Nuffing.com

This blog post will discuss the issues and solutions for MySQL Data at Rest encryption.
Data at Rest Encryption is not only a good-to-have feature, but it is also a requirement for HIPAA, PCI and other regulations.
There are three major ways to solve data encryption at rest:
Full-disk encryption
Database-level (table) encryption
Application-level encryption, where data is encrypted before being inserted into the database
I consider full disk encryption to be the weakest method, as it only protects from someone physically removing the disks from the server. Application-level encryption, on the other hand, is the best: it is the most flexible method with almost no overhead, and it also solves data in-flight encryption. Unfortunately, it is not always possible to change the application code to support application-level encryption, so database-level encryption can be a valuable alternative. Sergei Golubchik, Chief Architect at MariaDB, outlined the pluses and minuses of database level encryption during his
Sergei Golubchik, Chief Architect at MariaDB, outlined the pluses and minuses of database level encryption during his session at Percona Live Amsterdam:
Pros
Full power of DBMS is available
Full power of DBMS is availableEasy to implement
Easy to implementOnly database can see the data
Only databases can see the dataPer-table encryption, per-table keys, performance
Per-table encryption, per-table keys, performanceCannot be done per-user
Cons
Cannot be done per-user
Does not protect against malicious root user
Data at Rest Encryption: Database-Level Options
Currently, there are two options for data at rest encryption at the database level:
MariaDB 10.1.3+ support encryption (using Google patch)
MySQL 5.7.11+ (and Percona Server 5.7.11) has InnoDB tablespace level encryption
MariaDB’s implementation is different from MySQL 5.7.11. MySQL 5.7.11 only encrypts InnoDB tablespace(s), while MariaDB has an option to encrypt undo/redo logs, binary logs/relay logs, etc. However, there are some limitations (especially together with Galera Cluster):
No key rotation in the open source plugin version (MySQL 5.7.11 has a key rotation)
mysqlbinlog does not work with encrypted binlogs (bug reported)
Percona XtraBackup does not work, so we are limited to RSYNC as SST method for Galera Cluster, which is a blocking method (one node will not be available for writes during the SST). The latest Percona XtraBackup works with MySQL 5.7.11 tablespace encryption
The following data is not encrypted (bug reported)
Galera gcache + Galera replication data
General log / slow query log
Database level encryption also has its weakness:
Root and MySQL users can read the keyring file, which defeats the purpose. However, it is possible to place a key on the mounted drive and unmount it when MySQL starts (that can be scripted). The downside of this is that if MySQL crashes, it will not be restarted automatically without human intervention.
Both MariaDB version and MySQL version only encrypt data when writing to disk – data is not encrypted in RAM, so a root user can potentially attach to MySQL with gdb/strace or other tools and read the server memory. In addition, with gdb it is possible to change the root user password structure and then use mysqldump to copy data. Another potential method is to kill MySQL and start it with skip-grant-tables. However, if the key is unmounted (i.e., on USB drive), MySQL will either not start or will not be able to read the encrypted tablespace.
MariaDB Encryption Example
To enable the full level encryption we can add the following options to my.cnf:[mysqld]
plugin-load-add=file_key_management.so
file_key_management_filekey = FILE:/mount/keys/mysql.key
file-key-management-filename = /mount/keys/mysql.enc
innodb-encrypt-tables = ON
innodb-encrypt-log = 1
innodb-encryption-threads=1
encrypt-tmp-disk-tables=1
encrypt-tmp-files=1
encrypt-binlog=1
file_key_management_encryption_algorithm = AES_CTRAfter starting MariaDB with those settings, it will start encrypting the database in the background. The file_key_management plugin is used; unfortunately, it does not support key rotation. The actual keys are encrypted with:# openssl enc -aes-256-cbc -md sha1 -k <key> -in keys.txt -out mysql.encThe encryption <key> is placed in /mount/keys/mysql.key.
After starting MySQL, we can unmount the “/mount/key” partition. In this case, the key will not be available and a potential hacker will not be able to restart MySQL with “–skip-grant-tables” option (without passwords). However, it also prevents normal restarts, especially SSTs (cluster full sync).
Additional notes:
Encryption will affect the compression ratio, especially for the physical backups (logical backups, i.e. mysqldump does not matter as the data retrieved is not encrypted). If your original compressed backup size was only 10% of the database size, it will not be the case for the encrypted tables.
Data is not encrypted in flight and will not be encrypted on the replication slaves unless you enable the same options on the slaves. The encryption is also local to the server, so when encryption was just enabled on a server some tables may not be encrypted yet (but will be eventually)
To check which tables are encrypted, use the Information Schema INNODB_TABLESPACES_ENCRYPTION table, which contains encryption information. To find all tables that are encrypted, use this query:
select * from information_schema.INNODB_TABLESPACES_ENCRYPTION where ENCRYPTION_SCHEME=1
MySQL 5.7 Encryption Example
To enable encryption, add the following option to my.cnf:[mysqld]
early-plugin-load=keyring_file.so
keyring_file_data=/mount/mysql-keyring/keyringAgain, after starting MySQL we can unmount the “/mount/mysql-keyring/” partition.
To start encrypting the tables, we will need to run alter table table_name encryption=’Y’ , as MySQL will not encrypt tables by default.
The latest Percona Xtrabackup also supports encryption, and can backup encrypted tables.
To find all encrypted tablespaces in MySQL/Percona Server 5.7.11, we can use information_schema.INNODB_SYS_TABLESPACES and the flag field. For example, to find normally encrypted tables, use the following query:mysql> select * from information_schema.INNODB_SYS_TABLESPACES where flag = 8225G
*************************** 1. row ***************************
SPACE: 4688
NAME: test/t1
FLAG: 8225
FILE_FORMAT: Barracuda
ROW_FORMAT: Dynamic
PAGE_SIZE: 16384
ZIP_PAGE_SIZE: 0
SPACE_TYPE: Single
FS_BLOCK_SIZE: 4096
FILE_SIZE: 98304
ALLOCATED_SIZE: 98304
*************************** 2. row ***************************
SPACE: 4697
NAME: sbtest/sbtest1_enc
FLAG: 8225
FILE_FORMAT: Barracuda
ROW_FORMAT: Dynamic
PAGE_SIZE: 16384
ZIP_PAGE_SIZE: 0
SPACE_TYPE: Single
FS_BLOCK_SIZE: 4096
FILE_SIZE: 255852544
ALLOCATED_SIZE: 255856640
2 rows in set (0.00 sec)You can also use this query instead: select * from information_schema.tables where CREATE_OPTIONS like ‘%ENCRYPTION="Y"%’;.
Performance overhead
This is a debatable topic, especially for the MariaDB implementation when everything is configured to be encrypted. During my tests I’ve seen ~10% of overhead for the standalone MySQL instance, and ~20% with Galera Cluster.
The MySQL 5.7/Percona Server 5.7 tablespace-level encryption shows an extremely low overhead, however, that needs to be tested in different conditions.
Conclusion
Even with all the above limitations, database-level encryption can be a better option than the filesystem-level encryption if the application can not be changed. However, it is a new feature (especially MySQL 5.7.11 version) and I expect a number of bugs here.
via Planet MySQL
MySQL Data at Rest Encryption

