retiring crypt

The crypt function is a unix classic. Unfortunately, its age is showing. It’s an interface from another time, out of place on modern systems, and it’s time for OpenBSD to move on.


Continue reading retiring crypt...

Posted 2014-11-20 15:15:22 by tedu Updated: 2014-11-24 21:33:05
Tagged: openbsd software

the trouble with python and SNI

Server Name Indication is a TLS extension that allows the client to tell the server what hostname it would like to talk to. It solves, in theory, one of the issues with moving a web server with many virtual hosts to https: different hostnames need different certs.

Unfortunately, python 2.7 doesn’t support SNI much to my regret. Thanks to an HN comment I was pointed to a python issue. The problem has been known about for five years, but fixing things isn’t the python way. Finally, somebody saw the light which led to PEP 466. Current status: partially implemented.

Where does this leave me? I could upgrade to python 3.4, but none of the auxiliary libraries I need (notably py-feedparser) are available as OpenBSD packages except for versions built against 2.7. Or I can wait for python 2.7.9, although as a practical matter that would also mean upgrading OpenBSD and everything else (and likely not until May) so maybe I’d rather not. And that’s if 2.7.9 actually includes working SNI support. Digging through the issue tracker, it sounds like only optional support will be included, and programs will need to be changed and updated as well. It’s very important that upgrades don’t make things work by accident.

Instead my solution was to change the Duo blog’s URL to a file on disk, fetched by ftp running out of cron.

Posted 2014-11-16 07:28:14 by tedu Updated: 2014-11-16 07:28:14
Tagged: python rants software

from the annals of uvm

The OpenBSD virtual memory layer is known as UVM. Long, long ago it was the original BSD VM (with parts from Mach at CMU), but it was mostly replaced with UVM by Chuck Cranor. More of its history and a detailed description is in the author’s USENIX paper, The UVM Virtual Memory System.

Since then, we’ve evolved it in various ways. Unfortunately, some of the changes I made long ago have a tendency to devolve because the features introduced are subtle. This is the history of one feature in particular, its various regressions, and their fixes.

UVM basics

UVM manages two resources: virtual address space and physical memory pages. Usually you need both, but sometimes you only need one or the other. If a needed resource isn’t available, the typical solution is to sleep until it is, if in process context. In an interrupt, that’s not possible. To serialize access to a vmspace, locking is used which can also cause a process to sleep (and which must also not be acquired in interrupt context).

Continue reading from the annals of uvm...

Posted 2014-11-14 14:36:16 by tedu Updated: 2014-11-14 14:36:16
Tagged: c openbsd programming

improving bcd

Owing to its BSD heritage, OpenBSD ships with a few games installed in /usr/games. Quite a few, in fact. There are more programs in games (46) than in /bin (43). Some of them aren’t really games, but more like toys, but nevertheless there they are. They aren’t exactly the focus of OpenBSD, but they’re still part of the system and do get the occasional maintenance update.

One such game is bcd, which prints out punch card looking diagrams of input strings. I made a few improvements to it recently.

signed char

First, perhaps due to the original author’s familiarity with mainframe architectures, several parts of the code assumed that the char type was unsigned. On many common architectures, the opposite is true; char is signed. This meant that using char as index into an array would incorrectly negatively index before the array started. Piping random input into bcd should not cause it to crash, even if there’s no way to represent those bytes on a punch card.

Continue reading improving bcd...

Posted 2014-11-06 21:04:41 by tedu Updated: 2014-11-07 01:23:17
Tagged: c openbsd programming

the future sure is bleak

Watched two movies.

Automata. Starring Antonio Banderas. This starts out like some of the best Asimov robot short stories, especially Little Lost Robot. The earth is a desiccated, irradiated husk but slowly being rebuilt by robots with two Protocols. One says no harming humans. The other says no self modification. Antonio is tasked with tracking down the origins of a group of robots that apparently can modify themselves. Then the story gets sidetracked quite a bit. The evil Robo Corp henchmen decide Antonio must be in on the trouble and are sent out to get him. So much trouble could have been averted if they had even once asked him what was happening, but no. Shoot first, ask questions later. Turns a rather good mystery thriller into a boring bang bang western.

The Colony. Starring Morpheus. Like Snowpiercer the world is frozen over after a global warming reversifier. Instead of the silly train conceit, however, people live in underground bunkers like in Fallout. So far, so good. Then we get lots of contrived conflict, blood thirsty cannibals (why is it always cannibals?), and whatever. I stopped caring.

