I was particularly curious what the bpfdoor surface area looked like, and if it was easy it was to detect using existing open-source tools and common Linux command-line utilities.
To experiment, I used my favorite VM manager on macOS or Linux for this analysis: Lima, with the default Ubuntu 22.10 image.
In the 1930s, Vinzenz Grünvogel designed the Wehrmacht-Einheitskanister: an ingenious container that was stackable, carried liquid without spilling and was easy to carry. The design was so popular that nations around the world copied it, and in the United States, it became known as a “Jerry Can” (Jerry being slang for “German”).
A few Saturdays ago, I ventured to central North Carolina to join the local ADVrider crew for lunch as part of the confusingly named “Eastern Nc Advrider Dinner” thread. I took my trusty BMW CE-04 along – a quirky urban electric scooter (and the most fun I’ve had on two wheels).
While the trip was only 138 miles of backroads (an absurd amount for any GS owner), that's a fair journey on a scoot that only averages 62 miles of range in this environment. This trip includes:
Today I will teach you how to roll your own detection of a classic Linux kernel rootkit using shell scripting (for explanation) and osquery (for production).
Your chance of encountering a Linux kernel rootkit in the wild is slim due to compatibility and distribution challenges, so this explanation is geared toward the most paranoid folks in the audience. For this demonstration, we'll use reveng_rtkit – one of the more modern examples of a Linux rootkit.
As of February 2023, this reveng_rtkit runs well on Debian, so I used lima with limactl start template://debian to create my test environment.
A couple of weeks ago, I had the misfortune of breaking the indicator light off my BMW CE 04 scooter. It was through no fault of its own, I just underestimated the amount of suspension travel when mounting a bicycle on the back of it using the 2x2Cycles Moto Bicycle Carrier.
Give yourself 3-4 hours to perform these steps as it can require the removal and reinstallation of up to 25 bolts. Even if you are generally bad at mechanical things, this is an entirely doable procedure with the correct tools.
As part of my duties at Chainguard, I maintain an osquery based detection pipeline. As an open-source first company, we naturally open-sourced our production queries as part of the osquery-defense-kit. When new Malware reports are released, I'll typically consume them to gather ideas for improving the effectiveness of our queries.
With the new year upon us, Objective See recently published a retrospective report on the most interesting Mac Malware of 2022. This was an excellent opportunity to review the evidence to see which queries are the most effective. I am additionally thankful that Objective See publishes Malware binaries for additional review, as some of the evidence this report relies on had to be extracted from the original binaries.
For years I’ve had New Year’s resolutions to commit to blogging. This year isn’t any different!
So, what is different? For one, I feel I have more to share with the world now. I recently moved back to North Carolina, took up motorcycling again, and have professionally refocused on computer security.
In a surprising turn of events, Twitter recently torched its community goodwill and has suffered a massive brain drain. While this has been felt most acutely in the computer security industry, other groups, such as journalists, have also moved to Mastodon. I’ve tried my hand at Mastodon too, and while it’s been a good way to connect with more local personalities, it still feels a bit empty and hollow.
The post-Twitter shift has made room for a nascent renaissance in distributed social media and even blogging. There's been a clamor for folks to Start a Fucking Blog. Feeds are back en vogue, even if they have taken on a new flavor: ActivityPub.
Now blogs such as this one have ActivityPub feeds, which means they can be followed on Mastodon (this one is @thomrstrom@unfinished.bike). Even a decade after it was declared dead, RSS is still around and Feedly is as good as ever.
It remains to be seen what will be done with this next-to-new-found-land.
While preparing for my first week at Chainguard, the CEO mentioned that I should order my own laptop. As a ~15 person startup, there isn't an IT department to handle these sorts of things.
In 2022, the default laptop of choice for a software engineer working on cloud infrastructure is the Apple M1 Powerbook. They hit nearly all the checkboxes: a great screen, powerful CPUs, and battery life that is the envy of any laptop in their class. The arm64 based Macs are fantastic: in fact, I'm typing this from my personal M1 MacBook Air. Ever the contrarian, I however felt that:
What if you could easily reduce the length of outages by 3X?
According to the SRE book, “recording the best practices ahead of time in a playbook produces roughly a 3x improvement in MTTR”. This improvement mirrors my experience with well-written playbooks.
In my experience as a software engineer and a software engineering manager, I’ve found that the best way to motivate software engineers is with empathy, purpose, and a sense of craftsmanship. Conversely, the most effective way to demotivate a software engineering team over the long term is with excessive process and deadlines.
Let’s dive a little bit deeper into the levers I’ve found that work in motivating software engineers into doing their best work:
