flak rss random

go regexp.Replace notes

I had some code which did some repeated regexp.Replace operations. This is not the best way to do things, but it worked. It wasn’t noticeably slow, but just from inspection there’s some inefficiencies. It’s possible to speed to things up without rewriting it substantially, at some cost to clarity.

more...

Posted 02 Dec 2019 11:39 by tedu Updated: 02 Dec 2019 11:39
Tagged: go programming

ryzen build (for openbsd)

I like my computers fast and light, and thus the preference for Thinkpad X1 models and the like. But recently I’ve been playing more with my Samsung ultrabook and it’s definitely a step back in the performance department. But then I thought, what if we get a really fast desktop and remote into it? The classic solving a problem by turning it into two problems.

more...

Posted 01 Dec 2019 21:57 by tedu Updated: 01 Dec 2019 21:57
Tagged: computers

wireless ear buddies

Four years ago I determined the Sony MDREX15LP were the best cheap earbuds. Since then I’ve gone through many pairs. I continued to use one pair after another (they don’t really wear out, usually I lose a pair somehow) with a lightning to headphone adapter, but that’s starting to fray after some hard living.

more...

Posted 31 Oct 2019 21:46 by tedu Updated: 01 Nov 2019 00:23
Tagged: gadget review

please note gosumdb caches 410

Starting with go 1.13, the go.mod proxy server is enabled by default. Part of, or adjacent to, the proxy is also a checksum database. It caches things, and in particular it caches negative results, which may be surprising or frustrating. One option is to avoid it entirely, but should you use the proxy, it has some caveats.

more...

Posted 24 Oct 2019 05:02 by tedu Updated: 24 Oct 2019 05:02
Tagged: go software

samsung ativ book 9

The Samsung ATIV Book 9 (note: no Plus) is a slightly older laptop from 2015, but I happened to find one on the cheap. In essence, it is the PC version of the 12 inch retina macbook. I thought it would make a good alternative travel laptop, but the usual selling price is a bit steep unless you find a good bargain. I did, so here I am and here it is.

more...

Posted 21 Oct 2019 22:35 by tedu Updated: 21 Oct 2019 23:18
Tagged: computers review

a theory of stack ranked enhancement requests

Every software project has a backlog of enhancement requests, unimplemented features. It may be explicitly tracked in a database, or perhaps just a sort of informal consensus among developers. Whether officially acknowledged or not, it exists.

more...

Posted 27 Sep 2019 16:44 by tedu Updated: 27 Sep 2019 16:44
Tagged: software thoughts

some more books 3

Complex systems are hard to debug. When there’s too many pieces for any one person to understand, how can we know what we know?

more...

Posted 23 Sep 2019 21:35 by tedu Updated: 23 Sep 2019 21:35
Tagged: bookreview

how to read a blog post that omits explanation

Some people write blog posts. Some people read blog posts. Sometimes readers find that the writers do not explain everything they expected to be explained. I typically prefer to write about things other than my own writing, but occasionally there are exceptions.

more...

Posted 05 Sep 2019 15:33 by tedu Updated: 05 Sep 2019 15:34
Tagged: rants

warning: implicit backdoor

One way to slip malicious code into a project is to hack into their build server and just drop it in. Messy. Another way is to hack a trusted developer’s machine and alter the code there so that they commit it, but it might get spotted during code review. A third way is to become a developer, then yourself commit a seemingly innocuous patch containing an obfuscated backdoor. This is sneaky. Even better is to have somebody else intentionally commit the backdoor for you.

code

Consider this code to allocate some buffers.

void *
allocatebufs(int num)
{
    size_t limit = 256;

    if (num > limit)
        return NULL;
    return malloc(num * 64);
}

This isn’t top quality code, but it’s totally safe and secure. It does however trigger a warning about signed vs unsigned comparisons. Many developers don’t like to see those. Some will even try to fix it.

void *
allocatebufs(int num)
{
    size_t limit = 256;

    if (num > (int)limit)
        return NULL;
    return malloc(num * 64);
}

Now the warning is gone. And they’ve introduced a serious security hole.

If you’re a sneaky bastard, you might write the first code and submit it, knowing that a trusted developer somewhere down the line will alter it. And you’ve got perfectly plausible deniability. Your code was secure. They introduced the bug.

thoughts

This is just a thought experiment, and you can dissect it with the razor of your choosing, but what I think is interesting is the paradox of plausibility. What happened? The most likely explanation is the mundane one, that it’s just an accident. People introduce bugs like this with alarming regularity. No reason to suspect foul play. But it’s the dependable regularity of such errors that make the attack possible. If people didn’t introduce bugs fixing harmless warnings, the attack would never succeed.

(There was a concrete incident, somewhat similar, although this is not meant to be a comment on any particular patch or fix.)

Posted 04 Sep 2019 15:18 by tedu Updated: 04 Sep 2019 15:18
Tagged: programming thoughts

some more books 2

We’ve got the band back together and we’re ready to rock!

more...

Posted 03 Sep 2019 12:54 by tedu Updated: 03 Sep 2019 12:54
Tagged: bookreview software