Disappointing. It’s like the producer/director for each movie got halfway through, realized they hadn’t used any of the spurting blood budget, and then decided to use it all up. But at least in terms of atmosphere and setting, they were briefly entertaining.

Two movies, two bonus comics!

The real currency of modern life is information.

How to explain the future to your past self.

Posted 2014-10-30 19:36:09 by tedu Updated: 2014-10-30 20:25:42
Tagged: moviereview

least worst golden key

The Washington Post seems to have kicked a crypto hornets nest recently, with their suggestion that Apple (and other phone manufacturers, though I’ll stick with Apple as an example) should include a golden escrow key to allow law enforcement to decrypt suspects’ phones. This provoked the expected reaction from everybody who gets it that escrow is a terrible idea. Fair enough. But what’s the least worst escrow system we can devise?

Why would we want to design such a system, given that implementing a golden key would be a disaster? Well, disaster planning is hardly a new idea. Nor does coming up with a plan for the worst case scenario necessarily mean you want it to happen. Devising fire evacuation plans for an office building doesn’t make one an arsonist. I think having a good escrow plan ready is better than having none and being forced to design one on the spot. Even worst case scenarios can be subdivided into worst worst and least worst. And so, without advocating for a key escrow system, here’s how I might go about building one.

Continue reading least worst golden key...

Posted 2014-10-11 16:11:48 by tedu Updated: 2014-10-11 16:11:48
Tagged: politics security thoughts

on the power of proprietary information

Lots of great articles in the October 13, 2014 New Yorker, all connected by the common theme of knowledge is power. Who knows what and when gives one a considerable edge. Nothing surprising, but reading about it from several perspectives reveals just how true the old saying is.

The first major article, Embrace the Irony, is about Lawrence Lessig’s quest to reform campaign finance. Not information, per se, but access is power, and asymmetrical access has about the same result as asymmetrical information. I didn’t really like this article, though; it seems to bounce around quite a bit.

Who cooks your Chinese food? Possibly (probably?) an underground worker from The Kitchen Network. There’s a lot more anecdote here than data, but the way the network operates is crazy. Pay a “work agency” some money and get a bus number and a phone number. Get on the bus, get off in the middle of nowhere, call the number, boss picks you up. You know nothing about the job before then, not even the name of the restaurant. The workers generally don’t know English, and so they are dependent on their handlers to help make arrangements and navigate the world. It’s not in the bosses’ interest to educate their workers, and even the workers don’t seem interested in helping each other, preferring to keep whatever knowledge they have to themselves.

Continue reading on the power of proprietary information...

Posted 2014-10-09 20:35:29 by tedu Updated: 2014-10-09 20:35:29
Tagged: magreview

features are faults

Reflections on a few security vulnerabilities; some recent, some less so.

Rails JSON/YAML bug (CVE-2013-0333). ShellShock (CVE-2014-6271). What do they have in common? A feature which nobody knew existed was plugged into the internet. Rails and bash were arguably working as designed. Unfortunately, parsing all the strings with all the parsers as a general operating principle turns out to have negative security implications. It sure is convenient for all zero people who know about the feature, but less so for the rest of us.

Continue reading features are faults...

Posted 2014-10-07 23:43:54 by tedu Updated: 2014-11-24 19:05:21
Tagged: security software thoughts

opting in to airport scanners

For the past few years, I’d been opting out of the new airport scanners. Initially I had several reasons for this decision, but over time things changed, and after some reflection I realized the most compelling rationale I now had each time I opted out was “I opted out last time.”

Initially I was most concerned about the possible effects of the backscatter scanners. Maybe they’re safe or maybe not, but it seemed like an untested theory at the time. I’m comfortable with the millimeter wave scanners, but keeping track of what was what seemed like a chore. Easiest to say no to the entire category. Now that the backscatter machines are only installed wherever else, but not at airports, that’s one reason down.

Continue reading opting in to airport scanners...

Posted 2014-10-07 23:43:45 by tedu Updated: 2014-10-07 23:43:45
Tagged: politics rants

funding topologies

“Startup culture starting to resemble a pyramid that has folded in on itself, exploring funding topologies Ponzi never dreamed of” - Pinboard

Funding topology is definitely a subject worthy of further research.

Posted 2014-10-03 18:24:49 by tedu Updated: 2014-10-03 18:24:49
Tagged: business quote