guest - flak

Samsung 960 EVO

Thought I was happy with my gaming PC, but there was a Steam sale, and suddenly 256GB just doesn’t stretch as far as it used to. Even purchasing only a few games per year, at 20GB or so each, that’s not much. Looking for a bit of future longevity, decided to make the switch from SATA to NVMe. Best drive on the market is probably the Samsung 960 PRO. Saved some money by going with the EVO line, which might be the best value.

It’s an older motherboard, so I needed one of these gadgets to plug it in. Seems a bit silly to spend $20 for a bit of plastic and copper. No boot support, but that’s just fine. It’s only for storage.

It’s as fast as promised. For reference, the existing drive is a Samsung 840. Copying all the game data across, the destination drive was almost entirely idle. (For funsies, I made a second copy, both from and to the 960, and it screamed.)

Posted 2017-01-07 21:51:18 by tedu Updated: 2017-01-07 21:52:07
Tagged: computers gadget

python 3k17

New year, time for a new python, right? I’ve been sticking with python2 but two related events led me to try python3. The first was python3.6, which has a bunch of new features, notably finalized async support. No plans to actually use said support myself, but it seems like the kind of landmark feature that will convince other people to switch, so I figured I would hop on board. The second thing was python3.6 being available as an OpenBSD package. The scene was set for a day spent updating code. If you don’t use python, this will probably not be of much interest.

I don’t have that much python to begin with. A few utilities, somewhat larger than scripts, but much smaller than anything you’d call an application. The most important libraries I use are lxml, feedparser, and pygments. All are available in python3 flavors. So how much trouble can I have? Let’s start with the mechanical 2to3 conversion tool.

Continue reading python 3k17...

Posted 2017-01-05 17:30:40 by tedu Updated: 2017-01-05 17:30:40
Tagged: python

turn your network inside out with one pf.conf trick

I think this falls somewhere a little short of common knowledge, but obvious once you know it. It lets machines roam in and out of the network without too much config fiddling. Instead, we configure machines to always use “cloud” services but intercept the packets to provide local services.

Here are the pf.conf rules I have on my router.

    pass in on cnmac1 proto { udp, tcp } from any to any port domain rdr-to 10.10.10.10 port domain
    pass in on cnmac1 proto { udp, tcp } from any to any port ntp rdr-to 10.10.10.10 port ntp

This steals any DNS or NTP traffic bound for the internet and redirects it back to the local machine, servicing it locally.

Normally one gets a DNS server via DHCP, but I usually prefer to use 8.8.8.8. So I override that option in dhclient.conf. Works great outside the house. But when I’m home, then I really do want to use the local server because that’s the one that knows about other hostnames on the network. This lets me keep a hardcoded config on my laptop and fix it at the router.

Similarly with NTP, although the situation is a little different since we don’t usually get that from the DHCP server. Instead it’s configured once. I could use the ntp.org server pool, but it’s silly to have a half dozen machines each probing several upstream servers. For a while I used a config that pointed at the router directly, but then when I take a laptop on the road, it can’t sync time at all. Solution: point everything at time.google.com in ntpd.conf, and again have the router fix it up. (Bonus benefit: Windows and Apple machines will also now use the router’s time service with no config fiddling either.)

In short, permanently configure laptops for mobile use, and then configure the router to provide optimized services. This is typically easier than trying to configure the laptop to detect which network it’s using.
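
The configuration files this setup implies, sketched as an added example that is not from the original post. The laptop side uses the dhclient.conf and ntpd.conf overrides described above; the router side assumes unbound and OpenBSD ntpd answer on 10.10.10.10, and the 10.10.10.0/24 prefix, the home.example zone, the nas host and the router's upstream pool are all assumptions.

```conf
# --- laptop: /etc/dhclient.conf ---
# Ignore the DHCP-supplied resolver and always use 8.8.8.8.
supersede domain-name-servers 8.8.8.8;

# --- laptop: /etc/ntpd.conf ---
# Same config at home and on the road; at home the router intercepts it.
server time.google.com

# --- router: /etc/ntpd.conf ---
# Answer the redirected NTP queries on the rdr-to address.
listen on 10.10.10.10
servers pool.ntp.org                       # assumed upstream

# --- router: /var/unbound/etc/unbound.conf ---
# Answer the redirected DNS queries, including local-only names.
server:
    interface: 10.10.10.10
    access-control: 10.10.10.0/24 allow    # assumed LAN prefix
    local-zone: "home.example." static     # assumed local zone
    local-data: "nas.home.example. IN A 10.10.10.20"   # assumed host
```

With the pf rules loaded, running `dig @8.8.8.8 nas.home.example` from a laptop on the LAN should return the local address, which confirms the query was redirected rather than sent to the internet.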

Posted 2017-01-04 09:16:52 by tedu Updated: 2017-01-04 09:16:52
Tagged: openbsd

openbsd changes of note 5

New year, old changes.

bluhm, mikeb, and mpi are continuing ongoing work to introduce the NET_LOCK. The plan is to replace splsoftnet() with an rwlock. However, unlike splsoftnet, rwlocks are not recursive, which requires some care in acquiring the lock once, only once, and in just the right spot. This is complicated by the fact that the network stack has many layers calling into each other. And in the case of NFS, even stranger dangers. In the meantime, some macros are used to allow switching between splsoftnet and rwlock until all the issues are solved.

kettenis is working to fix various warnings generated by the clang compiler. krw is also fixing a bunch of compiler warnings.

visa’s work on octeon now includes an MMC driver for the EdgeRouter Pro.

Continue reading openbsd changes of note 5...

Posted 2017-01-03 18:55:28 by tedu Updated: 2017-01-03 19:26:58
Tagged: openbsd

go garbage collector and liveness

Depending on language, compiler, and runtime, sometimes the garbage collector needs a few hints from the programmer. You know you’re done with an object, but to the GC, if a variable appears live, it can’t be collected. Sometimes the problem really is programmer error, as objects continue to collect in a container that’s never inspected. Other times the variable will be overwritten soon enough, but does it help to overwrite it sooner?

A trivial example.

Continue reading go garbage collector and liveness...

Posted 2017-01-02 15:18:31 by tedu Updated: 2017-01-02 21:14:07
Tagged: go programming

2016 computer review

A “where are they now” followup review for some computers, some from before 2016 even. Three sets of three computers.

I use three laptops, each weighing about three pounds, which makes them convenient to carry about. I’d been trying to keep the ThinkPad T430s active, but it’s now firmly retired.

ThinkPad X1 Carbon. Purchased January 2015. Two years later, love it as much as ever. I liked the T430s before it, but that was always a little too heavy to carry around. The X1 is an easy bag and go machine. Despite quite a few cycles, the battery is still about 96% as original, and generally lasts me longer than I need.

Zenbook UX305. Purchased October 2015. This is the portable Windows 10 machine. I don’t have much use for Windows, and so the Zenbook doesn’t see much use either, but it’s nice to have. It’s always a bit of a disappointment switching from the X1 to this machine, but it’s still a fine machine.

Continue reading 2016 computer review...

Posted 2016-12-30 17:03:05 by tedu Updated: 2016-12-30 17:03:35
Tagged: computers

exfiltration via receive timing

Another similar way to create a backchannel but without transmitting anything is to introduce delays in the receiver and measure throughput as observed by the sender. All we need is a protocol with transmission control. Hmmm.

Actually, it’s easier (and more reliable) to code this up using a plain pipe, but the same principle applies to networked transmissions.

First the reader code. We’ll assume an input string of decimal digits, 1-9.

Continue reading exfiltration via receive timing...

Posted 2016-12-22 15:20:19 by tedu Updated: 2016-12-22 15:20:39
Tagged: c network programming security

exfiltration via request timing

There are any number of ways to exfiltrate data via covert channels. For example, a popular technique is to make DNS lookups for a series of hostnames like “attack.example.com”, “atdawn.example.com”, etc. which will be passed through most firewalls. For a long time DNS requests weren’t monitored, but savvy network operators have grown wise. So if we wanted to beam some data off a device surreptitiously, what else can we do?

There are some even lower level techniques, like varying IP packet size or options, but this too may trigger alarms. Instead, let’s move up the stack and try to make our tunnel look as normal as possible. Consider the scenario where we’re Apple or Google and we want to extract Signal private keys off a device. It’s a small amount of data, and we already have an established channel: update checks. The trick is to piggyback our channel onto update requests. (This is not an entirely original idea, I just wanted to explore it.)

Continue reading exfiltration via request timing...

Posted 2016-12-19 17:30:45 by tedu Updated: 2016-12-19 17:30:45
Tagged: c network programming security

watt time is left

So Apple no longer knows how to make a battery meter. The good news is OpenBSD is still here for all your desktop needs. How does its battery meter work?

The simplest interface to get battery status info is to run apm. This gives us both percentage and an estimate of time remaining.

Continue reading watt time is left...

Posted 2016-12-16 13:49:18 by tedu Updated: 2016-12-16 13:49:18
Tagged: computers openbsd software