From our subscribers.

A postmortem by Mozilla on the recent Firefox outage.

For those services hosted on Google Cloud Platform (GCP) these load balancers have settings related to the HTTP protocol they should advertise and one of these settings is HTTP/3 support with three states: “Enabled”, “Disabled” or “Automatic (default)”. Our load balancers were set to the “Automatic (default)” setting and on January 13, 2022 at 07:28 UTC, GCP deployed an unannounced change to make HTTP/3 the default.

Lessons Learned...

GCP’s deployment of HTTP/3 as default was unannounced. We are actively working with them to improve the situation. We realize that an announcement (as is usually sent) might not have entirely mitigated the risk of an incident, but it would likely have triggered more controlled experiments (e.g. in a staging environment) and deployment.

I'm yet to read this postmortem through.

P.S.: If you want to suggest any interesting materials for this channel, you can always do it in our chat. The chat itself is Ukrainian and Russian speaking.

There has been silence on this channel for a while now. I'm sorry for that. I didn't post anything, because I was not in the mood of doing so.

However, I have a formal excuse as well: I started processing the result of Kubernetes Cluster Operations survey that I had issued a few weeks before. So, expect a write-up soon! I would say "this week", but let's see.

In the meantime, you can read a short fiction story about two students, who are trying to figure out, what it actually means "to listen on a port"?

Cya!

GitHub presented Mermaid - a tool to include diagrams into Markdown files.

Basically, it allows to output a diagram in JS-enabled environments and a Markdown syntax in non-JS environments.

I haven't checked if it already works in READMEs on GitHub, but I assume it should.

#markdown #github #microsoft

CatOps exists for almost five years already as a non-profit hobby project. Yes, at some point we were advertising some technical events here, but we never took money for that.

In my opinion, keeping it independent of ad money is what makes all the fun. I'll be honest with you, from time to time I get ideas of starting a Patreon or something similar, but each time it turns out to be too complicated.

However, there is a way to support CatOps financially! Even though this is an indirect support!

Consider subscribing to the Patreon page of the "Come Back Alive" Foundation or you can, of course, donate directly. They have all the details on their website. Unfortunately, not all the information on the website is translated to English, but the main things are there.

This Foundation supports Ukrainian army as well as establish re-integration programs for the veterans.

By supporting people, who take care of us, you empower us in doing our day-to-day jobs and providing some platform engineering content here.

With love 💛💙
@grem1in

Good engineers ship good software, great engineers empower others to do so.

Become a +10% engineer explores some ways of how one can influence others in a good way and ease the work of entire team.

Yes, the name of this article is a word game with the "10x engineer" phrase. Yet, the main idea is that "Productivity of the team > Productivity of the individual"

#culture

I had an idea of writing something about Terraspace for quite some time now. I might have even had a draft somewhere! But of course, someone wrote it before me :)

Here's an article about Terraspace - a part of series about Terraform ecosystem. Other parts are:
- From Terralith to Terraservice with Terraform
- Terragrunt cheat sheet
- Another part with the comparison between Terragrunt and Terraspace is coming soon, but there are already some source files

I got this article from the Terraform Weekly subnoscription. It's curated by a proud member of our community - Anton Babenko. If you use Terraform in your work, you should definitely subscribe!

P.S. If you still think I should write something about Terraspace, let me know by putting 👍 emoji on this post. If you have more specific suggestions, you're always welcome in our chat (chat is in Ukrainian and Russian)!

#terraform #hashicorp #terragrunt #terraspace

​​Finally I got my things together and published the results of the Kubernetes Survey! Many thanks to everyone, who participated in this survey!

The first part is available in English. Also, you can find it in Ukrainian here.

To be honest, I’m not even sure what was easier: write the original post or translate it, haha.

The second part will be available soon. So, stay tuned!

#kubernetes

Ever wondered, how a TCP connection works in slow-mo?

Here's an article just about that. There's a video as well. The link is in the article.

TBH, would be nice if this article covers not only the basics of TCP, but other features as well. Like RST packets.

