Kyle Kelley

Break things and enjoy life!

Read this first

No NoSQL

Can we stop saying NoSQL? I’m really tired of describing things by what they’re not.

I’d much rather describe them by what they are.

  • “This is a JSON document store”
  • “This is an object store”
  • “This is a key-value store”
  • “This is a graph database”
  • “This is a distributed table”
  • “This is a thinly veiled attempt at doing something that could have been implemented with Postgres”
  • “This is me not caring about ACID guarantees and calling it statistical sampling”
  • “My filesystem is a key-value store, get off my back”
</rant> 

In reality, I have little experience with most of the systems indirectly mentioned here. I’d like to find the right tool(s) for the job to make development easier, operations less painful, and user experience awesome. Is that so much to ask?


For...



One Weird Kernel Trick

Hijacking the IPython Notebook’s WebSockets

TL;DR: In IPython 1.1, the Notebook server did not verify the origin of WebSocket requests. If a user visited a crafted malicious page, an attacker who knew the ID of an active IPython kernel could run arbitrary code on that user’s machine with the privileges of the user running the IPython kernel. This was corrected upstream in the 1.2.0 and 2.0.0 releases.

The IPython Notebook

For those who don’t know, the IPython Notebook is an in-browser application for interactive computing where you can combine code, prose, mathematics, plots, and other rich media into a single document, as well as share it with peers.

The overall setup makes interactively working with code and data a breeze. Behind the scenes, the browser communicates with IPython kernels (execution environments) over WebSockets.

[Figure: kernel_diagram.png]

...



rm -rf remains

Just for fun, I decided to launch a new Linux server and run rm -rf / as root to see what remains. As I found out, rm lives in the future with idiots like me, so you have to specify --no-preserve-root to kick this exercise off.

# rm -rf --no-preserve-root / 

After committing this act of tomfoolery, great utilities like

  • /bin/ls
  • /bin/cat
  • /bin/chmod
  • /usr/bin/file

will all be gone! You should still have your connection over SSH as well as your existing bash session. This means you have all the bash builtins, like echo.

Becoming Bash MacGyver

root@rmrf:/# ls
-bash: /bin/ls: No such file or directory

There is no ls, but echo and fileglobs are still around. What can we do with those?

root@rmrf:/# echo *
dev proc run sys
# echo /dev/pts/*
/dev/pts/0 /dev/pts/3 /dev/pts/ptmx

Hey, we got to keep /dev, /proc, /run, and /sys. Now that we have ls, we might as well make it a little easier to...



Bootstrapping a Rackspace Windows Box

There are several projects I want to help with Windows build automation on cloud servers (at least until Travis CI supports Windows builds).

Since I’m not familiar at all with managing a Windows Server, let alone Windows security, there are several things I’d like to do:

  1. Stop using Windows and go back to Linux
  2. Launch a fresh server only when we need it
  3. Cordon off the server to a private network

Since 1 isn’t really an option, we’ll just have to lock things down to the best of our ability and figure out how to manage a Windows Server remotely without having to resort to using Remote Desktop. It turns out the de facto way to do this is to use WinRM (Windows Remote Management).

The Windows Rackspace images (at the time of this writing) don’t have the firewall open for WinRM, so you’ll need to do that yourself. For even further sanity, we can put this...



The Encrypted Message Service I’m Not Building

Every time I need to share a credential (password, API Key, etc.) for a shared account I’m faced with a dilemma. How do I pass someone a secret, encrypted just for them? Public keys are an obvious choice. What if they’re not using GPG though? What else does a typical developer have? SSH Keys.

Armed with the knowledge that

  • Just about everyone has SSH keys
  • GitHub provides public SSH keys at https://github.com/{user}.keys
  • ssh-keygen and openssl are typically available to handle crypto

It’s pretty simple to do this.

# Get the user's keys, use the last key
wget "https://github.com/$user.keys" --quiet -qO- | tail -n 1 > "$pubkey"
# Convert to a pem file
ssh-keygen -f "$pubkey" -e -m PKCS8 > "$pubkey.pem"
# Encrypt some message
openssl rsautl -encrypt -pubin -inkey "$pubkey.pem" -ssl -in "$infile" -out "$outfile"

This relies on the fact that you can encrypt something small using...
