guest - flak

when i wore a younger fool's cap

A few grumpy remarks about the amazing tale of Slack bot tokens on GitHub. Auth tokens used for business accounts get committed into Jurassic Park quote bots saved on GitHub, allowing random passersby to eavesdrop on your paradigm shifting startup’s latest pivot? That didn’t happen back in my day! Of course, since then multiple changes have combined to change the world. A perfect storm of convergence and disruption.

First off, let’s start with the centralized Slack service. Even if somebody stole your chat server credentials, they wouldn’t be of much use if your chat server wasn’t in the cloud. We used to run an IRC server with no credentials at all because it was only on the internal network. Not terribly secure, but we got by. If I built an IRC bot one weekend, it wouldn’t come with credentials for a critical service because it wasn’t developed with credentials for a critical service.

Continue reading when i wore a younger fool’s cap...

Posted 2016-04-29 02:13:23 by tedu Updated: 2016-04-29 02:13:23
Tagged: rants software thoughts

a prog by any other name

What is a name, really?

Sometimes two similar programs are really the same program with two names. For example, grep and egrep are two commands that perform very similar functions and are therefore implemented as a single program. Running ls -i and observing the inode number of each file will reveal that there is only one file. Calling the program egrep is a shorthand for -E and does the same thing.

names

In fact, every program has three names: its name in the filesystem, the name it has been invoked with, and whatever it believes its own name to be. Under normal circumstances the first two will be the same, but it is possible to call execve with a path and argv[0] not in alignment. Sometimes by accident, as in mv.

Continue reading a prog by any other name...

Posted 2016-04-28 12:26:04 by tedu Updated: 2016-04-29 02:22:50
Tagged: c openbsd programming

master lock speed dial

In addition to earbuds, I have a tendency to lose padlocks. As a result, I tend to go through more of them than I should. Note to locker designers: place the loop on the inside frame instead of on the outside of the door so that after I open the door, I have somewhere to hang the lock where I won’t forget it.

Cheap combo locks have never been that secure, but since things have gone from bad to worse, I figured I’d try a new lock. Enter the Master Lock Speed Dial.

Instead of numbers, the combination is a sequence of cardinal directions. The packaging promises I can pick any combination of any length, though I doubt they have really invented an infinite data storage device. The default sequence length is only four inputs, which is far too short for my comfort and they should recommend at least eight. 4^8 combinations just tops the 40^3 of a very precisely machined 40 digit combo lock (to say nothing of less precise models). Despite the length, with very little practice it’s easy to enter the combo quickly and accurately. Trying to spin a dial too fast I would frequently over rotate and have to start again. The speed dial can be consistently unlocked one handed in about five seconds.

Programming the lock is a little weird and error prone. The sequence of unlocking, resetting, and locking must be performed in exactly the correct order or you get a lock with the wrong combo. Or no combo! Fortunately, this video explains two common mistakes, which I definitely experienced first hand.

For a look at the insides of the lock, this video reveals a little more about how it works.

Initially, the lock was very stiff to open. I couldn’t tell if I’d done the combination right or not (pretty important right after purchasing), but after some use it pulls open much more readily. On the downside, the casing is rather large and won’t fit everywhere that a smaller lock is expected to.

Posted 2016-04-27 18:41:45 by tedu Updated: 2016-04-27 18:41:45
Tagged: gadget

more input validation unnecessary

There’s a widespread belief that validating user input prevents security vulnerabilities. This is true as far as it goes, but doesn’t tell the whole story. Consider the following example, distilled from any number of real world examples.

if (!valid_input(buffer)) { free(buffer); error = BADSTUFF; goto ungood; } error = process_input(buffer); ungood: free(buffer); return error;

A not uncommon mistake. A vulnerability report may, quite accurately, say something like “Invalid inputs may result in remote code execution.” However, further input validation won’t fix this bug, nor will tweeting “This is why you always validate your inputs!” prevent future occurrences.

Lots of problems may share similar or even identical descriptions without sharing fixes. It’s a small point, really, but no less important. And of course, hardly limited to the field of security.

Posted 2016-04-25 18:14:33 by tedu Updated: 2016-04-25 18:14:33
Tagged: c programming security

libressl - more vague promises

There hasn’t been a lot of noise coming out of the LibreSSL camp recently. Mostly there’s not much to report, so any talks or presentations will recover a lot of the same material. But it’s an election year, and in that spirit, we can look back at some promises previously made and hopefully make a few new ones.

scorecard

First part of any campaign is to tout one’s record. And shift blame for any missteps.