Also, here's an interesting investigative read, which is not exactly about TCP, but it's features played thy key role for the investigation. Or this case, that actually happened in my company

#networking #tcp

Back in a day, a friend of mine was ranting that this is not that obvious to spin up a VPN server in Kubernetes as online tutorials suggested.

Now, you can make a Wireguard operator do it for you. I haven't personally tested this operator. Yet, it has some positive comments on Reddit.

#kubernetes #networking

Recently, I asked my subscribers what topics are interesting to them and a few people mentioned observability.

That’s funny, ‘coz yesterday I accidentally bumped into a great series of articles on setting SLAs for your products by Alex Ewerlöf!

- Calculating composite SLA - truly outstanding read!
- Some practical advice when setting SLA - notice, it says SLA, not SLO. So, there are some business related tips in this article as well. However, the core is technical, ofc.
- Calculating the SLA of a system behind a CDN - I haven’t read this one yet. But given the quality of previous two, I expect this one be great as well!

tl;dr for the first article in the list:

for serial, multiply availability; For parallels, multiply unavailability


I would personally also add that when you try to set a “full” SLO(A) for your service, that is also a composite SLO(A). You should treat it as a serial. For example, if you have 99.8% error rate SLO and 99.1% latency SLO, an “overall” SLO would be 0.998 0.991 100% = 98.9%

That’s not only good to know, but you may also want to write your marketing materials differently. There is a difference between:

> We guarantee 99.8% SLO on 5th error rate and 99.1% SLO on requests not taking longer than X milliseconds.

And

> We guarantee the 98.9% availability of our systems.

I’m not a marketing person, though. I don’t know what’s better. What I do know is that:”Nines doesn’t matter, if your users are unhappy”.

#observability #slo #sla

Тримаємося разом, зберігаємо спокій, віримо в ЗСУ!🇺🇦

How to donate to help Ukrainian army❓

We are currently receiving numerous inquiries about our organization's bank details.

We thank everyone who donates and post the bank data for charitable contributions in a separate publication.

Let's win together🇺🇦💪

Transfers from abroad:

📌Fondy.eu: https://pay.fondy.eu/s/1stPBTgMbWTY
Currency of transfer – UAH. If your card currency is not UAH, funds will be withdrawn according to the rate. The commission of 2.7% is paid by the recipient

📌SWIFT
Company Name
CO "INTERNATIONAL CHARITABLE FOUNDATION "COME BACK ALIVE"
IBAN Code (Euro)
UA093052990000026004025029786
IBAN Code (U.S. dollar)
UA173052990000026009035028620

📌 Name of the bank
JSC CB "PRIVATBANK", 1D HRUSHEVSKOHO STR., KYIV, 01001, UKRAINE
Bank SWIFT Code
PBANUA2X
Purpose of payment:
Charitable donation to Ukrainian military

📌Bitcoin Wallet
Number: bc1qkd5az2ml7dk5j5h672yhxmhmxe9tuf97j39fm6

♥️If you want to support foundation «COME BACK ALIVE» team:

1) CO «INTERNATIONAL CHARITABLE FOUNDATION COME BACK ALIVE"
IBAN: UA793052990000026001045003547
ЄДРПОУ: 42046152
Payee:
Громадська організація «ПОВЕРНИСЬ ЖИВИМ!»
Purpose of payment: Благодійна пожертва на статутну діяльність.
2) Patreon: https://www.patreon.com/savelife_in_ua

Dear tech community,

I found an interesting link on Reddit:

https://www.reddit.com/r/ukraine/comments/t0m50l/how_to_use_hoic_high_orbit_ion_cannon_to/

I will copy the text here for convenience.

How to use HOIC ("High Orbit Ion Cannon") to stress-test websites that are owned by you, and you alone, and that are absolutely not owned by russian entities.

So, for no particular reason I feel like explaining how to use the piece of software called HOIC to stress-test websites that you own.


# Introduction

HOIC, or "High Orbit Ion Cannon" is a piece of software that can be used to stress-test websites and other online services. What it does is it simply sends a bunch of requests to a URL that you specify. It is the successor to "LOIC", or "Low Orbit Ion Cannon", which was used by the hacktivist collective Anonymous during Operation Payback to bring down websites of entities that fought against internet freedoms.

