S2E12: "Virtual Insanity"

Posted 2017-07-31 03:59
Modified 2017-10-23 02:27
Comments 0

NOTE: Jthan was out sick for this episode so we brought back Forge instead. You may remember him from S1E11, S1E22

In this episode we talk about different virtualization platforms and weigh their pros/cons (along with why and when you SHOULD virtualize).

• News
• Notes
• Sysbadministration Award
• Errata
• Music

News

• r00t^2 will be giving both a talk (on podcasting) and a workshop (on BDisk which I talked about in S2E5) at FOSSCON 2017 – make sure you register (it’s free as in beer!). Augst 26th.
  • paden will be doing an installfest and keysigning there as well
• Ashley Madison is to payout as the result of a lawsuit
• Google 2FA is replacing their SMS codes
• The standard keyboard on the HTC 10 has begun showing advertisements
• Verizon has a database leak (what, you mean again?)
• IOT devices have vulnerabilities that allow remote execution
• Blackhats have infiltrated credit card information from Trump Hotels
• Trump Administration limits use of Kaspersky software
  • We should probably do an episode topic on this at some point…
  • This is the article I was originally referring to. This might also be interesting.
  • The baddie for the DNC leak can be found at S1E19.
• The key to Petya (2016) malware has been released by the author
• Lets Encrypt to offer wildcard certs in 2018.

Notes

Starts at 24m13s.

I was drinking Bulleit 10-year bourbon again. Paden was drinking Miller Light. Forge was drinking Mountain Dew.

• Virtualization platforms
  • Xen – Was a favourite of VPS providers for quite some time
    • Pros: Full virtualization of multi-platform guest operating systems
    • Cons: All but dead at this point, requires non-standard kernel, not being offered at many hosting providers anymore
  • KVM / QEMU – (KVM is optimization kernel module to QEMU) In-kernel, “official”/“standard” GNU/Linux full virtualization platform
    • Pros: Very wide number of guest platform architectures supported, very easy to use and flexible with libvirt/virt-manager/virsh
    • Cons: Complex without libvirt use, takes some knowledge to construct specific hardware profiles if not doing standard x86.
  • bhyve – BSD’s answer to KVM/QEMU, very similar to it.
    • Pros: Allows robust virtualization
    • Cons: No real benefits over KVM/QEMU except BSD usage
  • VirtualBox
    • Pros: Cross-platform hosts supported, great for deploying for developers
    • Cons: Bloated, limited virtual hardware support, Oracle (‘nuff said.)
  • OpenVZ / Virtuozzo, Parallels
    • Pros: Guests run lean
    • Cons: No full virtualization – they’re basically “glorified chroots”, require more hands-on administration
  • Hyper-V
    • Pros: Included in all Windows Servers, fairly robust
    • Cons: Not ideal for mixed or purely *Nix environments
  • VMWare – The “industry standard” for large corporate environments
    • Pros: Most robust support behind it for large corporate environments, browser GUI, vMotion lets you balance hosts
    • Cons: Pain to set up/use, fat client has been deprecated
  • AIX LPARs -
    • Pros: ??? Highly environment-specific
    • Cons: It seems to be unrecommended (IBM seems to be preferring PowerKVM these days)
  • Virtualizing saves time, money (both power and hardware costs), and convenience (turndown/turnup), and lets you turn up new servers almost immediately.
    • But some platforms do require some tech buy-in, and you are down to a single point-of-failure (but on the plus side, it gives you a single point to strengthen stability for).

Sysbadministration Award

In this segment, we highlight system administration mistakes. Think of them as the IT equivalent of the Darwin Awards. (1h00m40s)

B2B USA Businesses has had a leak of 105 million contacts (alerted via haveibeenpwnd.com). For perspective, that’s roughly one third of the US population.

Errata

• Here is some statistics that should help Forge’s claim out re: drinking statistics…
  • And I was off on my statistic re: millenials and wine; it’s actually closer to half (which IS disproportionate!).
• It turns out we didn’t seem to actually talk about the Ashley Madison breach (it would have happened around the middle of season 0)! Oops. I think we avoided talking about it because EVERYONE else was.
• If you don’t know why Paden and Forge laughed at “Command and Conquer IPs”, it’s a pun of Command and Control, referring to the servers that control botnets, etc.
• Diebold machines were actually a big part of a DEF CON workshop!
• Paden never linked me the cert testing site he was talking about, but certbot is what Forge linked me to. It’s the tool used to automate certificate negotiation for Let’s Encrypt.
• If you want to help me test AIF-NG, you can find more info about it in S2E7
• Oops! We didn’t actually DO an episode on production/development environment matching (yet)! It’s on the list of future topics.

Music

Author r00t^2
Categories Season Two