guest - flak

as always bundling fixes is bad

I generally like my iPhone. I think it’s fairly secure, and Apple seems pretty motivated to keep it that way (even if they don’t have the purest intentions, caring perhaps more about jailbreaking than my safety). But the way the way they go about releasing security fixes is terrible.

Highlighting two lines from a preview of iOS 8.3. First:

“As always, it’s a good idea to wait a few days to see if the update causes any problems.”

Sound advice. My phone is pretty important. I don’t like when it doesn’t work.

“As always, the iOS update includes a slew of security fixes.”

Cupertino, we have a problem.

I figure 24 hours is about the amount of time it takes from a security patch to be released until weaponized exploits show up. After that, if you’re not patched, you’re living dangerously, depending on the nature of the bug. Bundling new features with a high risk of regression with security fixes means users wait to upgrade.

The iOS 8.3 update is 280MB. It can’t even be downloaded over the air, only via wifi. Security patches are important enough that they should always be made available separately. Then I could download them, even OTA, without fear of regression.

What aggravates me most is that this is business as usual. As always. We’re training people not to patch. Users should be embarrassed to admit they’re running unpatched software; instead it’s regarded as the prudent choice.

Posted 2015-04-09 16:02:55 by tedu Updated: 2015-04-09 16:02:55
Tagged: gadget security

why did my fans come on?

Browsing the web for a bit, noticed the laptop fan come on. This is quite unusual on my new X1 Carbon, but maybe there’s some eyeball counting javascript gone wild? Close the tab, fans stay on. More unusual.

Run top. Mysteriously, the system is busy but all the processes seem idle. Watch it a bit more, pound the spacebar, and finally notice the occasional login_passwd flickering among the top processes. There’s probably a more scientific means to discover what’s up, but this worked well enough. I’m not logging in, so who is? Check /var/log/authlog.

Apr 5 08:08:10 carbolite sshd[15309]: Failed password for root from 43.255.190.148 port 50211 ssh2 Apr 5 08:08:10 carbolite sshd[15309]: Failed password for root from 43.255.190.148 port 50211 ssh2 Apr 5 08:08:10 carbolite sshd[30446]: Failed password for root from 43.255.190.154 port 49092 ssh2 Apr 5 08:08:11 carbolite sshd[15309]: Failed password for root from 43.255.190.148 port 50211 ssh2 Apr 5 08:08:11 carbolite sshd[30446]: Failed password for root from 43.255.190.154 port 49092 ssh2 Apr 5 08:08:11 carbolite sshd[30446]: Failed password for root from 43.255.190.154 port 49092 ssh2

Ah, yes, of course. That would make the fans go.

root:$2b$12$criWVll1Nov9AXQpDU2GyO/tczU87cNGYcWpcUyQx/zimHWA7HgjC:0:0:daemon:0:0:Charlie &:/root:/bin/ksh

At close to half a second per guess, 3 guesses per second will keep things busy.

carbolite:/var/log> grep "root from 43.255" authlog | wc 2056 28784 205001

And that will keep things warm.

Usually my laptop is safe and sound inside my network and not prone to remote thermal control, but it happened to be connected to a public net today. How else would anyone hunt for root’s Easter Eggs?

Posted 2015-04-05 16:01:06 by tedu Updated: 2015-04-05 19:55:59
Tagged: openbsd rants security

OpenBSD 5.7 highlights

The OpenBSD 5.7 release is still a month away, but the changes have been done for some time. The release page lists lots of changes, though certainly not all, and sometimes it’s hard to tell the big changes from the small changes. Annoying perhaps, but rewarding to someone who reads through the entire list looking for hidden gems. A few notes about changes I found personally interesting.

USB 3.0 may qualify as the headline hardware feature. The blue ports work at last, even though they aren’t even blue anymore. Owners of newer laptops are likely happy to see the iwm driver for the latest generation of Intel wireless chips.

Lots of hash function related changes. MD5 in many contexts has been replaced by SHA512. For the most part, MD5 was harmless, but now it even looks harmless at first inspection. SipHash was introduced and replaces the hash function for many hash table lookups. In some cases, the previous function was XOR, so this is a pretty substantial improvement. DES crypt moved ever closer to the attic. Most userland programs will no longer operate on traditional password hashes.

Continue reading OpenBSD 5.7 highlights...

Posted 2015-04-01 02:47:00 by tedu Updated: 2015-04-09 18:36:48
Tagged: openbsd review software

making security sausage

Security may be a process, not a product, but security patches are definitely a product. Some reflections on a few recent experiences making security sausage, er, patches.

I appear to have found myself in the position of OpenBSD sausage grinder even though it’s not a great fit. It’s not in my temperament to care about yesterday’s problems after they’re fixed, nor am I enthusiastic about long term support. I mostly run current, so I don’t have much personal interest in fixing stable. Unfortunately, I wrote the tool used for signing patches which somehow turned into a responsibility for also creating the inputs to be signed. That was not the plan!

Continue reading making security sausage...

Posted 2015-03-20 05:00:03 by tedu Updated: 2015-03-20 05:00:03
Tagged: openbsd security software thoughts

invented by openbsd

The primary product of the OpenBSD project is the OpenBSD operating system, but sometimes other artifacts are produced as byproducts. Avant-garde web site design, funny email threads. Also, reusable code that can be beneficial to other developers, outside the strict confines of OpenBSD.

Unfortunately, sometimes this code doesn’t see the widest distribution. Often this can be the result of Not Invented Here syndrome, though other times it takes the appearance of a more pernicious problem. Invented by OpenBSD.

It was brought to my attention that NetBSD recently imported two OpenBSD functions, but reimplemented them in such a way as to be dangerously incompatible.

reallocarray

Continue reading invented by openbsd...

Posted 2015-03-10 07:03:09 by tedu Updated: 2015-03-17 02:43:31
Tagged: openbsd rants software

now or never exec

Some early followup from efforts to improve browser security with more details about possible refinements to W^X.

W^X

The first obvious improvement would be to simply enforce W^X in the kernel. Userland isn’t ready, not nearly ready, for this change, though of course making such a change would go a long way towards assessing success. How do we know we’re done until we know there cannot be any W|X mappings? (Referring here to ports and the extended userland. OpenBSD userland is ready.)

By itself, this is a trivial two line change to mmap.

Continue reading now or never exec...

Posted 2015-03-10 04:07:37 by tedu Updated: 2015-03-10 04:07:37
Tagged: openbsd security

the wiki box is out of control

I’m guessing only a few wikipedia editors view articles about smartphones using a smartphone.

At least now I know the iPhone 6 has a slate form factor.

Posted 2015-02-15 10:25:36 by tedu Updated: 2015-02-15 10:25:36
Tagged: rants

another subtle string function

Recently was reminded of an old string handling function I used for programming interviews.

My original programming interview question started with a short C function that did something a little unusual to a string. When asked to describe its behavior, many candidates initially see the general outline of the function and then have difficulty seeing what the real code does when it differs from their expectations.

Reactions from candidates varied, although were usually pretty muted, given they wanted the job and weren’t likely to complain too loudly. Other interviewers, however, usually provided feedback between “That’s mean.” and “What? Why?”. The why is answered in the previous post, although opinions varied as to how likely one was to encounter such code in the wild. In refactoring some code, I ran into something fairly similar, and then had the exact issue I was testing for, only seeing what I was hoping to see.

Continue reading another subtle string function...

Posted 2015-02-10 23:31:09 by tedu Updated: 2015-02-10 23:40:05
Tagged: c programming