It is available on [SourceForge](https://sourceforge.net/projects/highorbitioncannon/) and has been classified as malware because it can be used in a malicious manner. LOIC is also [available on the same website.](https://sourceforge.net/projects/loic/)

To properly stress-test a website that you own, you would likely either need to own several computers on different networks, or have a bunch of friends that could help you by targeting the same website/IP-address.

# Be wary

If you decide that stress-testing websites is something that you would like to do, I would suggest that you personally make sure that you do in fact trust the software. In these times, we need to be wary, and there is no way for you to know that I am not a malicious actor promoting actually malicious software.


When attempting to unzip the tool, Windows Defender will give you two malware warnings, "DDoS:VBS/Hoic.A" and "HackTool:Win32/Hoylecann.A"

You can read what Microsoft has to say about this tool on the following links:

[https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-denoscription?Name=HackTool:Win32/Hoylecann.A](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-denoscription?Name=HackTool:Win32/Hoylecann.A)

[https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-denoscription?Name=DDoS:VBS/Hoic.A](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-denoscription?Name=DDoS:VBS/Hoic.A)

# How to use HOIC

Honestly, it's really fucking simple. The most difficult part is allowing the software through your antivirus software.


1. Download the zipped up archive from sourceforge. The link can be found above. Seeing as SourceForge detects malware in the software, you have to go through an extra click.
2. Unzip the archive.
3. If you're on windows, Windows Defender will likely stop you. If you are sure you know what you're doing and you want to proceed anyways, you'll have to click the notification, click the threat "DDoS:VBS/Hoic.A" and select "Allow on Device" followed by "Start actions".
4. Click "Yes" to confirm the action using admin privileges.
5. In the prompt for moving/copying files, press "try again". If you've already closed that prompt, you can simply unzip the file again. This time it should let you.
6. Once you've successfully unzipped the archive, open the folder "Hoic" and run "hoic2.1.exe"
7. Press the "+" button under "TARGETS"
8. Enter the URL that you wish to stress-test, e.g. "[https://somewebsite.org](https://somewebsite.org)" or "[https://www.rt.com](https://www.rt.com)"
9. Make sure you actually own the website that you target. Targeting someone else's website might very well be illegal, and could cause problems for the website and its' users.
10. Set "Power" to whatever you prefer. The higher you put it, the more pressure will be put on the target. Setting it higher might trigger counter-measures more easily, so you might want to keep it at Low or Medium in order to properly test whether your website still manages to detect the attack etc.
11. I'm not sure how to use Booster, so either figure it out yourself or leave it blank
12. Click "Add".
13.

Set "Threads" to the number of threads you would like to use. Higher = more pressure, and probably easier for your countermeasures to detect.
14. Again: Make sure you actually own the website that you target. Targeting someone else's website might very well be illegal, and could cause problems for the website and its' users.
15. If you (for whatever reason) get the stupid idea to ever target a website that you do not own (DO NOT DO THAT), potentially consider maybe using a VPN or something? (But only if using a VPN is legal in your country)
16. Press "FIRE TEH LAZER!"
17. Do the same thing on your other computers, or have your friends help out. Make sure they all enter your website's URL as their target.

# Request for hackers & developers

I have a feeling that there might very well be a lot of people out there who want to stress-test websites that are owned by themselves, themselves alone, and definitely not by russians, but that might not be comfortable installing software that is classified as malware.

As such, it would be absolutely wonderful if someone could create and host a web-based (preferrably open-sourced) alternative. I'm not sure how doable it is, but if it's possible, I'm sure people would find it very useful.

Long live Ukraine!

There are also tools like Vegeta, if you don't try SourceForge. It's on GitHub and written in Go

https://github.com/tsenart/vegeta

‼️Увага

❗Проти українців почалася фішингова атака! На електронні адреси громадян надходять листи з прикріпленими файлами невизначеного характеру.

Не виключено розсилки подібних повідомлень в месенджери.

Ворожі сили мають на меті отримати доступ до електронних пристроїв українців для збору великого масиву інформації!