We’ve noted how Tennessee is one of twenty states that has passed state laws, quite literally written by companies like AT&T, prohibiting towns and cities from wiring themselves with broadband — even if nobody else will. When the FCC announced it would be taking aim at these protectionist broadband laws last year, Tennessee politicians threw a hissy fit, suing the FCC for "violating states rights." That incumbent ISPs are being allowed to write awful state law that’s hampering a generation of business development in the state? Not apparently much of a concern.

As an unsurprising result, Tennessee remains one of the least connected broadband states in the nation, and state residents have increasingly been giving beholden state politicians an earful. Those who can, like Tennessee developer John "Thunder" Thornton, have started taking matters into their own hands and building their own gigabit networks. To do so, Thorton had to get the aid of a power cooperative in Alabama, a state that has a slightly less restrictive municipal broadband law in place:

"Unable to gain high-speed broadband at what he deemed an affordable price from AT&T or Charter Communications and limited from service extensions from EPB’s ultra-fast Internet in Chattanooga, Thornton created his own Internet service provider last year. The private developer spent more than $400,000 to build his own fiber network and link it with a power cooperative in Stevenson, Ala., where fast broadband is available."

According to Thorton, the money he spent to wire his hilltop development cost a third of what AT&T was charging:

"Thornton said when he approached AT&T about providing Gig service to Jasper Highlands he was quoted a price of $1.3 million to serve his mountaintop development — more than three times what it ended up costing Thornton to build his own network connected to Alabama.

