Spectre & Spell

Publicado el Sunday 1 April 2018

If you read our news, it is very likely that you have some form of interest for information technologies and as such, it is equally likely you heard about the infamous Intel vulnerabilities known as Spectre and Meltdown along with the tremendous cohort of processors they impact.

Needless to say, TuxFamily had a look at these issues in particular. And, like many other companies and associations, we wondered "what's next?". After all, despite their well-deserved media coverage, Spectre and Meltdown are but successors to row hammer and INTEL-SA-00086 and surely, things cannot end here, right? It felt natural to conclude that we have recently entered some form of dark period, the extent of which ought to be counted in years, characterised by a strong focus of all security-related I.T. professionals on hardware vulnerabilities. Basically, everything we discovered (vulnerabilities), learnt, improved and strove to prevent (good design and coding practices, security audits, peer reviews, etc.) in the latest 20 years is to be done again in the realm of hardware. Another way to put it is: one way or another, we are probably going to be betrayed by every existing piece of I.T. hardware in the coming years. It would be tempting to detail what would (and hopefully will) put an end to this era of misery, but this is not the point of this piece of news.

The main point is: TuxFamily is moving out of x86 processors. For various reasons, we cannot afford to wait until every piece of hardware was deemed a threat to our mutualised infrastructure. Instead, we have to move on, even if that implies to design our own machines. And guess what? This is exactly what we intend to do, thanks to our main sysadmin also being a professional electronics engineer. After further investigations about what sounded like a crazy idea at first, we eventually found the perfect brick to start building the perfect architecture TuxFamily had never dared to dream about. And this brick happens to be... the glorious TMS5100!

Surely, we do not expect all of our beloved hostees to react to that technical name. But we surely expect our plan to suddenly make a lot more sense after we rephrase it this way: we intend to rebuild TuxFamily's infrastructures based on Speak & Spell devices!

A good old Speak & Spell (picture by FozzTexx under CC BY-SA 4.0).

Think about it: thanks to their simple design (no notion of rings, no fancy MMU, etc.), not a single hardware vulnerability has ever been registered for these chips. That's right, not a single human ever had to utter "ah, crap, we have to handle the TMS5100 F00F bug ASAP". THAT is what we call "reliable foundations".

And this is where we need you! As of today, all of this remains a theoretical project; we are light-years, if not parsecs, away from our goal. To bootstrap this engineering endeavour, we do not need money (we still have plenty since the association officially moved to the Cayman islands) but we need a total of 3,261 Speak & Spell devices. Alas, we only have 1 for the moment (well, technically, we have two, but a member of the staff refused to let go of his device, claiming it was sacred and he was still using it on a daily basis and we had no right to take it by force and we would have to write our damn news ourselves if we did so). We have no doubt that some of you still have such devices in their basement and are willing to help us achieve hardware independence. Therefore, please quickly mail us your Speak & Spell devices to the following address:

TuxFamily - Spectre & Spell project
1, Rue du Ciel Étoilé
F-75000 Paris

Serge, our favourite intern, will be in charge of receiving, checking, registering, labelling, storing and/or dispatching the precious devices. All languages (English, Spanish, French, German, Italian, Japanese) and variants (e.g. Speak & Read and Speak & Math) are accepted, and all donators will receive weekly updates reflecting our march towards a better future. Do not hesitate, donate now!

With your help, we should be able to replace our infrastructures in a matter of just a few years. Of course, hostees should expect a transition period marked by very slight losses of performance compared to the current infrastructure. But surely, this almost painless transition should be long buried and forgotten by the time the I.T. hardware industry put their products back on track with regards to security.

Edit: as many of you had guessed, it was of course our traditional April Fools' prank. As severe as hardware vulnerabilities can be, we are too lazy to design and build our own hardware and therefore do not actually need your Speak & Spell devices. If by chance you insist on sending us your Speak & Spell, please contact us to get our actual postal address; indeed, the one mentioned above is based on Santa Claus' postal address (the French variant transposed in Paris to be specific) and none of you wants to mess with Santa's after-sales service, right?

