guest - flak

humans

An amazing show. Sat down to watch one episode of Humans and watched the entire season in one six hour sitting.

The premise is a world much like our own, but with mostly perfected android technology. The synths appear human and have a sufficiently advanced AI to interact with humans. They are not, however, self-aware. Except for a select few, which have been captured, wiped, and returned to service. Now they need to find each other while hiding their true identities, especially from the secret synth police chasing them. Apart from some of the worst examples of technobabble posing as computer jargon, the show works and is very well made. I’ll just assume that robotic AI is very complex, and they borrowed jargon from simpler fields.

Continue reading humans...

Posted 2016-05-19 20:34:43 by tedu Updated: 2016-05-19 20:34:43
Tagged: moviereview

file considered harmful

Yes, actually harmful.

The file utility can be useful. Don’t know what program to open a file with? Run file and it will tell you. Of course, sometimes file will be wrong and misidentify the file type. This may be inconvenient, but at least as a user you still have the option of trying to run another program.

Except when you don’t. What happens when file (or its programmatic buddy, libmagic) is not a hint, but a gatekeeper? What happens when some application determines its behavior based on the output of file?

What happens is you can’t print on Tuesday.

Or you can’t print particular documents that contain inappropriate phrases.

Or you can’t launch a browser and consequently prevent Firefox from providing ASLR enabled builds.

Something tells me these won’t be the last three bugs.

A program that helps users is useful. A program that restricts users is harmful. Run file on your computer all you want, but don’t use file to limit what I can do.

Posted 2016-05-18 18:11:51 by tedu Updated: 2016-05-18 18:11:51
Tagged: bugs rants software

the day some of the DNS stopped

For the past few months, my iPhone has had a peculiar bug. Apple services didn’t work in my house. I could listen to Amazon Music, but not Apple Music. I could update my Facebook status, but not the Facebook app itself. I could read Apple’s website and learn about security updates in the latest version of iOS, but not download them.

If I disabled wifi, all of these things became possible. Of course, that meant burning through cellular data. And important iOS updates can’t be downloaded except via wifi. If I walked down to a Starbucks and used their wifi, I could download everything. By process of elimination, I concluded the problem was not the phone, Apple’s services, the wifi radio, etc. The problem was local to my home network. (Or perhaps somewhere one step beyond, in the ISP network, but that seemed a somewhat less likely suspect. Also, multiple other local wifi networks worked.)

Continue reading the day some of the DNS stopped...

Posted 2016-05-17 23:45:14 by tedu Updated: 2016-05-17 23:45:14
Tagged: network openbsd

this week in astounding defaults

Ripped straight from the headlines, thrilling tales of things gone wrong because nobody asked for things to go right.

You may not write assembly, but you probably use libraries from people who do. Did they remember to insert the right magic flag?

ImageMagick can and will do lots of things you neither expect nor desire. Unless, of course, you configure it otherwise.

When using node.js and socket.io, don’t forget the default is unverified sockets.

By default, Telegram uses a sophisticated identity verification system known as text the user.

If you really don’t want logging, say nop nop nop three times.

Remember, it’s all there in the manual if you just take the time to read it. Tune in next week to learn what other documentation you should have read!

Posted 2016-05-06 04:44:40 by tedu Updated: 2016-05-06 04:49:12
Tagged: rants software

regarding embargoes

Personal thoughts. To each their own.

Yesterday I jumped the gun committing some patches to LibreSSL. We receive advance copies of the advisory and patches so that when the new OpenSSL ships, we’re ready to ship as well. Between the time we receive advance notice and the public release, we’re supposed to keep this information confidential. This is the embargo. During the embargo time we get patches lined up and a source tree for each cvs branch in a precommit state. Then we wait with our fingers on the trigger.

What happened yesterday was I woke up to a couple of OpenBSD developers talking about the EBCDIC CVE. Oh, it’s public already? Check the OpenSSL git repo and sure enough, there are a bunch of commits for embargoed issues. Pull the trigger! Pull the trigger! Launch the missiles! Alas, we didn’t look closely enough at the exact issues fixed and had missed the fact that only low severity issues had been made public. The high severity issues were still secret. We were too hasty.

Continue reading regarding embargoes...

Posted 2016-05-04 14:04:17 by tedu Updated: 2016-05-04 21:17:51
Tagged: security software thoughts

when i wore a younger fool's cap

A few grumpy remarks about the amazing tale of Slack bot tokens on GitHub. Auth tokens used for business accounts get committed into Jurassic Park quote bots saved on GitHub, allowing random passersby to eavesdrop on your paradigm shifting startup’s latest pivot? That didn’t happen back in my day! Of course, since then multiple changes have combined to change the world. A perfect storm of convergence and disruption.

First off, let’s start with the centralized Slack service. Even if somebody stole your chat server credentials, they wouldn’t be of much use if your chat server wasn’t in the cloud. We used to run an IRC server with no credentials at all because it was only on the internal network. Not terribly secure, but we got by. If I built an IRC bot one weekend, it wouldn’t come with credentials for a critical service because it wasn’t developed with credentials for a critical service.

Continue reading when i wore a younger fool’s cap...

Posted 2016-04-29 02:13:23 by tedu Updated: 2016-04-29 02:13:23
Tagged: rants software thoughts

a prog by any other name

What is a name, really?

Sometimes two similar programs are really the same program with two names. For example, grep and egrep are two commands that perform very similar functions and are therefore implemented as a single program. Running ls -i and observing the inode number of each file will reveal that there is only one file. Calling the program as egrep is shorthand for grep -E and does the same thing.

names

In fact, every program has three names: its name in the filesystem, the name it has been invoked with, and whatever it believes its own name to be. Under normal circumstances the first two will be the same, but it is possible to call execve with a path and argv[0] not in alignment. Sometimes by accident, as in mv.
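The path/argv[0] mismatch described above, as an added example that is not from the post: it assumes a POSIX system with /bin/sh and uses the shell's $0 to show that the program only ever sees the name execve was handed, which is also the name that anything keying behaviour or logging on argv[0] will see.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Exec `path` with a caller-chosen argv[0] and return what the new program
 * reports as its own name (the shell's $0) as a malloc'd string, NULL on failure. */
char *invoked_name(const char *path, const char *argv0)
{
    int fd[2];
    if (pipe(fd) == -1)
        return NULL;
    pid_t pid = fork();
    if (pid == -1)
        return NULL;
    if (pid == 0) {
        /* child: stdout into the pipe, then exec with argv[0] out of line with path */
        dup2(fd[1], STDOUT_FILENO);
        close(fd[0]);
        close(fd[1]);
        char *const argv[] = { (char *)argv0, "-c", "printf '%s' \"$0\"", NULL };
        char *const envp[] = { NULL };
        execve(path, argv, envp);
        _exit(127);
    }
    close(fd[1]);
    char buf[256];
    size_t len = 0;
    ssize_t n;
    while (len < sizeof(buf) - 1 &&
           (n = read(fd[0], buf + len, sizeof(buf) - 1 - len)) > 0)
        len += (size_t)n;
    close(fd[0]);
    waitpid(pid, NULL, 0);
    char *out = malloc(len + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, buf, len);
    out[len] = '\0';
    return out;
}

int main(void)
{
    /* filesystem name is /bin/sh, invoked name is whatever we put in argv[0] */
    char *name = invoked_name("/bin/sh", "egrep");
    printf("%s\n", name ? name : "(exec failed)");
    free(name);
    return 0;
}
```

The printed name is "egrep" even though the image that ran is /bin/sh; ps and the program itself report the invoked name, while only the inode (ls -i) tells you which file actually executed.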

Continue reading a prog by any other name...

Posted 2016-04-28 12:26:04 by tedu Updated: 2016-04-29 02:22:50
Tagged: c openbsd programming

master lock speed dial

In addition to earbuds, I have a tendency to lose padlocks. As a result, I tend to go through more of them than I should. Note to locker designers: place the loop on the inside frame instead of on the outside of the door so that after I open the door, I have somewhere to hang the lock where I won’t forget it.

Cheap combo locks have never been that secure, but since things have gone from bad to worse, I figured I’d try a new lock. Enter the Master Lock Speed Dial.

Instead of numbers, the combination is a sequence of cardinal directions. The packaging promises I can pick any combination of any length, though I doubt they have really invented an infinite data storage device. The default sequence length is only four inputs, which is far too short for my comfort and they should recommend at least eight. 4^8 combinations just tops the 40^3 of a very precisely machined 40 digit combo lock (to say nothing of less precise models). Despite the length, with very little practice it’s easy to enter the combo quickly and accurately. Trying to spin a dial too fast I would frequently over-rotate and have to start again. The speed dial can be consistently unlocked one handed in about five seconds.

Programming the lock is a little weird and error prone. The sequence of unlocking, resetting, and locking must be performed in exactly the correct order or you get a lock with the wrong combo. Or no combo! Fortunately, this video explains two common mistakes, which I definitely experienced first hand.

For a look at the insides of the lock, this video reveals a little more about how it works.

Initially, the lock was very stiff to open. I couldn’t tell if I’d done the combination right or not (pretty important right after purchasing), but after some use it pulls open much more readily. On the downside, the casing is rather large and won’t fit everywhere that a smaller lock is expected to.

Posted 2016-04-27 18:41:45 by tedu Updated: 2016-04-27 18:41:45
Tagged: gadget

more input validation unnecessary

There’s a widespread belief that validating user input prevents security vulnerabilities. This is true as far as it goes, but doesn’t tell the whole story. Consider the following example, distilled from any number of real world examples.

    if (!valid_input(buffer)) {
            free(buffer);
            error = BADSTUFF;
            goto ungood;
    }
    error = process_input(buffer);
ungood:
    free(buffer);
    return error;

A not uncommon mistake. A vulnerability report may, quite accurately, say something like “Invalid inputs may result in remote code execution.” However, further input validation won’t fix this bug, nor will tweeting “This is why you always validate your inputs!” prevent future occurrences.

Lots of problems may share similar or even identical descriptions without sharing fixes. It’s a small point, really, but no less important. And of course, hardly limited to the field of security.
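The distilled snippet above beside a corrected version, as an added example that is not from the post: valid_input, process_input and the OK value are constructed stand-ins, and a small release() wrapper replaces free() so the second release on the error path is flagged rather than left to corrupt the heap.

```c
#include <stdlib.h>
#include <string.h>
enum { OK = 0, BADSTUFF = -1 };   /* constructed values; the page only names BADSTUFF */

/* free() stand-in: flags a second release of the last pointer freed instead of
 * letting a real double free corrupt the heap or abort the process. */
static void *last_freed;
static int double_free_seen;
static void release(void *p)
{
    if (p != NULL && p == last_freed) { double_free_seen = 1; return; }
    last_freed = p;
    free(p);
}

/* Constructed stand-ins: reject empty input or embedded newlines; processing always succeeds. */
static int valid_input(const char *buf) { return *buf != '\0' && strchr(buf, '\n') == NULL; }
static int process_input(char *buf) { (void)buf; return OK; }

/* The page's pattern: the early-out frees, then jumps to a label that frees again. */
int handle_buggy(char *buffer)
{
    int error;
    if (!valid_input(buffer)) { release(buffer); error = BADSTUFF; goto ungood; }
    error = process_input(buffer);
ungood:
    release(buffer);
    return error;
}

/* Hardened form: every path releases the buffer exactly once, at the label. */
int handle_fixed(char *buffer)
{
    int error;
    if (!valid_input(buffer)) { error = BADSTUFF; goto ungood; }
    error = process_input(buffer);
ungood:
    release(buffer);
    return error;
}

/* Run handler on a fresh heap copy of s; returns 1 if the buffer was released twice. */
int double_frees(int (*handler)(char *), const char *s)
{
    char *copy = malloc(strlen(s) + 1);
    if (copy == NULL) return -1;
    last_freed = NULL; double_free_seen = 0;
    handler(strcpy(copy, s));
    return double_free_seen;
}
```

Note that the invalid input is what triggers the bug, so the report "invalid inputs may result in remote code execution" is accurate, yet a stricter valid_input changes nothing: the fix is in the cleanup path, not the validator.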

Posted 2016-04-25 18:14:33 by tedu Updated: 2016-04-25 18:14:33
Tagged: c programming security

libressl - more vague promises

There hasn’t been a lot of noise coming out of the LibreSSL camp recently. Mostly there’s not much to report, so any talks or presentations will re-cover a lot of the same material. But it’s an election year, and in that spirit, we can look back at some promises previously made and hopefully make a few new ones.

scorecard

First part of any campaign is to tout one’s record. And shift blame for any missteps.

Starting from the beginning is LibreSSL - The First 30 Days. On the positive side, most of the cleanup has been a success. We promised to delete support for obsolete systems and we did. We promised to delete obscure compat layers and build on posix and we did. We promised not to appease FIPS and we didn’t. We promised “If your Operating System can not provide you with a good source of entropy, it will NOT be LibreSSL’s job to fake it. Fix your Operating System. Not the SSL library.” and we... oh, hm. Time to call in the equivocator.

Continue reading libressl - more vague promises...

Posted 2016-04-19 17:28:00 by tedu Updated: 2016-05-14 16:38:03
Tagged: openbsd software