests a couple more mitigation measures to use until the patch is in place:
- Maintaining a disallow list or blocklist in the web application firewall to block strings that contain values such as “class.*”, “Class.*”, “*.class.*”, and “*.Class.*”
- Downgrading to a lower JDK version such as version 8 might help. However, it could impact application features and open doors to other attacks mitigated in higher versions of JDK.
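To turn the condition list and the WAF suggestion above into something you can run, here is an added example (my code, not Trend Micro's, Spring's or CISA's). `spring_version_vulnerable` encodes the fixed versions named above (5.2.20 and 5.3.18), `spring4shell_exposed` requires every listed condition to hold, and `blocked_params` applies the four blocklist globs to request parameter names after URL-decoding, which matters because a blocklist that matches raw bytes is trivially sidestepped by percent-encoding a character. The request strings in the test are constructed and contain no exploit payload.

```python
"""Spring4Shell triage helpers: version/exposure check and a WAF-style
parameter-name blocklist. Added example based on the conditions listed above."""
import re
from urllib.parse import parse_qsl

# First fixed release on each maintained branch (released March 31, 2022).
FIXED = {(5, 2): (5, 2, 20), (5, 3): (5, 3, 18)}


def parse_version(version):
    """'5.3.17' -> (5, 3, 17); qualifiers like .RELEASE are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version {version!r}")
    return tuple(int(x) for x in m.groups())


def spring_version_vulnerable(version):
    """True if the Spring Framework version predates the fix on its branch.
    Branches older than 5.2 received no fix and are treated as vulnerable."""
    ver = parse_version(version)
    fixed = FIXED.get(ver[:2])
    if fixed is None:
        return ver < (5, 2, 0)
    return ver < fixed


EXPOSURE_FLAGS = ("tomcat", "webmvc_or_webflux", "pojo_binding",
                  "war_packaging", "writable_fs")


def spring4shell_exposed(spring_version, jdk_major, **deploy):
    """All conditions from the list above must hold for the known exploit path.
    Keyword flags: tomcat, webmvc_or_webflux, pojo_binding, war_packaging, writable_fs."""
    return (spring_version_vulnerable(spring_version)
            and jdk_major >= 9
            and all(deploy.get(flag, False) for flag in EXPOSURE_FLAGS))


# Trend Micro's suggested blocklist strings, interpreted as shell-style globs
# over the parameter name (assumption: '*' matches any run of characters).
BLOCKLIST_GLOBS = ("class.*", "Class.*", "*.class.*", "*.Class.*")


def glob_to_regex(glob):
    return re.compile("^" + re.escape(glob).replace(r"\*", ".*") + "$")


BLOCKLIST = [glob_to_regex(g) for g in BLOCKLIST_GLOBS]


def blocked_params(query_or_body):
    """Parameter names (after URL-decoding) that match the blocklist.
    Decoding first is what stops '%63lass.' from slipping past 'class.*'."""
    names = [name for name, _ in parse_qsl(query_or_body, keep_blank_values=True)]
    return [n for n in names if any(rx.match(n) for rx in BLOCKLIST)]


if __name__ == "__main__":
    print("5.3.17 vulnerable:", spring_version_vulnerable("5.3.17"))
    print("exposed:", spring4shell_exposed(
        "5.3.17", 11, tomcat=True, webmvc_or_webflux=True, pojo_binding=True,
        war_packaging=True, writable_fs=True))
    print("blocked:", blocked_params("name=alice&class.module.foo=bar"))
```

Two caveats the lists above imply but do not spell out: the blocklist is case-sensitive by design (both `class` and `Class` are listed, so match both), and it is a stopgap that only narrows the request shape seen so far; the version check is the control that actually closes the hole.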
NFT slowdown
Over in the world of crypto, NFT data aggregator CryptoSlam reported that the global volume of NFT sales was down by 50% since January, declining from $4.6 billion to $2.4 billion.
In a TechCrunch story, the founder of the Burnt Finance auction platform, who goes by “Burnt Banksy” because of course they do, blames the slump on “weak projects with loosely tied communities,” which is adorable.
TechCrunch notes that when you look at the sales volume numbers more closely, you see that there is a sort of bifurcation in the market. “Blue chip” NFTs—the big names, at least in the niche—are growing at rates of around 150 to 200%, while sales across the wider marketplace are broadly and dramatically down, which has prompted the owners of those blue-chip NFTs to focus on lending and perhaps in turn acquire more assets. You could say we’re seeing a sort of centralization of the marketplace. We’ll just have to see whether that continues.
The ongoing Musk and Twitter saga
And speaking of uncertainty, last episode we talked about Elon Musk cramming a whole season of prestige TV boardroom drama into seven days by buying 9% of Twitter shares, being invited to join the board, and polling Twitter users on an edit feature.
The saga continued this week with a dramatic reversal–the company announced that Musk will not, in fact, join the board of directors. While the exact circumstances of the reversal are murky, they arguably leave Musk in a more powerful position by not formalizing his role. As a board member, he would be subject to fiduciary responsibility rules and a 14.9% limitation on stock ownership. As a private shareholder, he faces no such constraints. And evidently he would like everyone to know he faces no such constraints, since Monday he filed a peculiar brief with the US Securities and Exchange Commission asserting that he is free to buy as much of Twitter as he would like. He added, “Now I am more powerful than you can possibly imagine.”
…okay, that last bit isn’t true, but it does feel like the sort of thing he might say to the SEC, with whom he enjoys an…adversarial relationship. Musk is currently under investigation by the agency on a variety of fronts, including for various tweets about Tesla, and for his recent Twitter purchase, on which he failed to immediately file notice that he was surpassing a 5% stake in the company and thereby bought the additional 4% at a rate lower than that theoretically dictated by SEC rules.
So where do things go now? Reporting from the New York Times and Bloomberg suggests that many Twitter employees are relieved to not have Musk sitting on the board, especially after he spent his weekend trolling the company with tweets like, ‘Is Twitter dying?’ and ‘Twitter should change its name to Titter.’ Meanwhile, speculation abounds as to whether Musk might try to buy more of the company, or even a controlling stake. Twitter’s board of directors has “poison pill” measures in place to defend against a buy-out, but it’s not obvious that Musk is actually interested. At The Verge, Casey Newton suggests that the Tesla CEO’s actions here are all about having very expensive fun being a troll, and the trolling sweet spot might be exactly where Musk stands now–owning the largest share of the company, and able to threaten more.
But we’ll just have to wait and see where this saga takes us. Maybe quantum hackers from the future steal all of his money. Who’s to say! In the meantime, we’re signing off. I’ll leave you with a quick recommendation–if you’re interested in learning more about retro PC keylocks, check out this YouTube video from LGR. It gives a great six-minute history of the feature, including some fascinating primary sources from the 80s.
That’s it for today. Nick will be back with us next week. For now, thanks to Nica for her production wizardry, and thanks to you for watching or listening. Until next time, take care!