Network outage

Publicado el Friday 12 January 2018, a 15:44 UTC

We are currently experiencing a network outage on all of our main services. We don't know what happened yet, we will keep you in touch. Secondary services (mx2, ns2, …) are up.

Edit: We are back online since 16:25 UTC.

Air conditioning failure

Publicado el Monday 26 June 2017, a 22:55 UTC

We are currently experiencing an outage of some services due to an air conditioning failure, we'll keep you in touch.

Edit 2017-06-27 08:40 UTC: Oh dear, there is still an ambient temperature of about 50 °C, everything is down since all our storages tripped on critical overheat condition.

Edit 2017-06-27 12:41 UTC: Good, they managed to stabilize the temperature around 45 °C, which is below critical point, we restarted everything.

The Tux Hunter

Publicado el Saturday 1 April 2017

Hey, it's April Fools' Day! As you are reading this, most websites on the Internet are publishing some kind of joke, hoping nobody within their audience notices today's date. Which actually gets kind of complicated in those harsh times where almost every human gets access to the Internet through an NTP-regulated smartphone. Ah, what a wonderful time to be alive!
This year, at TuxFamily's, we decided not to do any prank; historically, we have used April Fools' Day to threaten our estimated hostees with various calamities, downtimes and heretic decisions; what kind of hoster would do that each and every year to their hostees? That sounds inhuman. Are we inhumane? No we're not. That's why this year, instead of a silly joke, we provide you with the closest you can get to a guided tour within the TuxFamily universe, namely the infrastructures and the staff behind your favourite hoster.

Let's start with the infrastructures: our main datacenter is located in Poo, a charming town in the Indian state of Himachal Pradesh:

Our main machine room, during dry season:

These guys are former interns who, alas, left us too early during the latest monsoon.

For redundancy purposes, we have three other datacenters in Nowhere, Oklahoma. All three can be seen on this picture, with engineers about to lay an additional optical link to the first one:

This is our network backbone; as you know, TuxFamily lives on your donations and thus always strives to save money by NOT purchasing useless stuff such as fancy racks or needlessly long cables.

It would be boring to present you with pictures of all of our servers, so instead let's focus on our most powerful machine, which is also the one we check, inspect and clean most often.

Similarly, you probably do not really care what we use to work: still, here is a picture of Xavier's workstation:

and another one of Sylvain's workstation:

But enough hardware! Surely, we are proud of our infrastructures, but we never forget how useless they would be without the true magic brought by our dream teams:

First, let's introduce our PR (Public Relations) team, i.e. the guys we send to various events such as RMLL, Solutions Linux, etc. to represent TuxFamily and explain how great it can be for you:

(yes, that was "bring your child at work"-day).

By the way, they happen to be the people whom you could have rented for a night if our last year's idea of a "service that will enable you to bid for your favorite TuxFamily staff member" had become a reality. Too bad nobody liked the idea.

As you probably know already, people convinced they ought to be hosted by TuxFamily have to submit a description of their project, which is reviewed by our moderation team:

Yes, these are the guys who either accept or reject your demands. Similarly to the PR team, they all have extensive knowledge of communication and human "sensibilities" and are so dedicated to their task they sometimes travel and "knock" to the rejected candidates' doors to better explain why the project was rejected and why it is, alas, "strictly unnecessary to further insist". And that, ladies and gentlemen, is why it is so important to fill your exact residential address in TuxFamily's panel!

Of course, it would be unforgivable to forget our sysadmins! Always deeply concerned with privacy matters, be it for your data or for themselves, they expressed the wish to remain anonymous while still providing a nice group photography:

These guys are the ones who, thanks to our state-of-the-art monitoring systems, wake up at 4:37 in the morning to extinguish the fire that started at 22:12.

