guest - flak

meaningful short names

Why don’t unix commands have any vowels in the name? cp and mv are obviously devoweled standins for copy and move. But they’re less intuitive for new users. The user wants to copy a file. Why shouldn’t the name of the command be exactly the operation the user wants to perform?

What exactly does the user want to do? Instead of copying files, maybe I want to link two files. What does that mean? In unix, we have hard links and symbolic links. If I replace the “original” file, do I want the link to refer to the original file or the replacement? Or maybe what I mean by link two files is to combine two object files into an executable. Do we call that loading instead? ln is the name of a command, but link is the name of a concept.

grep is a remarkably useful tool, but with a most unintuitive name. Why not call it find like Windows does? I want to find some text, I run find. So obvious. But some users may want to find files in the filesystem, not strings in a file. What command do they run? Probably locate.

There may be a great deal of historical accident in the names of commands (what if the inventors of awk had different initials?), but that doesn’t mean we can’t recognize the value of unique and precise identifiers.

Posted 2017-03-03 02:31:53 by tedu Updated: 2017-03-03 02:31:53
Tagged: rants software

chromebook printing troubles

I have a chromebook which is quite nice for what it does. A dedicated browsing machine, fast and low maintenance. Alas, I am sometimes required to go outside, and worse yet talk to people, and even worster, show those people information. It is inconvenient to hand over my phone, no rotate it back, your other yaw, scroll a little, here, oh wait, let me unlock it again. I print such things on paper. Double alas, the chromebook makes this difficult.

Something they don’t mention in the advertising for chromebooks is what the printing experience is like. I also forgot to ask because I figure if I can make OpenBSD print, someone on team chrome should be able to solve this problem as well. And oh boy, have they ever. Solved it, I mean. Not solved it well.

Continue reading chromebook printing troubles...

Posted 2016-10-24 19:41:17 by tedu Updated: 2016-10-24 19:41:17
Tagged: computers rants software

cloudflare and rss

Let’s say somebody has a blog that I’d like to read. Subscribe to even. Let’s say they have an RSS link on their page. This should be easy.

Now let’s say the blog in question is hosted/proxied/whatever by Cloudflare. Uh oh.

Just reading the blog in my browser is now somewhat hampered because Cloudflare thinks I’m some sort of cyberterrorist and requires my browser to run a javascript anti-turing test. But eventually the blog loads, I read it, click the RSS link to subscribe, see that it is in fact XML rendered in my browser, and copy the link.

I paste the link into my RSS reader, optimistically hoping to see new links arrive. But they never do. Check the logs. Seems I’m getting 503 server errors, which is Cloudflare’s way of saying, “It’s not us; it’s you. And fuck off.”

Apparently my feed fetcher is also a cyberterrorist. It’s also written in python and can’t solve browser detecting riddles because it doesn’t include a javascript engine because OMG why would fetching an RSS feed require javascript?

Now I’m somewhat less inclined to read said blog, but hey, at least the internet is being kept fast and secure from miscreants like me.

Posted 2016-09-16 04:59:40 by tedu Updated: 2016-10-05 17:59:11
Tagged: rants web

one reason to hate openbsd

The gcc-local man page, which documents local changes to the compiler, has this to say.

The -O2 option does not include -fstrict-aliasing, as this option causes issues on some legacy code. -fstrict-aliasing is very unsafe with code that plays tricks with casts, bypassing the already weak type system of C.

What does this mean and why should you care? The first part is easy to answer. Long ago, in the dark ages when legacy code was written, people used to write functions like this:

    float superbad(float f)
    {
        int *x = (int *)&f;
        *x = 0x5f3759df - ( *x >> 1 );
        return f;
    }

The C standard clearly says that objects are not to be accessed through incompatible pointers, but people did it anyway. Fucking idiots.

As for why one should care about the default setting of the compiler, the best answer I can give is that if you’re in a position to care, you probably know more than enough to form your own opinion and don’t need me to explain it to you. Otherwise, nobody cares except to the extent it confirms one’s own biases.

The strict aliasing optimization is disabled in gcc 4.2 because it was disabled in gcc 3.3. It was disabled in gcc 3.3 because it was disabled in gcc 2.95. It was disabled in gcc 2.95 because it was the year 1999.

The gcc-local man page continues with even more stupid options.

The -O2 option does not include -fstrict-overflow, as this option causes issues on some legacy code. -fstrict-overflow can cause surprising optimizations to occur, possibly deleting security critical overflow checks.

Lame.

The Strict Aliasing Situation Is Pretty Bad.
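As an added example (not from the post or the gcc-local man page), here is the aliasing-violating function rewritten with memcpy, which is the standard's sanctioned way to reinterpret the bits, next to an overflow check of the kind the man page says -fstrict-overflow can delete and a form of the check that does not rely on signed overflow. The names superbad_fixed, legacy_overflow_check and add_checked are my own.

```c
#include <limits.h>
#include <stdint.h>
#include <string.h>

/* The post's superbad(), rewritten so it no longer accesses a float
 * through an int pointer. memcpy() copies the object representation,
 * which the C standard permits, so -fstrict-aliasing cannot miscompile
 * it. Assumes a 32-bit IEEE float (true on every platform OpenBSD runs on). */
float superbad_fixed(float f)
{
    uint32_t x;
    memcpy(&x, &f, sizeof x);
    x = 0x5f3759df - (x >> 1);
    memcpy(&f, &x, sizeof f);
    return f;
}

/* An overflow check in the style the man page warns about. Signed
 * overflow is undefined behaviour, so with -fstrict-overflow the
 * compiler may assume a + b never wraps and rewrite "a + b < a" as
 * "b < 0", which silently discards the check. Shown for illustration;
 * it is not something to rely on. */
int legacy_overflow_check(int a, int b)
{
    int sum = a + b;          /* undefined if it overflows */
    return sum < a;           /* may be folded to (b < 0) */
}

/* A check that does not depend on signed overflow: test against the
 * bounds before adding. Returns 1 and stores the sum, or 0 on overflow.
 * Correct at every optimisation level, -fstrict-overflow included. */
int add_checked(int a, int b, int *out)
{
    if ((b > 0 && a > INT_MAX - b) || (b < 0 && a < INT_MIN - b))
        return 0;
    *out = a + b;
    return 1;
}
```

Compiling the second function with and without -fstrict-overflow and comparing the generated code is the quickest way to see the deletion the man page describes.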

Posted 2016-07-25 12:52:07 by tedu Updated: 2016-09-08 13:06:33
Tagged: c openbsd rants

best of seven elections

Here’s a proposal for a new voting system that solves the problems of day after regret and “I didn’t think it mattered” common to current voting systems. Over the course of seven days, seven independent elections are held, each with the same ballots. The results of each election are calculated separately, and the ultimate winner is the best of seven, or four. As an added wrinkle, each voter will be restricted to voting three times, although they may choose any three of the seven to participate in.

First, this solves the problem of voter regret. If, after your first vote, you realize you hung the wrong chad, casting the balance of the two remaining votes in opposition will effectively reverse it.

Second, it allows apathetic voters to see which way the wind is blowing. If the first few votes turn out to be very close, then newly interested voters will have the opportunity to express their opinion in the later elections. Turn-out-the-vote campaigns will be freshly energized by demonstrating how important each vote is. On the other hand, if the results can be decided early, those voters can spend their valuable time playing LoL.

Motivated voters can choose to vote early, in the vanguard, in an effort to establish momentum. Others may choose to hang back deliberately, saving their votes for a knock out in the later rounds.

Additionally, if a voter is unable to vote on a particular day because little Timmy fell down the well, this system provides them with multiple opportunities to cast a makeup vote (barring any last day mishaps).

Sounds like a plan?

Posted 2016-06-25 21:05:59 by tedu Updated: 2016-06-25 21:20:26
Tagged: politics rants

file considered harmful

Yes, actually harmful.

The file utility can be useful. Don’t know what program to open a file with? Run file and it will tell you. Of course, sometimes file will be wrong and misidentify the file type. This may be inconvenient, but at least as a user you still have the option of trying to run another program.

Except when you don’t. What happens when file (or its programmatic buddy, libmagic) is not a hint, but a gatekeeper? What happens when some application determines its behavior based on the output of file?

What happens is you can’t print on Tuesday.

Or you can’t print particular documents that contain inappropriate phrases.

Or you can’t launch a browser and consequently prevent Firefox from providing ASLR enabled builds.

Something tells me these won’t be the last three bugs.

A program that helps users is useful. A program that restricts users is harmful. Run file on your computer all you want, but don’t use file to limit what I can do.

Posted 2016-05-18 18:11:51 by tedu Updated: 2016-05-18 18:11:51
Tagged: bugs rants software

this week in astounding defaults

Ripped straight from the headlines, thrilling tales of things gone wrong because nobody asked for things to go right.

You may not write assembly, but you probably use libraries from people who do. Did they remember to insert the right magic flag?

ImageMagick can and will do lots of things you neither expect nor desire. Unless, of course, you configure it otherwise.

When using node.js and socket.io, don’t forget the default is unverified sockets.

By default, Telegram uses a sophisticated identity verification system known as text the user.

If you really don’t want logging, say nop nop nop three times.

Remember, it’s all there in the manual if you just take the time to read it. Tune in next week to learn what other documentation you should have read!

Posted 2016-05-06 04:44:40 by tedu Updated: 2016-05-06 04:49:12
Tagged: rants software

when i wore a younger fool’s cap

A few grumpy remarks about the amazing tale of Slack bot tokens on GitHub. Auth tokens used for business accounts get committed into Jurassic Park quote bots saved on GitHub, allowing random passersby to eavesdrop on your paradigm shifting startup’s latest pivot? That didn’t happen back in my day! Of course, since then multiple changes have combined to change the world. A perfect storm of convergence and disruption.

First off, let’s start with the centralized Slack service. Even if somebody stole your chat server credentials, they wouldn’t be of much use if your chat server wasn’t in the cloud. We used to run an IRC server with no credentials at all because it was only on the internal network. Not terribly secure, but we got by. If I built an IRC bot one weekend, it wouldn’t come with credentials for a critical service because it wasn’t developed with credentials for a critical service.

Continue reading when i wore a younger fool’s cap...

Posted 2016-04-29 02:13:23 by tedu Updated: 2016-04-29 02:13:23
Tagged: rants software thoughts

the future is arriving too fast

Because I am old, sometimes instead of watching new original content, I want to watch old preexisting content which is not available on Netflix or any other streaming service. Fortunately, there is a solution. Netflix also has a service which will mail me plastic circles that I can watch by putting them in my plastic circle player. I can manage the queue of such circles by using my browser. Ah, the wonders of technology.

Also because I am old, sometimes I go talk with other old people, in person, at bars and such. Mostly we reminisce about the old days, when we had to seduce people with words instead of pictures of our junk. But sometimes the conversation turns to entertainment, such as movies. Somebody might claim that Jupiter Ascending by the Wachowskis is the spiritual successor to The Matrix. This is obviously a claim that needs to be seen to be believed. (Though I recommend neither seeing nor believing.)

Continue reading the future is arriving too fast...

Posted 2016-04-06 18:35:40 by tedu Updated: 2016-04-06 18:35:40
Tagged: business rants web

when preloads go sideways

How hard is it to preload a PC with the software it needs to work? Really fucking hard.

superfish

Some time ago, Lenovo shipped some computers with a surprise gift: SuperFish. I like to imagine the business development units from each company in a meeting:

Superfish: It will add value!

Lenovo: How does that work exactly?

You give us customer eyeballs. In return, we give you money. Money is value.

But how does that add value for the customer?

Well, it’s their eyeballs we’re buying. Do the math!

Sold!

aftermath

Afterwards, we’d naturally expect various other vendors to take a look at the giftware they were bundling. Hahaha. Instead of actually changing anything about their product, Dell just updated their website:

Continue reading when preloads go sideways...

Posted 2016-01-22 21:09:22 by tedu Updated: 2016-01-22 21:09:22
Tagged: bugs rants security software

moderation in moderation

William “the Jar” Mason is a semi-famous programmer. Mostly retired, but his website still has some classic postings from early days working on essential software tools like vi and lynx. Unzealous Association is a link aggregator popular among people who like to read Mason’s articles.

The trouble begins one day when wjm decides that UA sends too much traffic his way. Like a denial of service. And so wjm responds by redirecting anyone with a referer of UA to a picture of a roast ham. (This is probably an overreaction. It’s not really the UA users at fault, but the many aggressively stupid bots that scrape all linked sites. But it has the desired effect of keeping links to wjm’s site off the front page.)

This action is not without collateral damage. It’s not just that headline links disappear, but also less trafficked links in comments are affected. This then incites an unhelpful mini thread on UA about how the internet works.

The UA response is to autokill any comments linking to wjm. The comment is hidden from most users, but remains visible to the author without any indication of what went wrong. (Also known as hellbanning, the nuclear option of troll containment.)

There are a couple other ways this could have played out. Possibly, if the UA software can detect wjm links in order to kill them, it could also skip adding the <a> tags. Users who cut and paste the link don’t have referer headers. Problem solved. Another option might be to simply ride it out and see if the complaint threads dissipate. Maybe wjm will even change his mind some day.

Unfortunately, when all you have is a trollhammer, all you see are trolls.

Posted 2015-12-21 15:35:00 by tedu Updated: 2015-12-21 15:35:00
Tagged: rants web

pinboard tips for web design

A few funnies sprinkled with a bit of insight and disappointment. And regret.

It’s 2015. Your team has to wake up determined and put in one hell of a work week to get web pages to render slowly. And yet so many succeed. tweet.

My modest proposal: your website should not exceed in file size the major works of Russian literature. Anna Karenina, for example, is 1.8 MB. tweet.

If your design team insists on including a lot of Javascript cruft and CSS resets, make them write it all out longhand with a quill pen. tweet.

Continue reading pinboard tips for web design...

Posted 2015-11-04 06:10:03 by tedu Updated: 2016-01-01 14:04:24
Tagged: quote rants web

reproducible builds are a waste of time

Sort of. Maybe. It depends.

Yesterday I read an article on Motherboard about Debian’s plan to shut down 83% of the CIA with reproducible builds. Ostensibly this defends against an attack where the compiler is modified to insert backdoors in the packages it builds. Of course, the defense only works if only some of the compilers are backdoored. The article then goes off on a bit of a tangent about self propagating compiler backdoors, which may be theoretically possible, but also terribly, unworkably fragile.

I think the idea is that if I’m worried about the CIA tampering with Debian, I can rebuild everything myself from source. Because there’s no way the CIA would be able to insert a trojan in the source package. Then I check if what I’ve built matches what they built. If I were willing to do all that, I’m not sure why I need to check that the output is the same. I would always build from scratch, and ignore upstream entirely. I can do this today. I don’t actually need the builds to match to feel confident that my build is clean. Perhaps the idea is that a team of incorruptible volunteers will be building and checking for me, much like millions of eyeballs are carefully reviewing the source to all the software I run.

Continue reading reproducible builds are a waste of time...

Posted 2015-09-08 17:55:54 by tedu Updated: 2015-09-19 20:19:36
Tagged: rants security software thoughts

bad robot

The best part of running your own server is definitely reviewing the logs. There are a lot of silly people out there, and each and every one of them has written a program that would like to visit your server.

The fun comes from watching each bot, then trying to guess the nature of the bug.

Continue reading bad robot...

Posted 2015-08-04 11:34:08 by tedu Updated: 2015-08-04 11:34:08
Tagged: rants software web

rolling expired certs

This wasn’t the post I intended to write today, but then I noticed that the certificate for www.tedunangst.com had expired, and repairing that became a prerequisite for getting anything else done. At the time, my first snarky thought upon discovering Firefox wouldn’t let me connect to my site anymore was “Oh, hurray, don’t I feel safe.” Then I went through the update nonsense and thought a bit more seriously about it.

My cert expired after a year because that seems to be the thing to do. I imagine there’s some nebulous threat model where somebody stole my server key and has been impersonating me for the past six months, but now they can’t. Although, if they stole the old key, they can probably steal the new key. I suppose we do this because revocation doesn’t work, but a six month half life is a long time to sit exposed.

Continue reading rolling expired certs...

Posted 2015-07-08 18:46:29 by tedu Updated: 2015-07-08 18:46:29
Tagged: rants security web

why did my fans come on?

Browsing the web for a bit, noticed the laptop fan come on. This is quite unusual on my new X1 Carbon, but maybe there’s some eyeball counting javascript gone wild? Close the tab, fans stay on. More unusual.

Run top. Mysteriously, the system is busy but all the processes seem idle. Watch it a bit more, pound the spacebar, and finally notice the occasional login_passwd flickering among the top processes. There’s probably a more scientific means to discover what’s up, but this worked well enough. I’m not logging in, so who is? Check /var/log/authlog.

    Apr 5 08:08:10 carbolite sshd[15309]: Failed password for root from 43.255.190.148 port 50211 ssh2
    Apr 5 08:08:10 carbolite sshd[15309]: Failed password for root from 43.255.190.148 port 50211 ssh2
    Apr 5 08:08:10 carbolite sshd[30446]: Failed password for root from 43.255.190.154 port 49092 ssh2
    Apr 5 08:08:11 carbolite sshd[15309]: Failed password for root from 43.255.190.148 port 50211 ssh2
    Apr 5 08:08:11 carbolite sshd[30446]: Failed password for root from 43.255.190.154 port 49092 ssh2
    Apr 5 08:08:11 carbolite sshd[30446]: Failed password for root from 43.255.190.154 port 49092 ssh2

Ah, yes, of course. That would make the fans go.

    root:$2b$12$criWVll1Nov9AXQpDU2GyO/tczU87cNGYcWpcUyQx/zimHWA7HgjC:0:0:daemon:0:0:Charlie &:/root:/bin/ksh

At close to half a second per guess, 3 guesses per second will keep things busy.

    carbolite:/var/log> grep "root from 43.255" authlog | wc
        2056   28784  205001

And that will keep things warm.

Usually my laptop is safe and sound inside my network and not prone to remote thermal control, but it happened to be connected to a public net today. How else would anyone hunt for root’s Easter Eggs?

Posted 2015-04-05 16:01:06 by tedu Updated: 2015-04-05 19:55:59
Tagged: openbsd rants security

invented by openbsd

The primary product of the OpenBSD project is the OpenBSD operating system, but sometimes other artifacts are produced as byproducts. Avant-garde web site design, funny email threads. Also, reusable code that can be beneficial to other developers, outside the strict confines of OpenBSD.

Unfortunately, sometimes this code doesn’t see the widest distribution. Often this can be the result of Not Invented Here syndrome, though other times it takes the appearance of a more pernicious problem. Invented by OpenBSD.

It was brought to my attention that NetBSD recently imported two OpenBSD functions, but reimplemented them in such a way as to be dangerously incompatible.

reallocarray

Continue reading invented by openbsd...

Posted 2015-03-10 07:03:09 by tedu Updated: 2015-03-17 02:43:31
Tagged: openbsd rants software

the wiki box is out of control

I’m guessing only a few wikipedia editors view articles about smartphones using a smartphone.

At least now I know the iPhone 6 has a slate form factor.

Posted 2015-02-15 10:25:36 by tedu Updated: 2015-02-15 10:25:36
Tagged: rants

twitter spam problem

It’s still fashionable to explain why (random internet company) is going downhill, right? Here’s why Twitter sucks. They have a spam problem and they’re not doing anything about it.

I occasionally search twitter for OpenBSD. Unfortunately, it’s been taken over by ad bots. Is it necessary to do the realtime search? Oftentimes, yes. Otherwise Twitter tends to keep showing me the same set of tweets from last week over and over.

Exhibit 1:

How can Twitter not detect bullshit accounts like this? You can try reporting them, which I have, but obviously that has had no effect.

For more giggles, exhibit 2:

When the name of the account even includes the word spam, surely that must be a hint?

Update

Twitter does have a spam filter! After posting this tweet I was notified I was posting too much spam and my account was locked.

Hi Ted Unangst, Your account appears to have exhibited automated behavior that violates the Twitter Rules.

Nothing to worry about. Twitter’s spam team is on the ball.

Posted 2015-02-01 02:44:23 by tedu Updated: 2015-02-11 00:48:04
Tagged: rants web