MoreRSS

site iconColin PercivalModify

Blog Dev Safe Canada
A Canadian computer scientist and computer security researcher. FreeBSD/EC2 maintainer, FreeBSD Release Engineering Lead, AWS Hero, and author of @Tarsnap .
RSS: https://www.daemonology.net/blog/index.rss
Please copy the RSS to your reader, or quickly subscribe to:

Inoreader Feedly Follow Feedbin Local Reader

Rss preview of Blog of Colin Percival

Patched FreeBSD AMIs

2026-01-21 02:30:00

I've been maintaining FreeBSD in the EC2 cloud since 2012, and from October 2013 onwards FreeBSD AMIs had code to automatically download and install security and critical errata updates when they first boot. Importantly, this took place before sshd started running, to ensure instances could be launched safely even if there were OpenSSH vulnerabilities in the release, and the system rebooted after installing updates to ensure that it would be running an updated kernel.

How to support FreeBSD on your cloud

2025-11-08 16:45:00

As most of my readers are aware, I ported FreeBSD to run on the Amazon EC2 cloud, and have been maintaining the platform ever since. Between this and my (far more recent) role as FreeBSD release engineering lead, I sometimes get a question from other cloud providers: "What's involved in supporting FreeBSD" — or sometimes, "How can we make FreeBSD on our cloud work as well as FreeBSD works on EC2?". This came up again while I was at the FreeBSD Vendor Summit in San Jose, and it occurred to me that it would be useful to write things down once — even if there's only a handful of clouds which aspire to compete with Amazon, it will save me time and allow me to give a more complete answer than if I'm trying to answer off the top of my head at a conference.

Thoughts on (Amazonian) Leadership

2025-09-01 08:30:00

Amazon's Leadership Principles are famous, not just within Amazon but also in the tech world at large. While they're frequently mocked — including by Amazonians — they're also generally sensible rules by which to run a company. I've been an Amazon customer for over 25 years and an AWS customer for almost 20 years, and also an AWS Hero for 6 years, and while I've never worked for Amazon I feel that I've seen behind the curtain enough to offer some commentary on a few of these principles.

  • Customer Obsession: Leaders start with the customer and work backwards. They work vigorously to earn and keep customer trust. Although leaders pay attention to competitors, they obsess over customers.
    Customer Obsession is great, but I often see Amazonians taking this too simplistically: "Start with the customer" doesn't have to mean "ask customers what they want and then give them faster horses". In the early days of AWS I saw a lot of what I call "cool engineering driven" products: When EC2 launched, it wasn't really clear what people would do with it, but it was very cool and it was clear that it could be a big deal in some form, sooner or later. Some time around 2012, the culture in AWS seemed to shift from "provide cool building blocks" to "build what customers are asking for" and in my view this was a step in the wrong direction (mind you, not nearly as much as the ca. 2020 shift to "build what analysts are asking for in quarterly earnings calls").

A year of funded FreeBSD

2025-06-07 03:30:00

I've been maintaining FreeBSD on the Amazon EC2 platform ever since I first got it booting in 2010, but in November 2023 I added to my responsibilities the role of FreeBSD release engineering lead — just in time to announce the availability of FreeBSD 14.0, although Glen Barber did all the release engineering work for that release. While I receive a small amount of funding from Antithesis and from my FreeBSD/EC2 Patreon, it rapidly became clear that my release engineering duties were competing with — in fact, out-competing — FreeBSD/EC2 for my available FreeBSD volunteer hours: In addition to my long list of "features to implement" stagnating, I had increasingly been saying "huh that's weird... oh well, no time to investigate that now". In short, by early 2024 I was becoming increasingly concerned that I was not in a position to be a good "owner" of the FreeBSD/EC2 platform.

Chunking attacks on Tarsnap (and others)

2025-03-22 03:00:00

Ten years ago I wrote that it would require someone smarter than me to extract information from the way that Tarsnap splits data into chunks. Well, I never claimed to be the smartest person in the world! Working with Boris Alexeev and Yan X Zhang, I've just uploaded a paper to the Cryptology ePrint Archive describing a chosen-plaintext attack which would allow someone with access to the Tarsnap server (aka me, Amazon, or the NSA) or potentially someone with sufficient ability to monitor network traffic (e.g. someone watching your wifi transmissions) to extract Tarsnap's chunking parameters. We also present both known and chosen plaintext attacks against BorgBackup, and known plaintext attacks against Restic.

And, of course, because Tarsnap is intended to be Online backups for the truly paranoid, I've released a new version of Tarsnap today (version 1.0.41) which contains mitigations for these attacks, bringing us back to "I can't see any computationally feasible attack"; but I'm also exploring possibilities for making the chunking provably secure.

My re:Invent asks

2024-12-04 10:30:00

As an AWS Hero I get free admission to the AWS re:Invent conference; while it's rare that I'm interested in many talks — in previous years I've attended "Advanced" talks which didn't say anything which wasn't already in the published documentation — I do find that it provides a very good opportunity to talk to Amazonians.

While I'm sure many of the things I ask for get filed under "Colin is weird", I know sometimes Amazon does pay attention — at least, once I find the right person to talk to. Since I have quite a list this year, and I know some Amazonians (and maybe even non-Amazonians) may be interested, I figured I might as well post them here.