"Our costs are much less, but then I don’t have to pay for 27 lobbyists in Nashville like AT&T does," Thornton quipped.

So yeah, Tennessee lawmakers have done such a bang up job letting AT&T write awful state telecommunications law, state residents are being forced to spend their own money to get broadband at a relatively sane price. Sadly, most of the people that can’t get decent broadband can’t afford to go Thorton’s route. And while you’d think the cacophony of complaints from Tennessee residents would be enough to get some movement in the state legislature after a decade, all recent efforts to overturn the state’s protectionist law have gone nowhere.

Tennessee’s law prevents a popular Chattanooga-based utility-run ISP, EPB, from expanding its up to 10 Gbps offerings into any more markets. But attempts to repeal the law earlier this year went nowhere after mammoth pressure from incumbent ISP lobbyists. When that didn’t work, one lawmaker tried to pass a compromise bill that would have allowed EPB to expand into just one neighboring county. That proposal was shot down as well, one of the dissenting votes being that of Rep. Patsy Hazlewood, a former AT&T executive.

That leaves the FCC as the best, current option in getting some of these miserable laws overturned.

As it stands, the FCC is arguing that Section 706 of the Telecommunications Act allows it to preempt state laws that conflict with the agency’s Congressional mandate to guarantee "reasonable and timely" broadband deployment. While there’s twenty such laws, the FCC is currently trying to overturn just two: in Tennessee and North Carolina; the hope being the legal precedent then rolls downhill. But both states have taken the FCC to court, bravely defending their right to take campaign contributions — in exchange for protecting incumbent broadband providers from necessary and inevitable evolution.

Permalink | Comments | Email This Story

via Techdirt.
Tennessee Man Builds His Own Gigabit Network Thanks To State’s Protectionist Broadband Law

Here’s how parents of kids with rare disease found what may be blockbuster drug.
via Ars Technica
Sweet drug clears cholesterol, reverses heart disease—and was found by parents

There’s plenty of advice out there about how to make it in Silicon Valley. Some things are required for innovation success anywhere in the world, but the valley is a special place with different rules. As someone who’s spent a lot of time there, I think there are a few important elements to Silicon Valley’s success that others should know about if they’re trying to bring their ideas to life there.
Be Helpful: Successful People Help Others
You hear a lot these days about “corporate greed,” but even with so much money and prestige centered in Silicon Valley, the overall attitude of people there is very generous.…
via Phil McKinney
What Is The Silicon Valley Secret Sauce For Innovation Success?

via kottke.org
Rogue One: A Star Wars Story

Non-Newtonian fluids are liquids that are also sort of solid but also sort of neither but also sort of both? They’re very thick liquids or very giving solids, depending on what you want to call it. That’s why they’re so fun to do science experiments with. The Backyard Scientist went and filled up balloons with non-Newtonian fluids and ripped a chainsaw through them, shot a BB-gun at them, and fired off a golf ball cannon at them too.

He wanted to compare how non-Newtonian fluid would react vs regular ol’ water in the same situation. Let’s just say the non-Newtonian fluid explosions were so much better (and they acted like a solid).

SPLOID is delicious brain candy. Follow us on Facebook, Twitter, and YouTube.

via Gizmodo
What Happens When You Shoot a Golf Ball at a Balloon Filled with Non-Newtonian Fluid?

No matter where you travel, you want your hotel room to be a place you can take a load off and relax. It’s hard to do that, however, if you don’t feel comfortable and safe. This hotel safety checklist from a former CIA operative can help.

Drew Dwyer, a Marine veteran and former CIA operative, has seen his fair share of travel around the world—including some not-so-safe places for travelers. If you plan on seeing all of the world and want to stay safe, Dwyer shares his personal hotel safety checklist at SOFREP.com:

1. Acquire or make a copy of the fire escape plan on the back of your door. Most of these just slide out.
   
2. Do not stay on the ground or the top floor. The ground floor is readily accessible to intruders and the top floor does not allow any room to maneuver. The first or second (European) floors allow access for most third world country emergency vehicles.
   
3. Keep the “Do Not Disturb” sign on the door, even when you are not there.
   
4. Always assume the room is bugged. Keep the radio or TV turned on with the volume on low at all times — even when you are not in the room.
   