Starting from the beginning is LibreSSL - The First 30 Days. On the positive side, most of the cleanup has been a success. We promised to delete support for obsolete systems and we did. We promised to delete obscure compat layers and build on posix and we did. We promised not to appease FIPS and we didn’t. We promised “If your Operating System can not provide you with a good source of entropy, it will NOT be LibreSSL’s job to fake it. Fix your Operating System. Not the SSL library.” and we... oh, hm. Time to call in the equivocator.

Continue reading libressl - more vague promises...

Posted 2016-04-19 17:28:00 by tedu Updated: 2016-04-20 16:52:02
Tagged: openbsd software

not smart is not stupid

There’s already a few other posts about the perils of complex software. Features are faults is one. The more we ask a program (or any system) to do, the more likely something will go wrong. This post is about various time saving features that backfire, when some feature promises to save me time but ends up costing more. Or in short, when the smart feature is really stupid.

Some time ago, I needed to install Ubuntu to for competitive research. Download the ISO, start VMWare, and voila, the install wizard takes it away. Instead of making me drive through the Ubuntu installer, the VMWare smart install offered to do all those mundane tasks for me. But something bad happened and what I was left with was an Ubuntu system that allowed me to login at a graphical prompt, but then left me staring at an empty desktop with no means of interaction. Not even so much as an xterm. Logging in on a virtual console helpfully informed me that installation was in progress, but after leaving the system in this state for some time, no progress was observed. I had a very pretty but otherwise useless husk of an Ubuntu system. This may have been a recoverable error, but I wasn’t sufficiently motivated to find out.

Continue reading not smart is not stupid...

Posted 2016-04-15 03:28:33 by tedu Updated: 2016-04-15 03:28:33
Tagged: software thoughts

the nether

In the future, the Internet becomes The Nether, a fully immersive virtual reality and the setting for a play by Jennifer Haley. The play alternates scenes between a real space interrogation room and flashbacks to events in the nether. A detective demands that the proprietor of a particular realm, one that specializes in adult-child relationships, reveal the location of the hosting server.

Most of the play explores the line between reality and perception. What difference is there between feeling something and doing it? Or as one character put it, the nether is the contextual framework for our existence. This is a question with at least twenty years of fiction, but I liked the approach taken here. Despite the pervy setting, it’s a very human story.

Continue reading the nether...

Posted 2016-04-13 01:58:41 by tedu Updated: 2016-04-13 01:58:41
Tagged: event moviereview philly

firefox vs rthreads

Mistakes were made, but not by me.

Firefox is too slow. OpenBSD is too slow. The combination is too too slow. This situation was known for some time, but resolution was also slow for quite some reasons.

Many Firefox on OpenBSD users, particularly developers, only use OpenBSD so the extent of the performance gap between platforms went unnoticed. Web browsing would grow ever slower, but the only page that matters would continue to load as quickly as ever, once the slumbering lizard had awoken. Clearly the reason it takes me thirty seconds to view a single tweet was idiot kids and their infernal javascript frameworks.

A few changes were made which improved some of the worst cases, but made much less of an overall impact. A tweak to realloc to avoid a peculiar case in the X server where it would repeatedly resize a buffer. A tweak to malloc to reduce contention on the lock while one thread was making a system call. Another tweak to X’s socket buffers to reduce the number of system calls required to move images back and forth.

Continue reading firefox vs rthreads...

Posted 2016-04-11 04:39:10 by tedu Updated: 2016-04-11 20:03:00
Tagged: openbsd

the future is arriving too fast

Because I am old, sometimes instead of watching new original content, I want to watch old preexisting content which is not available on Netflix or any other streaming service. Fortunately, there is a solution. Netflix also has a service which will mail me plastic circles that I can watch by putting them in my plastic circle player. I can manage the queue of such circles by using my browser. Ah, the wonders of technology.

Also because I am old, sometimes I go talk with other old people, in person, at bars and such. Mostly we reminisce about the old days, when we had to seduce people with words instead of pictures of our junk. But sometimes the conversation turns to entertainment, such as movies. Somebody might claim that Jupiter Ascending by the Wachowskis is the spiritual successor to The Matrix. This is obviously a claim that needs to be seen to be believed. (Though I recommend neither seeing nor believing.)

Continue reading the future is arriving too fast...

Posted 2016-04-06 18:35:40 by tedu Updated: 2016-04-06 18:35:40
Tagged: business rants web