guest - flak

out with the old, in with the less

Notes and thoughts on various OpenBSD replacements and reductions. Existing functionality and programs are frequently rewritten and replaced for the sake of simplicity or security or whatever it is that OpenBSD is all about. This process has been going on for some time, of course, but some recent activity is worth highlighting.

It’s probably worth preemptively citing jwz’s “Cascade of Attention-Deficit Teenagers” model. It certainly is appealing to throw everything away as a bug disposal mechanism. As noted, this rarely has the intended effect and just replaces one set of bugs with another set. The rewrites mentioned here have a slightly different motivation. Instead of trying to fix known bugs, we’re trying to fix unknown bugs. It’s not based on the current buggy state of the code, but the anticipated future buggy state of the code. Past bugs are a bigger factor than current bugs.

Continue reading out with the old, in with the less...

Posted 2015-06-25 12:52:35 by tedu Updated: 2015-06-26 17:54:28
Tagged: openbsd programming software thoughts

hot girls wanted

The Netflix blurb for Hot Girls Wanted promised to spotlight the amateur porn industry and the women it exploits. I was expecting something along the lines of a traditional documentary; lots of interviews, investigative reporting, some slide shows. Instead, it’s more Real World style, with a camera crew following a group of women around and observing their lives. There are some fact slides presented during scene transitions, but for the most part very little of what happens is deliberately directed at the viewer.

The film centers around Riley’s house and the girls who live there. Riley is an agent, posting the titular ads on Craigslist sites across the world. “Who doesn’t want a free flight to Miami?” With him live five girls who have come to Miami to start their amateur porn careers. They all pay rent. He also mentions that he is sometimes talent, though we don’t see him in this role.

Continue reading hot girls wanted...

Posted 2015-06-24 14:22:02 by tedu Updated: 2015-06-24 14:22:02
Tagged: moviereview

natural grass preservatives

From Time’s surprisingly healthy snack foods list.

Is the implication that corn fed beef jerky requires artificial preservatives? What makes grass beef so naturally resistant to spoiling?

Posted 2015-06-22 19:07:07 by tedu Updated: 2015-06-22 19:07:07
Tagged: food magreview quote

signify shortcomings

I presented a talk about signify at BSDCan on Friday. It went really well; during and after the talk many people told me I was wrong.

Here’s a list of things that are less than perfect, either with the signify tool or with its usage.

tool

Some issues affect the signify tool itself. I’m happy that so far they’re quite minor.

Secret key files contain a 64-bit hash (truncated SHA512) of the secret key data which is used to verify the user’s password. You wouldn’t want to enter the wrong password and accidentally sign something with a bogus key. Unfortunately, this creates something of an oracle. If you steal somebody’s secret key, instead of guessing passwords which will be terribly slow because of the KDF, you can just guess keys and compute hashes until you get a match. The good news is that the key space is fairly large; you won’t have much luck guessing one. Harmless as this may be, it’s bothered me quite a bit because it’s plainly wrong. (The rationale for this decision was that encrypting the hash as well would require another iteration of the KDF.)
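The layout described above, as an added illustration that is not signify's own code: a toy key file stores the checksum of the plaintext key in the clear beside the KDF-encrypted key, so the file alone confirms a candidate key without the KDF; the alternative layout derives a few extra keystream bytes and masks the checksum too. PBKDF2 with few rounds stands in for bcrypt_pbkdf, and the key, salt and passphrase are constructed sample values.

```python
import hashlib

KEYLEN = 64        # Ed25519 secret key bytes
CKSUMLEN = 8       # 64-bit truncated SHA512, as in the post

# Constructed sample inputs (not real key material).
SAMPLE_SECKEY = bytes(range(KEYLEN))
SAMPLE_SALT = b"\x01" * 16
SAMPLE_PASSWORD = b"correct horse"

def kdf(password: bytes, salt: bytes, nbytes: int) -> bytes:
    # Stand-in for bcrypt_pbkdf; asking for more bytes costs more KDF work,
    # which is the "another iteration" trade-off the post mentions.
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2000, dklen=nbytes)

def checksum(seckey: bytes) -> bytes:
    return hashlib.sha512(seckey).digest()[:CKSUMLEN]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def seal_weak(seckey, password, salt):
    """Layout criticised in the post: checksum of the plaintext key stored unencrypted."""
    stream = kdf(password, salt, KEYLEN)
    return {"salt": salt, "cksum": checksum(seckey), "enckey": xor(seckey, stream)}

def seal_hardened(seckey, password, salt):
    """Alternative: CKSUMLEN extra keystream bytes mask the checksum as well,
    so nothing in the file is a function of the key alone."""
    stream = kdf(password, salt, KEYLEN + CKSUMLEN)
    return {"salt": salt, "cksum": xor(checksum(seckey), stream[KEYLEN:]),
            "enckey": xor(seckey, stream[:KEYLEN])}

def open_key(keyfile, password, hardened):
    """Decrypt and verify the passphrase the way both layouts intend; raises on mismatch."""
    stream = kdf(password, keyfile["salt"], KEYLEN + (CKSUMLEN if hardened else 0))
    seckey = xor(keyfile["enckey"], stream[:KEYLEN])
    stored = xor(keyfile["cksum"], stream[KEYLEN:]) if hardened else keyfile["cksum"]
    if stored != checksum(seckey):
        raise ValueError("wrong passphrase")
    return seckey

def passphrase_ok(keyfile, password, hardened):
    try:
        open_key(keyfile, password, hardened)
        return True
    except ValueError:
        return False

def checksum_is_oracle(keyfile, candidate):
    """True when the file alone confirms `candidate` with no KDF work at all.
    This is the property the post objects to; it holds only for seal_weak."""
    return checksum(candidate) == keyfile["cksum"]
```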

Continue reading signify shortcomings...

Posted 2015-06-15 12:54:10 by tedu Updated: 2015-06-15 12:54:10
Tagged: openbsd security software

BSDCan 2015

This weekend BSDCan 2015 was held at the University of Ottawa. I was told it was the biggest, bestest BSDCan ever. Certainly, there were a lot of talks, giving rise to a four track split. Personally, I think that may be too many. Some of the best conferences I’ve attended have been two or even one track. To the credit of the organizers though, they did a great job of splitting up talks such that I was rarely in the position of having to choose between two talks I really wanted to attend. Some talks were about new developments, which I’m interested in, some talks were about system administration issues I’d really rather not know anything about. One of the consequences of multi-tracking though is that the OpenBSD people go to the OpenBSD talks and the FreeBSD people go to the FreeBSD talks, etc., making it less of a BSD conference and more like an OpenBSD conference and a FreeBSD conference running side by side. Fewer tracks would mean more forcible cross attendance. But it’s a minor quibble. BSDCan has become a victim of its own success.

Continue reading BSDCan 2015...

Posted 2015-06-14 18:52:45 by tedu Updated: 2015-06-15 12:55:29
Tagged: event software

as always bundling fixes is bad

I generally like my iPhone. I think it’s fairly secure, and Apple seems pretty motivated to keep it that way (even if they don’t have the purest intentions, caring perhaps more about jailbreaking than my safety). But the way they go about releasing security fixes is terrible.

Highlighting two lines from a preview of iOS 8.3. First:

“As always, it’s a good idea to wait a few days to see if the update causes any problems.”

Sound advice. My phone is pretty important. I don’t like when it doesn’t work.

“As always, the iOS update includes a slew of security fixes.”

Cupertino, we have a problem.

I figure 24 hours is about the amount of time it takes from a security patch to be released until weaponized exploits show up. After that, if you’re not patched, you’re living dangerously, depending on the nature of the bug. Bundling new features with a high risk of regression with security fixes means users wait to upgrade.

The iOS 8.3 update is 280MB. It can’t even be downloaded over the air, only via wifi. Security patches are important enough that they should always be made available separately. Then I could download them, even OTA, without fear of regression.

What aggravates me most is that this is business as usual. As always. We’re training people not to patch. Users should be embarrassed to admit they’re running unpatched software; instead it’s regarded as the prudent choice.

Posted 2015-04-09 16:02:55 by tedu Updated: 2015-04-09 16:02:55
Tagged: gadget security

why did my fans come on?

Browsing the web for a bit, noticed the laptop fan come on. This is quite unusual on my new X1 Carbon, but maybe there’s some eyeball counting javascript gone wild? Close the tab, fans stay on. More unusual.

Run top. Mysteriously, the system is busy but all the processes seem idle. Watch it a bit more, pound the spacebar, and finally notice the occasional login_passwd flickering among the top processes. There’s probably a more scientific means to discover what’s up, but this worked well enough. I’m not logging in, so who is? Check /var/log/authlog.

Apr 5 08:08:10 carbolite sshd[15309]: Failed password for root from 43.255.190.148 port 50211 ssh2
Apr 5 08:08:10 carbolite sshd[15309]: Failed password for root from 43.255.190.148 port 50211 ssh2
Apr 5 08:08:10 carbolite sshd[30446]: Failed password for root from 43.255.190.154 port 49092 ssh2
Apr 5 08:08:11 carbolite sshd[15309]: Failed password for root from 43.255.190.148 port 50211 ssh2
Apr 5 08:08:11 carbolite sshd[30446]: Failed password for root from 43.255.190.154 port 49092 ssh2
Apr 5 08:08:11 carbolite sshd[30446]: Failed password for root from 43.255.190.154 port 49092 ssh2

Ah, yes, of course. That would make the fans go.

root:$2b$12$criWVll1Nov9AXQpDU2GyO/tczU87cNGYcWpcUyQx/zimHWA7HgjC:0:0:daemon:0:0:Charlie &:/root:/bin/ksh

At close to half a second per guess, 3 guesses per second will keep things busy.

carbolite:/var/log> grep "root from 43.255" authlog | wc
    2056   28784  205001

And that will keep things warm.

Usually my laptop is safe and sound inside my network and not prone to remote thermal control, but it happened to be connected to a public net today. How else would anyone hunt for root’s Easter Eggs?
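The grep-and-wc above counts all the failures together; as an added example (not from the post), here is the same authlog triage done per source and per second, which is what you would want before deciding whether to filter an address. The six log lines are the ones quoted above, embedded as constructed sample input; the regex assumes the OpenBSD sshd message format shown there.

```python
import re
from collections import Counter, defaultdict

# Sample input: the authlog lines quoted in the post.
SAMPLE_AUTHLOG = """\
Apr 5 08:08:10 carbolite sshd[15309]: Failed password for root from 43.255.190.148 port 50211 ssh2
Apr 5 08:08:10 carbolite sshd[15309]: Failed password for root from 43.255.190.148 port 50211 ssh2
Apr 5 08:08:10 carbolite sshd[30446]: Failed password for root from 43.255.190.154 port 49092 ssh2
Apr 5 08:08:11 carbolite sshd[15309]: Failed password for root from 43.255.190.148 port 50211 ssh2
Apr 5 08:08:11 carbolite sshd[30446]: Failed password for root from 43.255.190.154 port 49092 ssh2
Apr 5 08:08:11 carbolite sshd[30446]: Failed password for root from 43.255.190.154 port 49092 ssh2
"""

# "invalid user" appears when the account does not exist; the sample has only root.
FAILED_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+\S+\s+"
    r"sshd\[(?P<pid>\d+)\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)

def parse_failures(text):
    """Yield (timestamp, user, ip, pid) for every failed-password line; skip the rest."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            yield f"{m['mon']} {m['day']} {m['time']}", m["user"], m["ip"], m["pid"]

def failures_by_source(text):
    """Failed logins counted per (source IP, target account)."""
    return Counter((ip, user) for _, user, ip, _ in parse_failures(text))

def peak_rate(text):
    """(failures, ip) for the busiest single second from any one source.
    Grouping on the syslog timestamp approximates the post's guesses-per-second figure."""
    per_second = defaultdict(Counter)
    for ts, _, ip, _ in parse_failures(text):
        per_second[ts][ip] += 1
    best = (0, None)
    for counts in per_second.values():
        ip, n = counts.most_common(1)[0]
        if n > best[0]:
            best = (n, ip)
    return best

def flag_sources(text, threshold=3):
    """Source IPs with at least `threshold` failures against a single account."""
    return sorted({ip for (ip, user), n in failures_by_source(text).items() if n >= threshold})
```

On a real host, feed it `/var/log/authlog` and lower or raise the threshold to taste; the per-second view separates one noisy scanner from a slow trickle that a total count hides.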

Posted 2015-04-05 16:01:06 by tedu Updated: 2015-04-05 19:55:59
Tagged: openbsd rants security

OpenBSD 5.7 highlights

The OpenBSD 5.7 release is still a month away, but the changes have been done for some time. The release page lists lots of changes, though certainly not all, and sometimes it’s hard to tell the big changes from the small changes. Annoying perhaps, but rewarding to someone who reads through the entire list looking for hidden gems. A few notes about changes I found personally interesting.

USB 3.0 may qualify as the headline hardware feature. The blue ports work at last, even though they aren’t even blue anymore. Owners of newer laptops are likely happy to see the iwm driver for the latest generation of Intel wireless chips.

Lots of hash function related changes. MD5 in many contexts has been replaced by SHA512. For the most part, MD5 was harmless, but now it even looks harmless at first inspection. SipHash was introduced and replaces the hash function for many hash table lookups. In some cases, the previous function was XOR, so this is a pretty substantial improvement. DES crypt moved ever closer to the attic. Most userland programs will no longer operate on traditional password hashes.

Continue reading OpenBSD 5.7 highlights...

Posted 2015-04-01 02:47:00 by tedu Updated: 2015-04-09 18:36:48
Tagged: openbsd review software

making security sausage

Security may be a process, not a product, but security patches are definitely a product. Some reflections on a few recent experiences making security sausage, er, patches.

I appear to have found myself in the position of OpenBSD sausage grinder even though it’s not a great fit. It’s not in my temperament to care about yesterday’s problems after they’re fixed, nor am I enthusiastic about long term support. I mostly run current, so I don’t have much personal interest in fixing stable. Unfortunately, I wrote the tool used for signing patches which somehow turned into a responsibility for also creating the inputs to be signed. That was not the plan!

Continue reading making security sausage...

Posted 2015-03-20 05:00:03 by tedu Updated: 2015-03-20 05:00:03
Tagged: openbsd security software thoughts

invented by openbsd

The primary product of the OpenBSD project is the OpenBSD operating system, but sometimes other artifacts are produced as byproducts. Avant-garde web site design, funny email threads. Also, reusable code that can be beneficial to other developers, outside the strict confines of OpenBSD.

Unfortunately, sometimes this code doesn’t see the widest distribution. Often this can be the result of Not Invented Here syndrome, though other times it takes the appearance of a more pernicious problem. Invented by OpenBSD.

It was brought to my attention that NetBSD recently imported two OpenBSD functions, but reimplemented them in such a way as to be dangerously incompatible.

reallocarray

Continue reading invented by openbsd...

Posted 2015-03-10 07:03:09 by tedu Updated: 2015-03-17 02:43:31
Tagged: openbsd rants software