guest - flak

Lo and Behold

Werner Herzog reflects on the reveries of the connected world. There are a lot of short sequences here, but not much tying them together.

We start in the building with the ugly hallways at UCLA where the first internet connection was established. The first message transmitted was supposed to be “login”, but the machine crashed after “lo”. Lo and behold.

The inventor of cut and paste doesn’t like what’s been done to it.

The internet (or perhaps just computers, the movie is somewhat fluid about the internet and networks and computers in general) drives cars, folds genes, and plays soccer.

The internet also sends a father pictures of his decapitated daughter. Coincidentally, Time’s cover story is How Trolls are ruining the Internet.

We travel to the woods to meet people with electromagnetic sensitivities. One woman sleeps on the floor because the earth’s natural frequency is 7.83 Hz. There’s also some fiddling.

People are addicted to the internet and play games while their children starve.

In 1859 there was a huge solar flare, known as the Carrington Event. If it happens again, billions of people will die.

If humans colonize Mars, we’ll communicate with them using the internet.

Kevin Mitnick is the most famous hacker at Defcon. He tells a pretty good story about a time he tried to get somebody at Motorola to upload their source code to his server, but she couldn’t because the destination wasn’t a recognized IP on their network. So she talked the security officer into letting her use a proxy and complete the transfer. Humans are always the weakest link.

We talk about not talking about cyberwar. “Nod your head if you’ve heard the phrase Titan Rain.”

What does the internet dream about?

The internet of things seems unnecessary.

The robot AIpocalypse is coming.

Young people don’t think these days. They just look at numbers from a computer.

Posted 2016-08-25 01:00:09 by tedu Updated: 2016-08-25 01:00:09
Tagged: moviereview

charge this

The Times asks, Should you charge your phone overnight? The answer is obviously no. I mean, yes. Or, maybe.

As the Times points out, your phone won’t overcharge. No harm there.

But, but, but... all charging “harms” your phone. Which is both alarming and useless. What am I supposed to do? Not charge it? That’s not very useful. But apparently I can charge it if I’m replacing it in two years, which sounds like it has the cause and effect somewhat reversed. Nor does it provide me with a plan if I intend to keep it.

Finally, the article drops a hint that the real issue is that fast charging pushes a lot of current into the battery, which may shorten the lifespan. This makes some sense as I understand battery chemistry. Their suggestion to use a lower rated charger seems pretty weak however. It may work, but it’s haphazard.

Keep in mind that I am not an officially licensed li-ion whisperer.

Modern chargers switch between constant current (when the battery is low) and constant voltage (when the battery is nearing full). Refer to AnandTech charge graph.

If we want to avoid the damaging high current charging, then we should aim to charge our phones frequently, topping them up with low current charging. I believe the Times article misleadingly suggests minimizing the number of charges; i.e., letting it run down and then charging, which would actually result in the most exposure to high current charging.

Posted 2016-08-24 00:54:06 by tedu Updated: 2016-08-24 00:56:20
Tagged: gadget

New Yorker May 16

Another “Innovators Issue”. Fell a little behind in my reading, but this is a good issue with some great pieces.

A Whole New Ball Game. There’s a little robot ball called Sphero which can be used to teach kids programming and such. Although this proves challenging when the kids are young and would prefer to play with something that also makes a great toy. Learning can (should) be fun, but I’d say they’re aiming a little young when all the code that gets written is “Roll 3 seconds”. And of course the resemblance to the (wholly unnecessary) BB-8 Star Wars droid drives more demand. How much do kids really learn, or is this just tossing money at the latest fad? There’s a rather unsubstantiated claim at the end that recreating a solar system with Spheros means students are “doing really advanced math”. But what does that mean? Are they driving them in plain circles, or is it a real nine body gravity simulation? Tricking students into solving the latter, without even knowing it, would be amazing indeed.

Continue reading New Yorker May 16...

Posted 2016-08-22 04:04:10 by tedu Updated: 2016-08-22 14:33:12
Tagged: magreview

all that’s not golden

Several stories and events recently that in some way relate to backdoors and golden keys and security. Or do they? In a couple cases, I think some of the facts were slightly colored to make for a more exciting narrative. Having decided that golden keys are shitty, that doesn’t imply that all that’s shit is golden. A few different perspectives here, because I think some of the initial hoopla obscured some lessons that even people who don’t like backdoors can learn from.

Secure Boot

Microsoft added a feature to Secure Boot, accidentally creating a bypass for older versions. A sweet demo scene release (plain text) compares this incident to the FBI’s requested golden keys. Fortunately, our good friends over at the Register dug into this claim and explained some of the nuance in their article, Bungling Microsoft singlehandedly proves that golden backdoor keys are a terrible idea. Ha, ha, I kid.

Continue reading all that’s not golden...

Posted 2016-08-18 18:52:56 by tedu Updated: 2016-08-22 21:52:27
Tagged: security thoughts

computers for parents

Recently had the experience of getting new computers for my parents. The plan was to deliver a chromebook for my mother, but coincidentally the power supply or something in my father’s computer had given up. So mom would get new software and dad would get new hardware. Some observations.

My mother was already using chrome on a Thinkpad running Windows, so how different could it be running chrome on a chromebook? Let me count the ways...

First off, mother is one of those people who likes to click the little button at the bottom of the scroll bar to move the page. I don’t think I’ve ever done this, but that’s how she does things. So immediately upon starting up, this is a problem. I spend some time teaching her how two finger scroll works. Two fingers on the touchpad, no, not too close together, now push down, no, both fingers at once, don’t twist, straight lines, no, lift up to start over, there, nope, too close, that’s just one finger, ok, good.

Continue reading computers for parents...

Posted 2016-08-17 23:17:14 by tedu Updated: 2016-08-18 00:28:26
Tagged: computers software

connect doesn’t restart

There was an interesting bug where pkg_add failed when resizing the terminal. The bug was actually in ftp, specifically the way it calls connect. When the terminal is resized, SIGWINCH is sent, and because ftp installs a handler for it, the in-progress connect system call is interrupted and fails with EINTR. Some syscalls are transparently restarted after the handler returns, but connect is not among those that do. This may be a little surprising, because the previous bug involved the server side counterpart to connect, accept. On the server, accept restarts, but on the client, connect does not.

Behind the scenes, what’s happening? As the man page says, connect “initiates a connection on a socket”. It doesn’t say much about finishing the connection, though, which may be a bit surprising. Depending on whether the socket is blocking or nonblocking, there are two ways that may happen. This all assumes TCP, which involves some interplay of SYNs and ACKs that does not take place instantaneously. (Which explains why accept behaves differently: it only hands back a connection once the handshake is complete, so it is never in a half-connected state.)
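The handling described above, written out as an added example (this is not ftp’s code, and the names connect_intr, connect_finish, demo_connect and loopback_listener are mine). The point it demonstrates: once connect has been interrupted, the SYN is already on the wire, so calling connect again is the wrong fix. The right one is to wait for the socket to become writable and then read the result of the handshake from SO_ERROR, which is exactly what a nonblocking connect that returned EINPROGRESS needs too. The self-test at the bottom is constructed: it talks to a listener on 127.0.0.1 with a kernel-chosen port and needs no real network.

```c
#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Calling connect() again after EINTR is wrong: the SYN is already out, so the
 * retry fails with EALREADY or EISCONN. Instead wait for the socket to become
 * writable and read the handshake's outcome from SO_ERROR. The same tail
 * completes a nonblocking connect() that returned EINPROGRESS. */
static int
connect_finish(int fd)
{
	struct pollfd pfd = { .fd = fd, .events = POLLOUT };
	int err = 0, n;
	socklen_t errlen = sizeof(err);

	while ((n = poll(&pfd, 1, -1)) == -1 && errno == EINTR)
		;	/* poll() is not restarted on signals either, so loop */
	if (n == -1)
		return -1;
	if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &err, &errlen) == -1)
		return -1;
	if (err != 0) {
		errno = err;	/* ECONNREFUSED, ETIMEDOUT, ... */
		return -1;
	}
	return 0;
}

/* Drop-in for connect() that survives SIGWINCH and friends (hypothetical name). */
int
connect_intr(int fd, const struct sockaddr *sa, socklen_t salen)
{
	if (connect(fd, sa, salen) == 0)
		return 0;
	if (errno == EINTR || errno == EINPROGRESS)
		return connect_finish(fd);
	return -1;
}

/* Listener on 127.0.0.1 with a kernel-chosen port, written back to *sin. */
static int
loopback_listener(struct sockaddr_in *sin)
{
	int s = socket(AF_INET, SOCK_STREAM, 0);
	socklen_t len = sizeof(*sin);

	memset(sin, 0, sizeof(*sin));
	sin->sin_family = AF_INET;
	sin->sin_addr.s_addr = htonl(INADDR_LOOPBACK);
	if (s != -1 && (bind(s, (struct sockaddr *)sin, len) == -1 ||
	    listen(s, 1) == -1 || getsockname(s, (struct sockaddr *)sin, &len) == -1)) {
		close(s);
		s = -1;
	}
	return s;
}

/* Constructed self-test over loopback. nonblocking makes connect() return
 * EINPROGRESS so connect_finish() does the work; refuse closes the listener
 * first so the handshake ends in RST. Returns 0 on success, otherwise the
 * errno of the failed connect. */
int
demo_connect(int nonblocking, int refuse)
{
	struct sockaddr_in sin;
	int lsock = loopback_listener(&sin), c, rv;

	if (lsock == -1)
		return errno;
	if (refuse)
		close(lsock);
	if ((c = socket(AF_INET, SOCK_STREAM, 0)) == -1)
		return errno;
	if (nonblocking)
		fcntl(c, F_SETFL, fcntl(c, F_GETFL) | O_NONBLOCK);
	rv = connect_intr(c, (struct sockaddr *)&sin, sizeof(sin)) == 0 ? 0 : errno;
	close(c);
	if (!refuse)
		close(lsock);
	return rv;
}

int
main(void)
{
	printf("blocking: %d\n", demo_connect(0, 0));
	printf("nonblocking: %d\n", demo_connect(1, 0));
	printf("refused: %d (ECONNREFUSED is %d)\n", demo_connect(1, 1), ECONNREFUSED);
	return 0;
}
```

The poll loop matters as much as the getsockopt: a second SIGWINCH while waiting interrupts poll too, and that one can simply be retried because nothing has been consumed. Reading SO_ERROR also clears it, so read it once and keep the value.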

Continue reading connect doesn’t restart...

Posted 2016-08-15 21:00:54 by tedu Updated: 2016-08-15 21:00:54
Tagged: c openbsd programming

new shadow passwd functions

Long, long ago, password hashes were kept in the /etc/passwd file. This is obviously bad because it allows users to pry into other users’ hashes, attempting to crack them. The solution was to move the real hashes to another file, called master.passwd on OpenBSD. BSD systems also turn the text passwd files into a database file so that calling getpwnam is fast even with thousands of users on a 10 MHz VAX.

On some systems, e.g. Linux, there are two sets of functions. Normal functions like getpwnam that open the regular passwd files, and shadow functions like getspnam that open the files with password hashes. The problem is that struct passwd and struct spwd are not the same, making it difficult to write code that can work with both variants. Everything must be written twice, even though the code will be identical except for a few characters difference.

On BSD systems, the shadowed password files were integrated into the regular functions. Calling getpwnam will first attempt to open spwd.db and if that fails, will open the world readable pwd.db file without passwords. The same set of functions can be used for authentication programs like login and for user utilities like ls.

The downside to this second approach is that user utilities run as root still open the shadow files. If one were to discover an infoleak in ls that dumped memory contents, and tricked root into running it, and then tricked root into showing the output, that may result in a leak of the password hashes. Unlikely, but ungood.

New in OpenBSD 5.9 were a set of shadow functions such as getpwnam_shadow. These are documented to open the shadow password database, although in 5.9 the existing functions still opened it as well. Starting with 6.0, the default functions no longer attempt to open the shadow database. Code which wishes to check passwords needs to use the shadow flavor of functions. However, the changes are very minimal, only requiring a change to the name of a single function call.

Posted 2016-08-12 18:27:39 by tedu Updated: 2016-08-12 18:27:39
Tagged: openbsd

xautobacklight

Some newer laptops adjust the screen brightness according to ambient light in the room. This is fairly annoying in most cases, because what I really care about is the relative brightness of the screen contents. White web pages are too bright in a dark room. Fortunately, there’s a tool, Lumen, which can adjust the backlight based on actual brightness. Unfortunately, it’s for somebody else’s computer.

In order to write xautobacklight we need to do about three things. We need to measure the screen brightness (and consequently detect changes). We need to adjust the backlight to a comfortable level. And, as a bonus, we need to fiddle with the contrast.

Continue reading xautobacklight...

Posted 2016-08-09 17:33:25 by tedu Updated: 2016-08-09 19:11:10
Tagged: openbsd project x11

it’s hard work printing nothing

It all starts with a bug report to LibreSSL that the openssl tool crashes when it tries to print NULL. This bug doesn’t manifest on OpenBSD because libc will convert NULL strings to “(null)” when printing. However, this behavior is not required, and as observed, it’s not universal. When snprintf silently accepts NULL, that simply leads to propagating the error.

There’s an argument to be made that silly error messages are better than crashing browsers, but stacking layers of sand seems like a poor means of building robust software in the long term.

As soon as development for the next release of OpenBSD restarted, some developers began testing a patch that would remove this crutch from printf.

Continue reading it’s hard work printing nothing...

Posted 2016-08-08 17:00:03 by tedu Updated: 2016-08-08 18:12:38
Tagged: c openbsd programming

random failures

Lots of examples of random numbers failing, leading to cryptographic failure.

The always classic Debian, OpenSSL, and the year of the zero.

The time Sony signed Playstation code with the same nonce and leaked the keys.

Samy phpwned session IDs.

The Bitcoin app Blockchain used random.org for entropy. Bonus giggles for not following the HTTP redirect, but actually using “301 Moved Permanently” as a random number.

The paper Mining Your Ps and Qs has pretty extensive investigation into weak keys on network devices, many of which result from poor entropy.

Continue reading random failures...

Posted 2016-08-05 18:15:21 by tedu Updated: 2016-08-19 04:19:31
Tagged: gadget security software