Reading recommendations (2018-05-18)

Posted on Fri 18 May 2018 in reading recommendations

Recently I’ve spent a lot of time playing Ni No Kuni 2: Revenant Kingdom and some Tomb Raider, in addition to one of my classics, Cook, Serve, Delicious! 2. I’ve also taken some time to revisit Final Fantasy Tactics Advance 2: Grimoire of the Rift, my favorite title for the DS.

I’ve also discovered Crunchyroll, an awesome service that lets you stream licensed anime for free, legally. I’ll happily disable my adblocker for that service — though I do find it curious that the ads I get are so strange. Sometimes they don’t load at all. Sometimes I get the same clip six times in a row. So far I’ve checked out Black Clover, Darling in the FRANXX, Restaurant to Another World and Interviews with Monster Girls. Sadly, some series are not available in my region.

Interviewing for a successor

Posted on Fri 11 May 2018 in work • Tagged with Institute for Computer Vision and Computer Graphics

I left my job at the ICG in March 2018. One of my last tasks there was helping to search for a successor for my position, someone to whom I could hand over my responsibilities with as few worries as possible. I took the same job posting that had been used to announce the opening when I applied and updated it with new phrasing. I wanted to emphasize that a lot of learning can be done on the job. Experience in the comprehensive list of open source technologies the institute uses was a definite plus, but I was certain that a minimum of understanding of Linux, good written and spoken English as well as the willingness to learn were enough to grow into the job. After all, the people who apply usually do not match every qualification on your list, but bring some that are not on the list and help anyway.

I wanted to make sure that we had as objective a method to judge the applicants as possible — therefore I put together a questionnaire containing two real-life scenarios as well as a short list of bonus points. These questions were discussed with the applicants and I decided which topics were sufficiently answered. I held the entire technical part of each interview.

I want to point out that my goal was not — as some of my colleagues joked — to create a test which one could “pass” or “fail”. I simply wanted to measure applicants by a more meaningful measure than “they were good” or “they were ok”. I had the hope that my scenarios would give us a heads-up whose technical knowledge was better if applicants were subjectively close to each other.

Section 1 - VM diagnosis & rescue

You have a physical machine running a hypervisor (e.g. Xen) and a virtual machine running a Debian-based Linux distribution (e.g. Ubuntu). You notice that the VM has stopped checking in with your monitoring solution. What do you do?

- contact via SSH
- check if the machine is listening (e.g. `ping`, `nmap`)
- check if the machine is running (e.g. `xl list`, `xl top`)
- send out notice that you're working on said machine (*bonus*)

The initial step of the diagnosis covers checks one can do really quickly. I accepted solutions that did not name the suggested command line utilities if they served a similar purpose (e.g. VBoxManage would be fine). Bonus answers give additional points that can raise the score above the maximum points of a given question.

You have established that the machine is indeed not running. When you tried to restart the machine via the hypervisor, it is showing activity in the hypervisor output but it is neither accessible remotely (via SSH) nor does it show up in the monitoring solution. What are your next steps?

- check log files
  - host logs => there is nothing relevant in them
  - guest logs
  - centralized logging solution (*bonus*)
- try starting the machine with more verbose output from the hypervisor (*bonus*)
- check with some tool that displays the screen of the VM (e.g. VNC with SSH forwarding, `virt-manager`)

The second step is trying to figure out the cause of the issue after having verified the issue in step one.

You realize that the machine is not booting. It looks like a problem with GRUB but you are not entirely sure. You’d like to access the guest logs, just to be sure. The guest’s entire disk is an LVM logical volume mounted directly into the VM by the hypervisor. How do you proceed?

- find a tool to mount the logical volume on the host
  - read-only (*bonus*)
  - `kpartx` (*bonus*)
- check the logs in `/var/log/syslog` and similar files in `/var/log`. Check `/var/log/dpkg.log`.

Step 3 is to make reasonably sure that the problem really is due to GRUB and has not been triggered by something else entirely.

It is now more likely than ever that this is a GRUB problem. How do you proceed to try and fix the VM?

- boot from ISO (or remount read-write on host)
- `boot-repair` (*bonus*)
- reinstall GRUB

The last step of the first scenario deals with an actual attempt at fixing the VM. The infrastructure at ICG is built in a way that makes repairs more feasible than spinning up and configuring new machines without data loss.

Open question: What do you think could be the cause of such an issue?

No points were given for this question, but I noted down what the applicants came up with and commented on the likelihood of their thoughts, so they had some immediate feedback.
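The first scenario, as a small triage script. This is an added example and not part of the original questionnaire; the `xl list` output it parses is constructed sample data, and the `inspect_guest_disk` function (step 3: mapping the guest's LVM volume read-only on the host with `kpartx` and reading its logs) only runs when the script is invoked with `--rescue`, since it needs root and a real logical volume.

```shell
#!/bin/sh
# Added example, not from the original post. vm_state/classify_state answer
# "is the guest actually running?" from xl list output (sample constructed
# below); inspect_guest_disk mounts the guest's volume read-only on the host.

SAMPLE_XL_LIST='Name                                        ID   Mem VCPUs      State   Time(s)
Domain-0                                     0  1024     4     r-----     812.3
vm-build                                     3  2048     2     -b----      56.7
vm-web                                       5  1024     1     ----c-       0.4'

# Print the State column (r running, b blocked, p paused, s shutdown,
# c crashed, d dying) for one guest, or "absent" if xl does not list it.
vm_state() {
    printf '%s\n' "$2" | awk -v n="$1" '
        NR > 1 && $1 == n { print $5; found = 1 }
        END { if (!found) print "absent" }'
}

# Turn the state flags into a verdict. "b" (blocked) is the normal idle
# state of a healthy guest, so it counts as running.
classify_state() {
    case $1 in
        absent)  echo "not-listed" ;;
        *c*)     echo "crashed" ;;
        *d*)     echo "dying" ;;
        *p*)     echo "paused" ;;
        *s*)     echo "shutdown" ;;
        *r*|*b*) echo "running" ;;
        *)       echo "unknown" ;;
    esac
}

# Step 3: map the partitions of the guest's LVM volume read-only, look at
# /boot and the logs, and clean up. Usage (as root): --rescue /dev/vg0/vm-web
inspect_guest_disk() {
    lv=$1
    mnt=$(mktemp -d)
    kpartx -a -r -v "$lv" >/dev/null           # -r: read-only partition mappings
    for part in $(kpartx -l "$lv" | awk '{ print $1 }'); do
        dev=/dev/mapper/$part
        # noload skips ext4 journal replay, which a read-only device cannot do;
        # fall back to plain ro for other filesystems
        mount -o ro,noload "$dev" "$mnt" 2>/dev/null || mount -o ro "$dev" "$mnt" 2>/dev/null || continue
        echo "== $dev"
        ls "$mnt/boot" 2>/dev/null | head      # a missing kernel or grub directory shows here
        for log in syslog kern.log dpkg.log; do
            [ -f "$mnt/var/log/$log" ] && { echo "-- $log"; tail -n 20 "$mnt/var/log/$log"; }
        done
        umount "$mnt"
    done
    kpartx -d "$lv"
    rmdir "$mnt"
}

if [ "${1:-}" = "--rescue" ]; then
    inspect_guest_disk "$2"
else
    for vm in Domain-0 vm-build vm-web vm-missing; do
        echo "$vm: $(classify_state "$(vm_state "$vm" "$SAMPLE_XL_LIST")")"
    done
fi
```

Without arguments the script only runs the state classification against the embedded sample (the crashed `vm-web` and the unlisted `vm-missing` are the two cases worth acting on); the read-only mapping is the point of the bonus answers in step 3, because a diagnosis should never change the disk it is examining.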

Section 2 - Server best practices

You have a service that you need to provide to the whole internet (or rather, your colleagues who are currently abroad). It has at least one component accessible by a web browser and one more component (e.g. SSH, IMAP, POP) that needs to be protected. How would you make reasonably sure that things are protected?

- protect the web service with a TLS certificate [and encryption]
- redirect port 80 to 443 to always enforce encryption
- implement a rate limit against brute force attacks (e.g. `fail2ban`, builtin software)
- have the server update the software on its own (or have a way to be notified of updates, e.g. mail, RSS)
- implement a backup strategy [and test it]
- provide VPN access or suggest using TU VPN and restrict firewall settings (*bonus*)
- **set up monitoring for aforementioned things**

The server best practices section was my attempt to get a feel for what the applicant knows about operations. While the previous scenario revolved around troubleshooting, this one is focused on knowledge and understanding of running servers in production. This was a question where I almost always received additional answers to the ones I hoped for.
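Two items from that list can be verified from the outside, which is what the bolded monitoring point asks for. The following script is an added example (not from the original post): it checks that plain HTTP redirects to HTTPS and that the HTTPS response carries an HSTS header with a sufficient max-age. The response headers it parses are constructed samples in the format `curl -sI` prints; only the `probe` function, used when a hostname is passed, contacts a real server.

```shell
#!/bin/sh
# Added example, not from the original post: external checks for the
# "redirect 80 to 443" and "TLS everywhere" items, usable as a monitoring probe.

# Constructed sample headers, as curl -sI would print them.
SAMPLE_HTTP='HTTP/1.1 301 Moved Permanently
Server: nginx
Location: https://example.org/
Content-Length: 0'

SAMPLE_HTTPS='HTTP/1.1 200 OK
Server: nginx
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Type: text/html'

SAMPLE_BAD='HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html'

# Return 0 when the plain-HTTP response is a redirect whose Location is https://.
check_https_redirect() {
    printf '%s\n' "$1" | awk '
        NR == 1 && $2 ~ /^30[1278]$/ { redirect = 1 }
        tolower($1) == "location:" && $2 ~ /^https:\/\// { https = 1 }
        END { exit !(redirect && https) }'
}

# Return 0 when an HSTS header is present with max-age >= $2 seconds
# (default one year, the value HSTS preload lists require).
check_hsts() {
    min=${2:-31536000}
    printf '%s\n' "$1" | awk -v min="$min" '
        tolower($1) == "strict-transport-security:" {
            if (match(tolower($0), /max-age=[0-9]+/)) {
                age = substr($0, RSTART + 8, RLENGTH - 8) + 0
                if (age >= min) ok = 1
            }
        }
        END { exit !ok }'
}

# Probe a live host (needs network). curl refuses an invalid certificate by
# default, so a broken TLS setup also fails here.
probe() {
    host=$1
    http=$(curl -sS -m 10 -I "http://$host/") || return 1
    https=$(curl -sS -m 10 -I "https://$host/") || return 1
    if check_https_redirect "$http"; then echo "redirect: ok"; else echo "redirect: MISSING"; fi
    if check_hsts "$https"; then echo "hsts: ok"; else echo "hsts: MISSING or max-age too short"; fi
}

if [ -n "${1:-}" ]; then
    probe "$1"
fi
```

The two check functions exit non-zero on failure, so the script can be wrapped as a Nagios/Sensu-style check; rate limiting, automatic updates and backups are the items on the list that have to be verified on the server itself rather than from outside.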

Section 3 - Short questions

Do you have any experience with:

- Git
- Continuous integration (e.g. GitLab CI, Jenkins)
- Configuration management (e.g. Puppet, Chef, Salt)
- standard monitoring tools (e.g. Nagios, Sensu, Elastic products)
- NFS and auto-mounting
- web servers (e.g. Apache, Nginx)
- debugging software not written by you (e.g. Python code that shipped with your distribution)

This last section of questions aims to establish which topics the applicant might need training in, in order to fully understand and utilize existing ICG infrastructure.


After careful review of all applicants and their technical skills and demonstrated understanding of systems in use I gave an informed recommendation on whom to hire. I had the — very short — opportunity to introduce my successor to the most critical systems. For everything else they will have to rely on the documentation I wrote, their team members and their own skillset.

I certainly wish them all the best.

Ljubljana 2018 (BSides Ljubljana)

Posted on Sat 24 March 2018 in journeys

Going to Ljubljana for BSides Ljubljana 2017 was comparatively without troubles, not counting my scheduling difficulties resulting in several annoying waiting times.

Day 1

I took the train from Graz and read a book I had previously purchased but never read, as I usually do when trying to pass time. When the scheduled arrival time came I was a bit nervous as I feared I might have missed my stop. Several minutes after the scheduled time I still didn’t hear an announcement saying the next stop would be Ljubljana. Nervousness turned into slight annoyance. By now I just assumed I had either missed the stop - which was bad - or the train was delayed - which was slightly less bad. I didn’t need to catch a connection. It just meant the people responsible for the apartment would have to wait even longer for me though.

I left the train and wondered why the train station would be so small. In retrospect I only saw the underground and the back exit on that day. The actual train station is larger, though not especially large. It’s also a short walk away from most of the tracks, which was part of the reason for my confusion.

Since - obviously - leaving the train station through the wrong exit does not lead one directly to waiting taxis, I had no luck there. So I asked Google Maps to find me an ATM and plot a route to my accommodation. The suggestion included a bus ride with pricing information for the bus. Upon entering I saw people paying with a contactless card. No one paid in cash as is common in Graz. I asked the bus driver but he waved me away, so I took a seat, next to a helpful information panel. Said panel happened to spell out the usage instructions for the contactless payment but not where to get such a card.

Once I arrived at the loft - Tobacna Red - it really was as nice as the reviews and images had suggested. I don’t remember asking my contact for information about the Urbana bus cards, which was an oversight. I ventured out to find something to eat and asked in a kiosk for the tickets because I had read earlier on the Internet that you could “get them basically everywhere”. So, yeah, newsflash. Don’t believe everything on the Internet, regardless of how nicely made the site is. Anyway, the friendly lady at the kiosk couldn’t help me and the resident I happened to find wasn’t able to explain to me where to go either, though she clearly understood what I meant.

I had lunch at Meta in Bazilika where the hint from the waiter not to take the “wok risotto” should’ve been a clue not to eat there. Or the fact that despite the nice weather both the garden and the interior were completely empty.

I’m honest, the wok risotto… don’t take that. It’s just not good.

Well, thanks for that, but neither was the risotto with turkey and tomatoes. Now, I’m not a cook, so what do I know… but you might want to try seasoning the turkey next time. Or making the risotto actually creamy. However, the waiter also gave me the hint that the Urbana card was available “in the center”.

After venturing there, I found a tourist information spot which sold the cards. Paid €2 for the card and €5 for an initial charge. Then I walked up the castle hill but by the time I was done taking some pictures and having an initial walk around the castle it was too late to go inside with only 20 minutes remaining.

View of some part of Ljubljana, taken from the castle hill in the afternoon sun

A tower as part of the castle in Ljubljana, Slovenia

So, down into the old parts of the town it was. I fancied a cake and looked around until I found a restaurant with great looking Tiramisu visible from outside. Sadly, the waiter told me he could not sell me the Tiramisu. It was reserved for dinner guests and official dinner hours wouldn’t start until later. However, he pointed me to a café which serves great cakes. I checked out Slaščičarna pri Vodnjaku. The cake made with Nutella and bananas was delicious. The tea was… okay I guess. I have rarely had fruit tea that was that sour though - not sure what was in there. I even ventured back to the restaurant to thank the waiter for his suggestion after checking whether he was currently busy. That earned me another recommendation - Le Petit Cafe which served excellent breakfast, according to him. Now, breakfast isn’t really my time of day, but this opinion slightly changes when it’s served until 1 PM.

After that I was getting tired, so I grabbed a Sub for later and headed home. By foot, since the route planner didn’t suggest any buses. After checking I realized why. Going by foot was 12 minutes. Waiting for the next bus would’ve been 24 minutes. Getting over that annoyance was several days.

Day 2


Due to sleepiness I only attended the last few seconds of the BSides keynote even though the event was literally in the next building. Also, before I forget, the videos have been archived at If you want to watch just one talk, make it “The consequences of bad security and privacy in healthcare” by Jelena Milosevic.


The first talk I attended was Security Automation in CI pipeline. I considered most of the lessons from there obvious, but this is after working as a developer and as an admin with a CI pipeline I built due to personal interest. Basically, if things can be automated to avoid problems, let’s try to automate them. I don’t think many companies have existing pipelines in place that allow for testing security in a reproducible and automated way. Of particular interest to me was the way this was suggested in the talk.

The (GitLab) pipeline had a test stage, a deploy-to-staging stage, ran the security tests against staging and afterwards deployed to production. I like this idea but am somewhat curious how much delay this separation adds. I usually try to increase parallelism and would’ve preferred an approach in which the security testing isn’t adding two more stages. My preference for this is because stages are run sequentially while jobs in the same stage can be run in parallel. (Gitlab terminology and CI doc)


I listened to the last words from the first talk in track 1 since my talk ended early. The presenter had to defend his work and lecture since no one outside the corporate/government environment actually felt the need to decrypt QUIC and TLS 1.3 traffic. I sat down for Trape – the evolution of phishing attacks.

I don’t think I know quite enough about how phishing attacks and persistence on a machine are typically done to properly evaluate the use of Trape. Quite frankly, while the automated profiling of social media and general website accounts seemed handy, it didn’t impress me. Yes, that was certainly convenient, but I hardly found exploitation of browser implementation details from a local server all that exciting.


The consequences of bad security and privacy in healthcare was my favorite talk this BSides. It wasn’t purely technical nor was it theoretical. Instead, it was a window into how hospital IT security is often run. Opsec as seen in reality. Some of the results were really bleak and quite frankly, horrifying in terms of possible implications for abuse of power, abuse of data or loss of data.

Here’s a quote - which I note from my memories instead of the stream, so it might not be entirely accurate:

So, I asked them, have they upgraded all systems and secured all things properly. And they answered, yes, of course, everything is fine. But then you find a blood bank running on Windows XP.

These are the scenarios that make you shiver as someone with even a faint interest in information security. Mission-critical infrastructure running on an OS of which even the successor has already been retired.


There was pizza. Pizza is the default for BSides events from what I’ve seen so far, except when you’re in the land of pizza in which case there’s a mixed buffet arranged by a catering firm.


Someone made a joke up front how the Docker security talk would probably be short. It was. It was extremely short and disappointing. I joined the talk in the hope of learning something valuable that might be substantial to gaining an understanding of the security aspects of a technology I had almost no experience with yet.

There are two sides to this talk: One was great and one was depressing. The depressing part was how the advice for Docker security came down to three bullet points:

- don’t use `--privileged`
- don’t mount the Docker socket inside the container
- don’t use the docker group and prefer usage of sudo instead

I have furthermore been told that this should’ve been extended by at least:

- drop the root privileges in the container
  - if possible
  - as soon as possible

Now, the cool part of this was that the speaker demonstrated the ways each of these flaws could be used to gain root on the host. Frankly speaking, that these kinds of configurations might be deployed to production is a bit terrifying.


The speaker in How (not) to fail as a security professional [Lessons learned] has been working in InfoSec, development and administration for years and shared some advice how to fail. While the talk was indeed very entertaining and certainly helpful, I don’t remember a good lot of it. One should think that not being an asshole and never stopping to learn would be a good starting point for people in any career. Also, writing articles about individual talks several weeks after the talk without any notes isn’t particularly easy…


The keynote speaker, Finux, threw together an impromptu version of the third part of his privacy-focused lecture. I’ll be frank, I didn’t like part 1 a lot in 2016. However, I was positively surprised by the content and the blend of disciplines in this one. The impact of architecture on the concept of privacy was a fascinating topic I’d probably never have considered getting informed about.

CSides, so to say

After listening with a sharp mind for the whole day I wanted some relaxation and went to one of the fancier restaurants. I wasn’t exactly sure what to go for, but ended up in Vander restaurant, eating boar and fancy dessert. The city is lovely in the evening - even when it was pitch dark, people were still out and about, huddling around heating lamps and enjoying their drinks near the river. The atmosphere was amazing and I struggle to imagine how nice it has to be when it’s not too cold for my taste. Ljubljana’s cafés also happened to have fruit tea in stock which was a huge step up from my Rome visit. ;)

Shot across the river, people sitting around heating lamps in front of a brightly lit bar, shot taken during the dark of the night

Day 3

I checked out at 11:00 and sat around until 16:00 when my train left back for Graz. The weather wasn’t suited for grand adventures given that there was constant slight rain that made the perceived temperature drop. I’m already constantly cold, so no need to stay outside longer than necessary in suboptimal conditions. Still, I was inclined to check out the café and headed there. I arrived and it was packed. Even the tables on the outside below big umbrellas with heating lamps were full.

Resorting to the Café Lolita where I had seen the waiter juggling the evening before, I had the most delicious Black Forest cake I’ve ever tasted. I ordered that with “hot chocolate” and was pleasantly surprised when I actually got hot chocolate instead of the regular cocoa. As an aside, I order hot chocolate since I’m used to getting cocoa and the term seems to be more common than just cocoa in the foreign countries I’ve been to so far.

A rectangular dish with a small piece of Black Forest cake. Behind the dish a cup with liquid brown chocolate

Since I sat there for several hours, I also had non-alcoholic punch which was very tasty. I liked the berries and mandarin oranges a lot. I wholeheartedly recommend this place.

Of course, no place is perfect.

I realize I’m the stupid tourist her[e] but wouldn’t you want to label your restrooms in your prime location cafe in a way that is somewhat clear to foreigners? ~Alexander Skiba (@ghostlyrics), March 11, 2018

A tall glass filled with red punch. It has fruits swimming in the punch

After some more sitting around and waiting I finally walked to the train station, all the while looking for some kind of food place along the way. None of them tickled my fancy, so I boarded hungrily and made for the dining car after a while. Food there was rather plain, but I liked the open car. The low chair backs and plush seats combined with large panorama windows reminded me of the Murder in the Orient Express movie that had impressed me last year.

A wide open dining car with cozy benches the low backs of which offer a great view of the scenery through panorama windows

As an aside, I did check out the train station hall and noticed something that would’ve helped me a lot on my first day: Of course, the tourist information point inside the train station would have been the other viable option for purchasing an Urbana card. Had one realized that there was a main building. Had one bothered to check inside.

Reading recommendations (2018-02-19)

Posted on Mon 19 February 2018 in reading recommendations

I have spent most of my time with Final Fantasy XII recently, which has been remastered for PC and is as great as I remember. Some light reading, novels and writing job applications are what the rest of my free time was invested in. Apart from that I continue to play Final Fantasy XIV, but I write about that from time to time anyway.

Final Fantasy XIV: Stories of Departures

Posted on Mon 29 January 2018 in video games • Tagged with Stories

This wasn’t an easy post to write but I still needed to get it out. You can ignore the following while muttering #mmoproblems to yourself. I won’t fault you. I’d still appreciate if you kept on reading though.

Kakysha lying in bed and contemplating

I have been thinking. There’s an aspect to playing an online game that was somewhat unexpected to me - you bond with people even though you don’t personally know them. You log in every so often and run with the same crowd (yes, I totally typoed that into “crown” at first). You check in with the regulars from your Free Company (read: guild). You have a set of people in your friends list. Maybe you have some additional linkshells (read: private group chats) that you like to visit every so often.

There’s a certain comfort in seeing familiar… well, not exactly faces. You meet avatars, fantastical characters that sometimes make you forget you’re there together with real people. For every player character there’s a person sitting somewhere behind a keyboard or a gamepad (well, almost, but botting is technically against the TOS).

I’m not a person to bond or trust easily. That’s just my personality. The interaction by proxy, like the ingame avatars makes things much, much easier though. I can still be witty, make stupid jokes, annoy others with inappropriate comments and help them all the while. But if I decide to cease interaction, that’s easier too. That’s the part where your brain tricks you into thinking even people you have spent many hours with are not important because they’re “hidden” behind characters.

I have watched the ebb and flow of people in our FC. FFXIV is a highly cooperative game, so you feel the impact of fellow players not being around anymore. It’s not necessarily that you’re losing. It’s the feeling of loss despite achieving your goals. The lessened atmosphere. The absence of a familiar friendly face.

This post was prompted by someone whom I consider a good friend leaving the FC. But the thoughts behind it have been true for a while now.


Whenever people leave I wonder what their reasons were. Were they unhappy? Did they get into an argument? Did their friends wander off? Or perhaps something else altogether?

I try to talk to people, then. Yes, talking is hard, I get that. However, I consider not trying a personal failure. It’s not that I have the need to convince people to return. My curiosity drives me to learn their reasons for leaving so that perhaps the FC can be a more friendly place in the future with fewer reasons for members to leave.


I remember a while ago when a group of friends left. They were open to discussion and it was clear from the beginning that the group had only sought temporary refuge at The Black Crown. Them leaving to start up their own Free Company was a decision that was given a lot of thought. They are still open to communication and it was a pleasure to host them as long as it lasted.

I remember someone leaving who was a roamer. It’s hard to quantify how many players are this type of person, but they did not stay long in any FC. They even said so up front and close to no one gave it a lot of thought when they left, eventually. It hit a bit harder when their partner in crime left because they had earlier stated they would not leave together, but it wasn’t completely unexpected either.

I remember talking to Kakysha’s big brother at length why he left his previous FC, how he talked about a feeling of not belonging and why he preferred to play in solitude for a while. I think he described it as feeling alone in a crowd. I’ve suggested back then that perhaps it was not the right crowd for him while at that time not directly inviting them into our FC because I felt that was tactless. I merely stated he was welcome should he ever want to join. Kakysha and her brother rarely meet - Eorzea is a big world after all, but they enjoy each other’s company tremendously.

Kakysha discussing important issues with her bigger brother in Kakysha's room

I remember my honored friend leaving with neither farewell nor complaint. It still hurts. I inquired for their reasons and received a vague answer that perhaps it was due to an argument or something that another person might have said. Polite inquiry would not reveal a more concrete answer and I respect my friend too much to be nosier, even though I’m implicitly required to be since my recent promotion to a leadership position in the FC. I was merely saddened that they neither tried to talk to leadership nor the person(s) in question. Without pointing out what exactly was wrong and talking through both actions and consequences, how can we strive to improve the trust and respect that I feel we owe our members? How can I try to provide sprouts (read: newcomers still in the early stages of the game) as comfortable a home as the Seraphs provided me when I was full of disappointment about my previous FC?

Should you read this, friend, good bye but not farewell. Know that you have a place at Crown, should you want to return.


Kakysha sends her greetings from Tamamizu where she’s still trying to gain the favor of the Kojin people so they grant her permission to obtain a striped ray. She’s looking forward to meeting the Ananta people though because she heard they are breeding elephants. Our favorite adventurer loves elephants. She said to tell you she’s sorry this isn’t a more story-heavy post.