🛑В ЖОДНОМУ РАЗІ НЕ ВІДКРИВАЙТЕ ВМІСТ ТАКИХ ЛИСТІВ ТА ПОВІДОМЛЕНЬ!!!
Пам'ятайте про кібергігієну!

Коротко по тому, що турбує.
Це війна, в тому числі кібер- та інформаційна. Сприймайте та реагуйте лише на інформацію з офіційних джерел.
Телеграм не приватний месенджер, а онлайн база даних всього, що хтось в ній колись передавав.
Будь-які канали повідомлень (чати, канали, пабліки, сторінки та акаунти в соціалках), які контролюються або можуть контролюватися агресором, зараз повинні бути вимкнені. Вони можуть бути й будуть використані для поширення вірусів, проникнення у критичні системи, створення плацдарму для подальших атак. Імейл, СМС, повідомлення від незнайомців, підозрілі повідомлення від знайомих – все треба тверезо фільтрувати, проте краще ігнорувати ніж розбиратися.
Найголовніше: не поширюйте неперевірені дані, не залипайте на стрічку новин, не панікуйте.
Не клацати й не відкривати нічого бездумно! Правила особистої кібергігієни: https://github.com/sapran/dontclickshit
Поради з кіберзахисту для організацій (прошу вибачення, не встиг перекласти на українську): https://bsg.tech/blog/cyber-security-advice-for-small-business/

To my international subscribers here.

All the information on this channel on this channel these days will be dedicated to the brave Ukrainians, who fiercly defend their homeland.

Here we will have some info that can help people on the front lines, in the cities under siege, and to combat an agressor online as well.

Some of this information won’t be in English, because I think the speed of spreading it is more important that a translation. Thank you for understanding!

We must unite on all fronts!

Слава Україні! 💛💙

❗️УВАГА!❗️
Запускаємо міжнародну інформаційну кампанію до західних лідерів: канцлера Німеччини Олафа Шольца, президента Франції Еммануеля Макрона, президента США Джо Байдена та прем'єр-міністра Великої Британії Бориса Джонсона з 3-ома вимогами:
1. відрізати Росію від SWIFT;
2. захистити український повітряний простір;
3. направити війська НАТО в Україну.

*#BanRussiafromSwift #CloseTheSky #SendNatoToUkraine*


Чому це важливо?
1. Відрізавши рф від SWIFT, ми б’ємо по всій рф, суттєво ослаблюючи противника.
2. “Закривши” повітряний простір над Україною, тобто забезпечивши його безпеку, Захід різко змінює розклад сил в Україні. Наразі наші перемагають на суходолі, але програють в повітрі.
3. Відправивши військовий контингент НАТО в Україну, є шанс зупинити війну.

*Алгоритм дій:*

*Twitter*

1. Опублікувати твіт

Dear @OlafScholz @EmmanuelMacron @JoeBiden @BorisJohnson Please #BanRussiafromSwift #CloseTheSky #SendNatoToUkraine


*Facebook*

1. Зайти на офіційну сторінку Олафа Шольца, Еммануеля Макрона, Джозефа Байдена, Бориса Джонсона у Facebook.

https://www.facebook.com/olafscholz/
· https://www.facebook.com/EmmanuelMacron
· https://www.facebook.com/joebiden
· https://www.facebook.com/borisjohnson

2. Під кожним постом писати коментар:
Ban Russia from SWIFT! Protect Ukrainian Sky! Send NATO to Ukraine! #BanRussiafromSwift #CloseTheSky #SendNatoToUkraine

3. Опублікувати аналогічний до коментарів пост на своїй сторінці.


*Instagram*

1. Опублікувати пост та сторіз із текстом:

Dear @bundeskanzler @emmanuelmacron @joebiden @borisjohnsonuk Please #BanRussiafromSwift #CloseTheSky #SendNatoToUkraine

*Завтра буде пізно - дійте зараз. Разом сила!*

ПОШИРТЕ ЦЕ ПОВІДОМЛЕННЯ І ДОЛУЧАЙТЕСЬ