It’s been a week and change since the first LibreSSL portable release was announced to much sturm und drang. I’m not directly involved, but a few thoughts and reflections on the release and its reception. (Deliberately missing some links; do your own digging if you care.)
Most people seemed pretty happy with the release. That was good. There were a few portability wrinkles. They got fixed. That was good.
Then there were the LibreSSL is an unsafe catastrophe fun times. My earlier thoughts.
Now what was missing was any mention of prior art. Like CVE-2013-1900. Is PostgreSQL unsafe? Or CVE-2014-0017. Is stunnel unsafe? These are real programs, presumably trying to be secure, with real exploits. Not carefully crafted samples that aided in their own exploitation. Perhaps it’s OpenSSL that’s unsafe? It’s not like OpenSSL hasn’t had its own fixes for trouble with pid reuse.
Continue reading this is why software sucks...
Posted 2014-07-22 18:03:38 by tedu Updated: 2014-07-22 18:03:38
Tagged: rants software
(An old thought, but hey, responsible disclosure is in the news. Again.)
The phrase responsible disclosure doesn’t have a precise definition. Instead, it can only be understood in terms of its opposite, irresponsible disclosure, which is defined as “any disclosure I don’t like”.
Instead of using a phrase that encodes a value judgment in place of a description, let’s pick a technical term that describes what’s happening: selective disclosure. This phrase is then neatly contrasted with its opposite, full disclosure.
Posted 2014-07-22 16:59:53 by tedu Updated: 2014-07-22 16:59:53
Tagged: software thoughts
One of the great things about the animated GIF format, despite its many other deficiencies, is that it works everywhere. Even stodgy old browsers can display it. Naturally, this fact means that whenever an animated GIF is uploaded to twitter, they convert it to a format that fewer browsers can display.
The “Download File” text floating towards the bottom left links to an MP4 file of what was once the GIF. Just one more way developers are working to make the web a better place. Thanks guys!
Posted 2014-07-17 00:32:29 by tedu Updated: 2014-07-17 00:32:29
Tagged: bugs rants web
After the recent OpenBSD hackathon, I took a day off to chill out in Trieste before flying home. In the mean time, a blog post regarding the perils of getpid wrapping appeared. Unfortunately, by the time I made it home and reconnected to the tubes, kettenis and bcook had already fixed the bug, before I even had a chance to shit my pants. The gall of some people.
The posted example code is somewhat (portable) LibreSSL specific, even though the real bug exists in the arc4random function, so as a programming exercise I thought I’d make another simpler example. There are a few critical preconditions in order to demonstrate the bug. First, the grandparent must fork a child, and that middle child must fork the grandchild after the grandparent exits (or else it can’t possibly match the pid). Second, the grandparent must generate random numbers before forking (to initialize the saved pid) and after forking (to continue down the track with the same state), and the middle child must not call arc4random (or it will reinitialize the pid). And, of course, the pid has to be recycled, which will never actually happen if the grandparent was the process group leader because the pid will remain in use to identify the group.
Continue reading wrapping pids for fun and profit...
Basically: the network is insecure; the bad guys can steal your Facebook login; check that you are using HTTPS. I’ve never seen a wifi warning this clear and direct before. Bonus points for mentioning that smartphone apps are a particular weakness.
Posted 2014-07-08 18:22:13 by tedu Updated: 2014-07-08 18:22:13
Tagged: quote security web
A special Fourth of July post. If you love America, you’ll love the Welcome to Night Vale podcast. It does a great job walking the line between mocking the nutjobs who believe in world government black helicopters and the sheeple who don’t. A little something for everyone to hate.
The whole show, every episode, plays with credulity, but one segment from episode 14, “The Man in the Tan Jacket”, was in a category of its own. It’s not the most absurdly comical segment, but a striking reminder of the typical internet discussion regarding the relative probability of just about anything.
Early Saturday morning, Fun Complex cameras picked up blurry motion near the soda machine. The footage is quite fuzzy and difficult to discern. Perhaps it is merely rats or racoons digging through an uncovered supply of junk food. But it is, of course, much more likely that a lost nation of people, living in the bowels of a small town blowing alley, are finally revealing themselves. Taking our food supplies and preparing for war. ... It takes very little extrapolation to believe that they worship a god named Huntocar, who demands sacrifice to keep their underground city thriving in the absence of nourishing sunlight. And a fair assumption is that they are ruled by a child king, recently coronated, who is too weak to reign back the generals intent on marching upon us in war.
From time to time, somebody posts an unsourced account of that time the Secret Service tasered their cat because they googled for “how to make money”. As it makes the rounds of all the user news sites, somebody will inevitably post a comment pointing out some logical inconsistencies in the original and asking how the more fanciful events may have transpired. Someone will then reply, explaining everything with no facts and fewer sources. And finally comes the third comment, my favorite. “I’m pretty sure that’s what happened.”
