Perl to go

I have been using Perl for more than 20 years now. I saw Perl 4 bow out and Perl 5 come in, and I developed in that fantastic language that has helped me countless times in my professional life. During those years I have also considered learning another language, but for a long time I was unable to settle on one.

And then came Go, and the hype around Go, just like years ago there was a lot of hype around Java. But while everything written in Java that I came across was a big, heavy and slow memory eater, most of the tools I came across that were written in Go were actually good stuff — OK, still a bit bloated in size, but they actually worked. The opportunity came, and I finally gave Go a shot.

Continue reading


Lies, damn lies, and spammers in disguise

Everyone gets so many unsolicited commercial emails these days that, at best, you just become blind to them. Sometimes they are clearly, expressly commercial. Other times they try to get past your attention and your spam checker by disguising themselves as legitimate emails. I have a little story about that.

A couple of weeks ago I got yet another spammy mail from. It was evidently sent through a mass mailing and, as such, also included an unsubscribe link; however, the guy was trying to legitimize his spam by saying that he approached me specifically because a colleague had referred me to him. In addition, I felt that some keywords were added to his message only to make it sound “prettier” or more legitimate.

I usually don’t spend time on spammers, but when I do I try to do it well. On this occasion I had a little time to spend on it, and I did. On October 30th I was walking to my eye doctor’s when I saw an email notification on my phone. The email said the following (note: the highlights are mine):

Marco,
I was sent your way as the person who is responsible for application security testing and understand XXXXXX would be of interest to Telenor. To what lies within our next generation penetration testing abilities, XXXXXX can bring to you:
  • Periodic pen tests in uncovering serious vulnerabilities and (lack of) continuous application testing to support dynamic DevOps SDLC.
  • An ROI of 53% or higher with the ability to Identify, locate and resolve all vulnerabilities
  • Averaging 35-40% critical vulnerabilities found overall, others average 28%.
  • Over 500 international top class security researchers deployed in large teams of 40-60 ethical hackers.
We have pioneered a disruptive, ethical hacker powered application testing approach deploying large teams of senior security researchers with hacker mimicking mindsets to rapidly uncover exploits in your applications.
I would like to find some time for a conversation during November, to give you the insight into why Microsoft and Hewlett-Packard Enterprise have invested in us and why SAP is our top global reseller.
Many thanks,
Geoffrey XXXXXX
Business Development Manager

Now, we have our mailboxes on Gmail and my usual procedure for such spammy crap from clueless salespeople is:

  • block the sender
  • unsubscribe
  • report the mail as spam

But this time it was different: first, this guy was probably trying to legitimize himself with lies for sending me shit that I had not requested; second, despite the “personal” approach, this was clearly a mass mailing, so the whole story was clearly a lie; third, I was going to sit and wait at the doctor’s for some time. I could invest that time in running down the guy. My reply:

Kindly let me know who sent you my way, so that I can double check that. Then, maybe, we can talk.

The guy replies soon after. New mail, new lie:

Hi Marco,

Apologies for not including that in the email and I am more than happy to say how I got to you.

I have spoken to Ragnar Harper around how this may become beneficial to Telenor and he has mentioned your name during the conversations. As I have been unable to get back in contact with Ragnar I thought it best that I could gain your input into this moving forward by having some time aligned in our diaries to discuss more?

[…additional crap redacted…]

Not only had I never met or talked with any Ragnar Harper: the guy was not in our Company’s ERP either. In my eyes, Mr. Geoffrey was lying right down the line. Time to get rid of him:

There is no Ragnar Harper here

Your emails will hereby be blocked and reported as Spam

Goodbye
— MM

You may think he stopped there. Well, he didn’t:

Apologies but I just phoned the switchboard and he left last month.

Above is his LinkedIn profile as well.
Sorry for the confusion.
Geoff

So he had this beautiful relationship with Ragnar Harper, to the point that they talked together about Geoff’s products and Ragnar pointed him to me as the “person responsible for application security” (which I am not…), and he didn’t even know that Ragnar had left the company. But there is more: to find that out, he didn’t call Ragnar; he had to call the switchboard and check LinkedIn. Geoff was clearly clutching at straws. My reply:

You just picked up a random name. You are trying to sell me something for security, which should entail a certain amount of trust in your company, and you start the interaction with a lie: not bad for someone moved by an “ethical hacking” spirit.

There can’t be any trust between me and your company. Your messages are already landing in my spam folder and that’s where they shall be. Just go and try your luck with someone else, “Geoffrey”.

The king is naked, as they say. Now he’s got to stop, you think. He didn’t:

Thank you for your time Marco and I am sorry that you feel that way.

If you believe that it has started on a lie then that may well be your choice as I have been in contact with Ragnar since my days at YYYYYY before joining XXXXXX and we have yet to catch up this month since he has now departed. I shall head elsewhere as requested as that is not the kind of reputation that we uphold here.

Best wishes,

Geoff

Uh, wait a minute. Did I beat up the guy for no reason? Could it be that he actually knew this ex-colleague Ragnar Harper and I was assuming too much? Was it all a misunderstanding? If so, I wanted to know and apologise. As I said, I had never met or talked to Ragnar Harper, but I could still try to contact him through LinkedIn:

Question from an ex-colleague

Hi Ragnar. My name is Marco Marongiu, I am the Head of IT in Telenor Digital. I apologize for bothering you, it’s just a short question: have you referred me to a Sales person called Geoffrey XXXXXX from a Security company called XXXXXX?