Last and clearly the least is Serge, our latest intern, whom we appreciate less for his programming skills (although he is quite good at "spit programming", a peculiar variant of "speed programming") than for his astonishing survival abilities:

Way to go, Serge!

That's it for your guided tour within the premises of TuxFamily. Sadly, since Serge's drool is drowning our last functioning keyboard, we are currently unable to publish the exact licenses of this article and its pictures until tomorrow.

Edit: it was of course our usual April Fools' prank; our main datacenter is in France, those famous actors do not work for TuxFamily at all and we do not send gangsters to break your wrists when your project gets refused (that does not constitute a reason not to read the FAQ before applying, though). On the other hand, who can prove we do not have a llama in the team?

Network outage

Publicado el Friday 17 February 2017, a 08:57 UTC

We are currently experiencing a network outage on all of our main services. We don't know what happened yet, we will keep you in touch.

Edit 2017-02-17 10:05 UTC: We are back!, it was due to fiber cut on two fibers which were supposed to be on two distinct paths but in the end obviously were not.

Edit 2017-02-17 22:55 UTC: And it's down again.

Edit 2017-02-18 03:12 UTC: Up!, it should be the last time, that was probably for the definitive fiber repair.

Systems upgrade

Publicado el Monday 24 October 2016, a 13:39 UTC

Due to CVE-2016-5195, we started rebooting all our hosts on a new kernel, we already silently updated all servers on which you are allowed to execute code a few days ago but it doesn't cause much disruption due to load balancing.

However, now it's time for all remaining hosts, storage servers, routers, … and that will be much more noticeable :-)

Edit: Done!, everything should be back, if this statement is wrong, please contact us ;)

VHFFS 4.6.0 Released

Publicado el Sunday 9 October 2016, a 16:24 UTC

VHFFS, the software which energizes TuxFamily, was released, featuring all changes required or just nice to have for Debian Jessie, a new TLS certificates support on top of the Let's Encrypt project allowing hosted websites to benefit from HTTPS.

Of course, as TuxFamily follows almost day-to-day the VHFFS master branch, we are already running it!

Upgrade to Debian Jessie planned

Publicado el Saturday 2 April 2016

Debian Wheezy security support is scheduled to end at the end of April, therefore we have to upgrade to Debian Jessie before this deadline. The good news is that it leaves you a few weeks to check that your installed webapps will continue to work after the upgrade.

Edit: Done!

Please welcome HTTPS

Publicado el Saturday 2 April 2016

Until recently, anything hosted by TuxFamily and reached over TLS (HTTPS, POPS, IMAPS, etc.) implied to accept a self-signed certificate.

Since the "Let's encrypt" initiative has become a reality, TuxFamily recently jumped on the bandwagon:

• *.tuxfamily.org web areas now benefit from a wildcard certificate (*.tuxfamily.org) kindly provided by GlobalSign.
• Most *.tuxfamily.org services also benefit from that wildcard certificate.
• Other TuxFamily-hosted web areas (e.g. vhffs.org or yabause.org) now benefit from a Let's Encrypt certificate.
• Due to technical limitations, *.*.tuxfamily.org web areas and domains remain plagued by a common name mismatch error; fortunately, those remain quite rare and should benefit from a Let's Encrypt certificate on the long run.

This setup should bring class-A HTTPS to your sites, and even A+ if you set up HSTS.

Since your web areas are now reachable by everybody over both HTTP and HTTPS, you are now free to adapt your sites accordingly; typical setups include (but are not restricted to):

• handling both protocols;
• enforcing only authenticated traffic to HTTPS;
• enforcing all traffic to HTTPS through redirections and/or HSTS implemented in .htaccess.

Please welcome IPv6

Publicado el Saturday 2 April 2016

All TuxFamily services are now reachable over IPv6, making them future-proof with regard to IPv4 address exhaustion.

Those of you managing their domains through DNS servers other than TuxFamily's may want to add some AAAA records pointing to 2a02:2178:1000:201::4 (IPv6 address for web.tuxfamily.net).