Posted 2014-07-04 00:23:13 by tedu Updated: 2014-07-04 00:25:06
Tagged: quote review
A few notes regarding agl’s post on encrypting streams and tools I’ve worked on.
signify will only verify a message if it is entirely correct. The OpenBSD installer doesn’t stream install files through tar anymore. This was something we needed to change precisely because of the situation Adam warns about. Instead the full tar file is downloaded, verified, and then extracted. Tainted data never hits the real file system.
pkg_add combined with signify works a little differently, instead checking the checksum of each file, but the tainted data is first saved to temporary files before being renamed. I’m less familiar with the exact details, but a quick chat with espie said it should be safe.
reop, which is a true encryption at rest tool, does in one sense repeat the mistakes of 20 years ago. Each message is encrypted as a single large “packet”. However, the entire message must decrypt and authenticate successfully before any output is produced, so it’s actually safer than a small packet streaming program which may produce partial output. (reop cheats a bit by imposing a message size limit; it simply can’t encrypt large files, for large values of large.)
Posted 2014-06-30 17:09:00 by tedu Updated: 2014-07-10 18:56:09
Tagged: security software
Just watched the season 3 episode of The Good Wife, “Bitcoin for Dummies”. For an episode that aired more than two years ago, that’s pretty edgy, especially considering what I assume to be the show’s target audience. It’s fictionalized, but it does a pretty good job of depicting Bitcoin accurately. Unlike another show that simply namedropped Bitcoin to prove it was the future, the episode actually spent considerable time explaining and incorporating Bitcoin into the plot. There’s talk of the exchange rate, the crash, mining, hoarding, etc. All the more remarkable for airing in January 2012.
The plot revolves around the government’s pursuit of “Mr. Bitcoin”, played by guest star Jason Biggs, for creating an illegal currency. Naturally, this brings up the question of whether Bitcoin counts as a currency or a commodity for bartering. Linguistic analysis is used to unmask Mr. Bitcoin based on his manifesto. A hidden message is found in the blockchain. There’s also some of the usual TV IP tracking hijinks, of course, but otherwise it’s well done.
This is the only legal drama I’ve ever seen that included the phrase “preimage resistance”. Also, funny line: “Cryptographer jealousy. The ugliest kind.”
I’m pretty impressed with The Good Wife. The writers are obviously working in (then) current trends, but I think it’s fair to say they’re using them as inspiration, and not just chasing ratings with buzzwords. The portrayals seem pretty accurate and not unusually contrived. Another episode deals with a judge accepting a juror’s friend request. Real life relation. The episode where they extract information (metadata, anyone?) from redacted government files was also a winner.
The WSJ has a longer recap if you’re more interested in what Alicia and Diane were wearing than Bitcoin.
Posted 2014-06-27 23:49:28 by tedu Updated: 2014-06-27 23:49:28
Some thoughts on The Disruption Machine. I only just read it, but apparently I’m late to the party. I can’t help but think it’s funny that writing up a review of an article three days before it’s publication counts as too late. (I think it arrived on Wednesday, I read it yesterday at lunch, and today I’m writing. I apologize for my tardiness.)
The article is apparently a rebuttal to The Innovator’s Dilemma, but I think it’s more a counterpoint to the current cult of disruption. Or as the subtitle puts it, “What the gospel of innovation gets wrong.” I think the point is not to prove Christensen wrong, but to demonstrate that the cult of disruption’s holy text is infallible. I myself haven’t read the book, just forum comments telling me what it’s about. Whether those commenters read the book or merely parrot the comments of others, I don’t know, but The Disruption Machine does appear to accurately capture the popular perception of disruption theory.
Continue reading disrupting innovation theory...
Because it’s summer and therefore nice and warm (or terribly, impossibly warm) out, I go outside and walk around the city. Because it’s a city, that means people ask me for money. Sometimes it’s grizzled old men sitting on a stoop. Sometimes it’s chipper young people who jump in front of me. Guess which group this post is about.
It’s one thing (an annoying thing, but borderline acceptable) to stand in the middle of the sidewalk so that I have to go around instead of walking in a straight line. Watching me course correct, then side stepping to block my path and accost me is never acceptable. I deal with this by making a mental note of the responsible organization and then blacklisting them for one month. Penalties accrue. This summer’s front runner appears to be Planned Parenthood, though it will be some time before they overtake the all time record holder. Two summers ago the ACLU accosted me more than once per day on average, earning them an effective lifetime ban.
The stupid part is I’m generally in agreement with these organizations, disagreeing more in degree than kind. The problem seems to be that unlike the local neighborhood homeless beggars, the political beggars are shipped in from elsewhere. I imagine the college job fair pitch goes something like “travel the country and harass strangers with like minded hotties”. The result is that it’s a new beggar every day with no recollection of the previous dozen encounters. Even the duck tour people learn to recognize me as a resident and leave me alone. (Presumably the political beggars set up shop all summer long to get in on the tourist trade, but since the duck tour peddlers have claimed all the good corners, they get pushed out to areas that are in fact mostly locals.)