This person approached me via email. Long story short, he says he knows you personally and that you sent him my way (to use his words). Is it something that you can confirm?

We two have never met in Telenor so that sounded strange and I handled him as a spammer. But if that is actually true I do want to send the guy my apologies. Thanks in any case

Kind regards

— Marco

I am grateful that Ragnar took some time to reply and confirm my suspicion: he had never known or met the guy. I thanked Ragnar and stopped talking to “Geoffrey”. At the same time I thought it was a good story to tell, so here we go.

Exploring Docker overlay networks

In the past months I have made several attempts to explore Docker overlay networks, but there were a few pieces to set up before I could really experiment and… well, let’s say that I probably approached the problem the wrong way and wasted some time along the way. Not again. I have set aside some time and worked agile enough to do the whole job, from start to finish. Nowadays there is little point in creating overlay networks by hand, except that it’s still a good learning experience. And a learning experience with Docker and networking was exactly what I was after.

When I started exploring multi-host Docker networks, Docker was quite different from what it is now. In particular, Docker Swarm didn’t exist yet, and a certain amount of manual work was required to create an overlay network so that containers located on different hosts could communicate.

Before Swarm, in order to set up an overlay network one needed to:

  • have at least two docker hosts to establish an overlay network;
  • have a supported key/value store available for the docker hosts to sync information;
  • configure the docker hosts to use the key/value store;
  • create an overlay network on one of the docker hosts; if everything worked well, the network would “propagate” to the other docker hosts that had registered with the key/value store;
  • create named containers on different hosts, then try to ping each other using the names: if everything was done correctly, you would be able to ping the containers through the overlay network.

This looks like a simple high-level checklist. I’ll now describe the actual steps needed to get this working, leaving the details of my failures to the last section of this post.

Continue reading

Improving your services, the DevOps way

On March 10th I was in Bologna for Incontro DevOps Italia 2017, the Italian DevOps meeting organized by the great people at BioDec. The three tracks featured several talks in both Italian and English, and first-class international speakers. And, being a conference in Bologna, it also featured first-class local food that no other conference around the world will ever be able to match.

Continue reading

A quick guide to encrypting an external drive

I am guilty of not having considered encrypting my hard drives for too long, I confess. As soon as I joined Telenor Digital (or, actually, early in the process but a bit too late…) I was commanded to encrypt my data and I couldn’t delay any more. To my utter surprise, the process was quite simple on my Debian jessie! Here is a short checklist for your convenience.

Continue reading

No leap second simulations this year

As some of my readers already know, I changed jobs in November: I left Opera Software to join Telenor Digital. We have decided not to run any leap second simulation here, so I am not going to publish anything on the subject this year. You can still refer to the post The leap second aftermath for some suggestions I wrote after the latest leap second we had in June/July 2015.

Good luck!

cf-deploy v2 released

Errata corrige: it’s actually v3! This is what happens when you don’t publish updates for your software for too long…

I took some time this weekend to release an update for cf-deploy. You now have the option to override the configuration hardcoded in the script by means of environment variables. Check the README for the details.

If you don’t know what cf-deploy is, that’s fair 😉 In two words, it’s a Makefile and a Perl front-end to it that makes it easier to pack together a set of files for a configuration management tool and send them to a distribution server. Designed with git and CFEngine in mind, it’s general enough that you can easily adapt it to any version control system and any configuration management tool by simply modifying the Makefile. If it sounds interesting, you are welcome to read Git repository and deployment procedures for CFEngine policies on this same blog. Enjoy!

cfengine-tap now on GitHub

Back from the holiday season, I have finally found the time to publish a small library on GitHub. It’s called cfengine-tap and can help you write TAP-compatible tests for your CFEngine policies.

TAP is the Test Anything Protocol. It is a simple text format that test scripts can use to print out their results and that test harnesses can consume. Originally born in the Perl world, it is now supported in many other languages.

Using this library it’s easier to write test suites for your CFEngine policies. Since it’s publicly available on GitHub and published under a GPL license, you are free to use it and welcome to contribute and make it better (please do).

Enjoy!

New leap second at the end of the year

A new leap second will be introduced at the end of 2016. We have six months to get ready, but this time it may be easier than before, as several timekeeping software packages have implemented some “leap smear” algorithm, which seems to be a very popular approach nowadays; e.g. ntpd, the reference implementation for NTP, seems to have implemented leap smear from version 4.2.8p3 onward.

We’ll see how it goes. Until then… test!

Continue reading

How I configure a docker host with CFEngine

After some lengthy busy times I’ve been able to restart my work on Docker. Last time I played with some containers to create a Consul cluster using three containers running on the same docker host — something you will never want to do in production.

The reason I was playing with a Consul cluster on docker is that you need a key/value store to play with overlay networks in Docker, and Consul is one of the supported stores. Besides, Consul is another technology I have wanted to play with since the first minute I learned about it.

To run an overlay network you need more than one Docker host, otherwise it’s pretty pointless. That suggested to me that it was time to automate the installation of a Docker host, so that I could put together a test lab quickly and also maintain it. And, as always, CFEngine was my friend. The following policy will not work out of the box for you since it uses a number of libraries of mine, but I’m sure you’ll get the idea.

Continue reading