Seven Years

9 Comments and 34 Shares
[hair in face] "SEVVVENNN YEEEARRRSSS"
spongbeaux
35 days ago
popular
38 days ago
8 public comments
chrisrosa
38 days ago
😢
San Francisco, CA
rjstegbauer
39 days ago
Touching and beautiful! One of your best.
alt_text_bot
39 days ago
[hair in face] "SEVVVENNN YEEEARRRSSS"
ameel
40 days ago
<3
Melbourne, Australia
MaryEllenCG
40 days ago
::sniffle::
Greater Bostonia
kyleniemeyer
40 days ago
😭
Corvallis, OR
marcrichter
40 days ago
Awesome. I'm speechless.
tbd
deezil
40 days ago
OKAY I'M CRYING AT MY DESK NOW.
Louisville, Kentucky
sfrazer
40 days ago
God damnit, Randal.
deezil
40 days ago
For those that don't know the whole story: Approximately 7 years ago (imagine that) Randall posted this on the blog https://blog.xkcd.com/2010/11/05/submarines/ and made some vague references to tough times in the comics. On into 2011, he posted this on the blog, and things seemed to be scary but hopeful. https://blog.xkcd.com/2011/06/30/family-illness/ . He's made mention several times about it over the years inside the comics, and I really believe that "Time" was made for some express purpose as to get his emotions out. But this update seriously is making a grown 32 year old man weep openly at his desk (thankfully I have a door that closes), as I always wondered how things were. Things look good, and this makes my heart happy.

Delivering Safer Apps with Windows Server 2016 and Docker Enterprise Edition

Windows Server 2016 and Docker Enterprise Edition are revolutionizing the way Windows developers can create, deploy, and manage their applications on-premises and in the cloud. Microsoft and Docker are committed to providing secure containerization technologies and enabling developers to implement security best practices in their applications. This blog post highlights some of the security features in Docker Enterprise Edition and Windows Server 2016 designed to help you deliver safer applications.

For more information on Docker and Windows Server 2016 Container security, check out the full whitepaper on Docker’s site.

Introduction

Today, many organizations are turning to Docker Enterprise Edition (EE) and Windows Server 2016 to deploy IT applications consistently and efficiently using containers. Container technologies can play a pivotal role in ensuring the applications being deployed in your enterprise are safe — free of malware, up-to-date with security patches, and known to come from a trustworthy source. Docker EE and Windows each play a hand in helping you develop and deploy safer applications according to the following three characteristics:

  1. Usable Security: Secure defaults with tooling that is native to both developers and operators.
  2. Trusted Delivery: Everything needed to run an application is delivered safely and guaranteed not to be tampered with.
  3. Infrastructure Independent: Application and security configurations are portable and can move between developer workstations, testing environments, and production deployments regardless of whether those environments are running in Azure or your own datacenter.

Usable Security

Resource Isolation

Windows Server 2016 ships with support for Windows Server Containers, which are powered by Docker Enterprise Edition. Docker EE for Windows Server is the result of a joint engineering effort between Microsoft and Docker. When you run a Windows Server Container, key system resources are sandboxed for each container and isolated from the host operating system. This means the container does not see the resources available on the host machine, and any changes made within the container will not affect the host or other containers. Some of the resources that are isolated include:

  • File system
  • Registry
  • Certificate stores
  • Namespace (privileged API access, system services, task scheduler, etc.)
  • Local users and groups

Additionally, you can limit a Windows Server Container’s use of the CPU, memory, disk usage, and disk throughput to protect the performance of other applications and containers running on the same host.

Hyper-V Isolation

For even greater isolation, Windows Server Containers can be deployed using Hyper-V isolation. In this configuration, the container runs inside a specially optimized Hyper-V virtual machine with a completely isolated Windows kernel instance. Docker EE handles creating, managing, and deleting the VM for you. Better yet, the same Docker container images can be used for both process isolated and Hyper-V isolated containers, and both types of containers can run side by side on the same host.

Application Secrets

Starting with Docker EE 17.06, support for delivering secrets to Windows Server Containers at runtime is now available. Secrets are simply blobs of data that may contain sensitive information best left out of a container image. Common examples of secrets are SSL/TLS certificates, connection strings, and passwords.

Developers and security operators use and manage secrets in the exact same way — by registering them on manager nodes (in an encrypted store), granting applicable services access to obtain the secrets, and instructing Docker to provide the secret to the container at deployment time. Each environment can use unique secrets without having to change the container image. The container can just read the secrets at runtime from the file system and use them for their intended purposes.
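The register, grant and read-at-runtime steps just described, as an added PowerShell example that is not from the original post, from Docker or from Microsoft. It assumes a Docker EE 17.06 or later swarm whose worker nodes run Windows Server 2016, a hypothetical image named myorg/webapp, and the C:\ProgramData\Docker\secrets directory under which Docker surfaces secrets to Windows containers; the connection strings are constructed placeholders.

```powershell
# Added example; not code from the original post. Assumes a Docker EE 17.06+ swarm
# with Windows Server 2016 workers and a hypothetical image "myorg/webapp".

# --- On a manager node: register the secret. Docker keeps it in its encrypted store. ---
# Constructed placeholder value; supply the real connection string in practice.
'Server=sql01;Database=app;User Id=app;Password=<placeholder>' |
    Set-Content -Path .\db_conn.txt -NoNewline
docker secret create db_conn .\db_conn.txt
Remove-Item -Path .\db_conn.txt          # the plaintext copy is no longer needed

# --- Grant access: only nodes running a task of this service ever receive the secret. ---
docker service create --name webapp --secret db_conn myorg/webapp

# --- Inside the container (part of the application's own start-up logic): read the
#     secret from the file system at runtime. Nothing sensitive is baked into the image. ---
function Get-DockerSecret {
    param([Parameter(Mandatory)][string]$Name)
    # Assumption: Docker mounts secrets for Windows containers under this directory.
    $path = Join-Path -Path 'C:\ProgramData\Docker\secrets' -ChildPath $Name
    if (-not (Test-Path -Path $path)) {
        throw "Secret '$Name' was not granted to this service"
    }
    (Get-Content -Raw -Path $path).TrimEnd("`r", "`n")
}
# $connectionString = Get-DockerSecret -Name 'db_conn'   # what the app calls at start-up

# --- Rotation, again on a manager: secrets are immutable, so register a new one and swap
#     it in under the same target file name. The image is untouched; only the service
#     definition changes, which is how each environment can carry its own secret. ---
'Server=sql01;Database=app;User Id=app;Password=<new-placeholder>' |
    Set-Content -Path .\db_conn_v2.txt -NoNewline
docker secret create db_conn_v2 .\db_conn_v2.txt
Remove-Item -Path .\db_conn_v2.txt
docker service update --secret-rm db_conn --secret-add source=db_conn_v2,target=db_conn webapp
```

The docker commands run on a manager node; Get-DockerSecret is what the application inside the container runs. Because the target file name stays db_conn across the rotation, the application code needs no change when the underlying secret is replaced.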

Trusted Delivery

Image Signing and Verification

Knowing that the software running in your environment is authentic and came from a trusted source is critical to protecting your information assets. With Docker Content Trust, which is built into Docker EE, container images are cryptographically signed to record the contents present in the image at the time of signing. Later, when a host pulls the image down, it will validate the signature of the downloaded image and compare it to the expected signature from the metadata. If the two do not match, Docker EE will not deploy the image since it is likely that someone tampered with the image.

Image Scanning and Antimalware

Beyond checking if an image has been modified, it’s important to ensure the image doesn’t contain malware or libraries with known vulnerabilities. When images are stored in Docker Trusted Registry, Docker Security Scanning can analyze images to identify libraries and components in use that have known vulnerabilities in the Common Vulnerabilities and Exposures (CVE) database.

Further, when the image is pulled on a Windows Server 2016 host with Windows Defender enabled, the image will automatically be scanned for malware to prevent malicious software from being distributed through container images.

Windows Updates

Working alongside Docker Security Scanning, Microsoft Windows Update can ensure that your Windows Server operating system is up to date. Microsoft publishes two pre-built Windows Server base images to Docker Hub: microsoft/nanoserver and microsoft/windowsservercore. These images are updated the same day as new Windows security updates are released. When you use the “latest” tag to pull these images, you can rest assured that you’re working with the most up to date version of Windows Server. This makes it easy to integrate updates into your continuous integration and deployment workflow.

Infrastructure Independent

Active Directory Service Accounts

Windows workloads often rely on Active Directory for authentication of users to the application and authentication between the application itself and other resources like Microsoft SQL Server. Windows Server Containers can be configured to use a Group Managed Service Account when communicating over the network to provide a native authentication experience with your existing Active Directory infrastructure. You can select a different service account (even belonging to a different AD domain) for each environment where you deploy the container, without ever having to update the container image.

Docker Role Based Access Control

Docker Enterprise Edition allows administrators to apply fine-grained role based access control to a variety of Docker primitives, including volumes, nodes, networks, and containers. IT operators can grant users predefined permission roles to collections of Docker resources. Docker EE also provides the ability to create custom permission roles, providing IT operators tremendous flexibility in how they define access control policies in their environment.

Conclusion

With Docker Enterprise Edition and Windows Server 2016, you can develop, deploy, and manage your applications more safely using the variety of built-in security features designed with developers and operators in mind. To read more about the security features available when running Windows Server Containers with Docker Enterprise Edition, check out the full whitepaper and learn more about using Docker Enterprise Edition in Azure.

spongbeaux
138 days ago

Analysis: How Lewis Hamilton could catch Schumacher’s win total and those feuding Force Indias

1 Comment
The Belgian Grand Prix set the pulse racing at several points, despite being another race with a serious lull in the middle. Highlights were Fernando Alonso’s opening lap, the pass by Daniel Ricciardo on Valtteri Bottas at the restart after the late Safety Car, Vettel’s attempt to do the same with Lewis Hamilton in the […]
spongbeaux
148 days ago
But... Can Toto not see that Wehrlein's star has faded? I'm not sure anyone's really keen on him any more.

Elite Dangerous introduces super-rad alien encounter

1 Comment

Thargoid alien spacemen have arrived in Elite Dangerous [official site], following a string of hints and discoveries, and they look pretty flipping cool. Players can now encounter a whopping great Thargoid ship in a scripted sequence with all the mystery and threat I’d want from first contact (well, in this game) with an alien civilisation who consider me so far beneath them. Here, come watch a meeting with the spacemen. … [visit site to read more]

spongbeaux
380 days ago
Better yet: they leave this as a standalone encounter, then introduce a completely different set of aliens and technology, and these guys are never seen or heard from again...

My top five F1 drivers of the 2016 season

1 Comment
It’s that time again when it is time to take a deep breath and pick the Top 5 Drivers of 2016. This is a tradition on this site going back to 2009, when the site first took off and this year is by far the most difficult to choose of the eight seasons to date. […]
spongbeaux
394 days ago
Agree mostly with JA's ordering on this one. Maybe Fernando up a spot.

SHA-1 deprecation countdown

1 Comment

The SHA-1 hash algorithm is no longer secure. Weaknesses in SHA-1 could allow an attacker to spoof content, execute phishing attacks, or perform man-in-the-middle attacks when browsing the web. Microsoft, in collaboration with other members of the industry, is working to phase out SHA-1. We have outlined our timeline for SHA-1 deprecation in earlier posts, most recently in April. This post is to clarify some of our most commonly asked questions, and to help you test ahead of time.

Starting on February 14th, 2017, Microsoft Edge and Internet Explorer 11 will prevent sites that are protected with a SHA-1 certificate from loading and will display an invalid certificate warning. Though we strongly discourage it, users will have the option to ignore the error and continue to the website.

This will only impact SHA-1 certificates that chain to a Microsoft Trusted Root CA. Manually-installed enterprise or self-signed SHA-1 certificates will not be impacted, although we recommend for all customers to quickly migrate to SHA-256.

Additional information on Microsoft’s overall SHA-1 deprecation plans can be found on TechNet.

[Screen capture: Microsoft Edge displays an invalid certificate warning when browsing to a site protected with a SHA-1 certificate]

Frequently asked questions

How can I test if my site will be impacted?

By installing the latest November 2016 Windows Updates, including the November 2016 Preview of Monthly Quality Rollups for Windows 7/Windows 8.1, you can test how your site will be impacted by the February 2017 update.  Please note that the Windows 7 and Windows 8.1 updates are currently offered as Optional Updates on Windows Update, and are expected to be promoted to Recommended Updates on December 13th, 2017. You can test by running the following commands from an Administrator Command Prompt:

First, create a logging directory and grant universal access:

set LogDir=C:\Log
mkdir %LogDir%
icacls %LogDir% /grant *S-1-15-2-1:(OI)(CI)(F)
icacls %LogDir% /grant *S-1-1-0:(OI)(CI)(F)
icacls %LogDir% /grant *S-1-5-12:(OI)(CI)(F)
icacls %LogDir% /setintegritylevel L

Next, enable certificate logging and SHA-1 blocking:

Certutil -setreg chainWeakSignatureLogDir %LogDir%
Certutil -setreg chainWeakSha1ThirdPartyFlags 0x80040004

Important: Use the following commands to remove the settings after you have completed your testing.

Certutil -delreg chainWeakSha1ThirdPartyFlags
Certutil -delreg chainWeakSignatureLogDir
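A complementary check you can run from PowerShell alongside the certutil test above, as an added example that is not part of the original post: it connects to a site, builds the certificate chain with the local machine's own trust store, and reports which certificates below the root are SHA-1 signed. The root's self-signature is ignored, matching the post's statement that only the root's membership in the Microsoft Trusted Root Program matters. The lookup in the AuthRoot store to guess whether that root came from the Microsoft program is an assumption (a heuristic, not a documented test), and example.com is a placeholder host.

```powershell
# Added example; not from the original post. Reports SHA-1 signatures in a site's
# chain, excluding the root's self-signature, and guesses whether the root is a
# Microsoft Trusted Root Program CA (heuristic, see comment below).
function Test-Sha1Chain {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )

    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $ssl = $null
    try {
        # Accept any server certificate during the handshake: the goal is to
        # inspect the chain locally, not to trust it.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }

    # Build the chain the way the local machine would (revocation skipped; it is
    # irrelevant to the signature-algorithm question).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    [void]$chain.Build($leaf)
    $elements = @($chain.ChainElements)
    $root = $elements[-1].Certificate

    # Heuristic (assumption): roots distributed by the Microsoft Trusted Root Program
    # are placed in the AuthRoot store, while manually installed enterprise or
    # self-signed roots live in Root. Treat AuthRoot membership as "public root".
    $publicRoot = Test-Path -Path "Cert:\LocalMachine\AuthRoot\$($root.Thumbprint)"

    # Examine every element except the last (the root); a root's own signature
    # is not what the February 2017 change evaluates.
    $sha1Signed = @()
    for ($i = 0; $i -lt $elements.Count - 1; $i++) {
        $cert = $elements[$i].Certificate
        if ($cert.SignatureAlgorithm.FriendlyName -match 'sha1') {   # e.g. sha1RSA, sha1ECDSA
            $sha1Signed += $cert.Subject
        }
    }

    [pscustomobject]@{
        HostName         = $HostName
        Root             = $root.Subject
        RootIsMsProgram  = $publicRoot
        Sha1Signed       = $sha1Signed
        LikelyBlocked    = ($publicRoot -and $sha1Signed.Count -gt 0)
    }
}

Test-Sha1Chain -HostName 'example.com' | Format-List
```

LikelyBlocked is true only when both conditions from the post hold: a SHA-1 signed leaf or intermediate, and a root that the heuristic classifies as a Microsoft Trusted Root. A SHA-1 chain ending in an enterprise root shows the weak signatures but reports LikelyBlocked as false, which is the cross-signing case discussed in the FAQ below. Because the chain is built with the local store, run it on a machine representative of your clients.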

How will other Windows applications and older versions of Internet Explorer be impacted?

Third-party Windows applications that use the Windows cryptographic API set, and older versions of Internet Explorer, will not be impacted by the February 2017 changes by default.

How will SHA-1 client authentication certificates be impacted?

The February 2017 update will not prevent a SHA-1 signed certificate from being used for client authentication.

What about cross-signed certificates?

Windows will only check if the thumbprint of the root certificate is in the Microsoft Trusted Root Certificate Program. A certificate cross-signed with a Microsoft Trusted Root that chains to an enterprise/self-signed root would not be impacted by the changes planned for February 2017.

― Alec Oot, Senior Program Manager
― Jody Cloutier, Senior Program Manager

spongbeaux
424 days ago
No more SHA-1 website certificates! (not public ones, anyway)