5. Keep the drapes/blinds pulled at all times, even when unoccupied.
   
6. Keep a light on in the room when unoccupied.
   
7. Keep a small “bug-out bag” packed with must-have items (money, ID, passport, etc.) in the event of an emergency departure.
   
8. Carry a motion alarm that can be placed over the doorknob. They are about $20 and can be found in most electronics stores.
   
9. Keep a flashlight next to the bed and within arm’s reach.

Some of this might seem like overkill for most travelers (especially the bugging bit), but it’s good information to know just in case. You can find more great world travel safety tips at the link below.

http://ift.tt/1S3kXYN…

The CIA Operative’s Guide to Safe Travel | SOFREP via Entrepreneur

Photo by McKay Savage.

via Lifehacker
A Hotel Safety Checklist for World Travelers From a Former CIA Operative

via kottke.org
An honest trailer for The Force Awakens

Netflix had some 75 million paying subscribers around the world—but how many of those people are getting the most out of their subscription? You can supercharge your viewing experience with these browser extensions and online apps that will take your Netflix game to a whole new level.

Extensions

Flix Plus by Lifehacker: a Chrome extension packed with tweaks from our good friends at Lifehacker, offering random episodes, customized lists, blocks for potential episode spoilers, fades for titles you’ve already seen, extended search and lots of other cool stuff.

Netflix Party: This Chrome extension enables you to watch Netflix remotely with friends. It introduces a group chat window down the right of the interface and keeps playback in sync between machines so you’re all watching the same scenes together.

NEnhancer: This Chrome extension adds a few bells and whistles on top of the core Netflix experience, including pop-up ratings, links to trailers, the option to show or hide categories on the front screen, and a random episode button (previously on Field Guide).

OttoPlay: A very handy (and free) Chrome extension that lets you watch Netflix like it’s running on an old-school cable (essentially adding the illusion of channel-surfing capabilities on top of the platform). It’s one of our favorite plug-ins for Netflix.

Super Browse: Did you hear Netflix has a ton of hidden category codes? Super Browse is a simple browser extension for Chrome and Firefox that unhides them and saves you having to guess the numerical code for each subcategory that you’re interested in exploring.

Super Netflix: Extra tools during playback are focus of this Chrome extension. It lets you adjust video quality on the fly, introduce custom subtitles, and get on-screen diagnostics with a click. It’s smooth and simple and feels very much like a native set of features.

Websites and online apps

FlickSurfer: if you’re stuck for something to watch, and you’re getting no joy out of Netflix’s recommendation algorithms, try FlickSurfer (a site we’ve covered in the past). Movies and shows can be filtered by actor, genre, rating, awards and more besides.

Flixed: As you’re probably aware, Netflix content differs wildly from country to country. Flixed lets you search by region with one click of the mouse, so you can check up on what you’re missing out on—or see the shows and movies you can watch on your next holiday.

JustWatch: This site and app covers pretty much every video-on-demand service currently out there—Not just Netflix. It’s a helpful tool for seeing exactly what’s available (use the ratings slider to make sure you’re just seeing the good stuff). This is another one of our favorites.

Leanflix: Leanflix isn’t a tool built exclusively for Netflix, but it can help you narrow down your streaming viewing choices based on critic scores, IMDB ratings, year of release, genre, MPAA rating and more besides.

Netflix Roulette: As you might expect, Netflix Roulette chooses something random for you to watch on the streaming service. You can filter by rating, director, actor, keyword, and type of content (movie or show) if you don’t want something completely random.

New On Netflix: This is another listings site, but one that’s more comprehensive than the others. The real strength of New On Netflix is its catalog of what’s old on Netflix—it has an up-to-date list of everything that’s leaving the platform in the coming days so you can watch it before it’s gone.

What Is My Movie?: The experimental What Is My Movie? isn’t specifically tailored for Netflix, but it can work out what film you’re talking about based on a natural language description (like “Tom Hanks is young”). Give it a try and be hugely impressed by its accuracy.

What Is On Netflix?: The What Is On Netflix? site looks similar to a lot of other streaming directories, but it has two important features in its favor—it lets you see all the new stuff with a couple of clicks and comes with apps for Android and iOS you can use on your mobile devices.

[Header image: Gil C/Shutterstock.com]

via Gizmodo
14 Netflix Hacks to Help You Binge Like a Pro