Just in time for stolen password database month. I am trying to reset my Comcast password and I’m having a remarkably hard time typing the same password twice. Over and over, the two passwords never match. I’m a fairly decent typist, this shouldn’t be happening. Eventually I notice the second password is always one (obscured) character longer. WTF?

Comcast has some javascripty overlay box that tells you all the rules (min length, a-z, 0-9, etc.) that hovers around until your password conforms. It appears to work by watching the input box and disappearing when you have a winner. And by work, I mean not work. When your password finally passes muster, whatever keystroke you hit gets eaten entirely and never makes it into the box. No wonder the second password never matched.

Finally solved this by typing my password one letter at a time, waiting for a character to disappear into the abyss, typing that character again, and then finishing the password. I don’t understand how this happens. You actually have to go out of your way to be this incompetent.

I have a song on my iPod, “Don’t Pull Your Love” (nonsensical fake video) by the grammatically ambiguous Hamilton, Joe Frank & Reynolds. Three dudes, four names (two first, two last). The software on my iPod Nano sees this and decides that at some point in the past some other software must have mangled up the artist name, and therefore the Nano must attempt to unmangle it. Result: appearing in both the artist directory and as the song artist I have Joe Frank & Reynolds Hamilton.

Update: It appears the iPod is not to blame, but Apple certainly is. The song was purchased through iTunes, but the artist info in the .m4a file is wrong, too. The corruption goes all the way to the top!

The album title (Hamilton, Joe Frank & Reynolds-Greatest Hits) did escape unmangled, perhaps due to the dash or perhaps because only artist names get special treatment.

Many moons ago I worked on a Windows graphical shell for Tarsnap. It never really went anywhere and I mostly forgot about it.

I was never quite sure what people wanted from such a client, which is partly why development stalled. If you just want something a little easier to use (click buttons, browse folders, etc.), I’ve got you covered. If you wanted some sort of Enterprise Workgroup management interface, I figure you already have far greater access to and familiarity with tools that can help do that than I do.

The one pain point I can imagine individual Windows users having that isn’t solved is simply getting Tarsnap running. Compiling Tarsnap from source may be outside the comfort zone of a lot of users. (As far as I know, the only way to compile or run tarsnap.exe is via cygwin.) Maybe I could host a Windows version, but do you trust me? Also there’s the problem of the cygwin dependency. It’s actually only a few DLLs which can be easily copied, but then I’m on the hook for providing the source to build cygwin1.dll, too. FWIW, once you’ve gotten tarsnap.exe built, it’s easily portable to other Windows systems that don’t have cygwin. Details in the readme.txt file.

Yesterday, Ars reported that several cell phone manufacturers have made the rather unremarkable claim that when a phone is turned off, it is off. Some of them did speculate about the possibility of some intriguing malware that causes your phone to look off even when it’s not. This was only an issue because somebody told the Washington Post that the NSA could track a phone even when it’s off.

more...

“an evil vampire squid just ate a black swan and then pooped toxic waste onto innocent homeowners.” - yummyfajitas

From time to time, the old Debian OpenSSL bug resurfaces in a conversation. Usually resulting in somebody (not everybody, but at least one person) drawing completely wrong conclusions. Many of the writeups I’ve read focused on the real bug, which is tricky, because the real code is... real. It’s scattered throughout several files and many functions. I think recreating a conceptually similar bug, but with all the code in one place, will make it easier to understand.

more...

Very early thoughts. Upgraded from the iPad 4 because that was too heavy. Almost went with the new iPad Mini, but reading magazines is a primary use case for me and I wanted something that more closely matched a real magazine in size. Also, the Mini isn’t shipping yet while the Air is sitting on my lap.

more...

Once upon a time, Google Reader shut down, and everybody scrambled to write a replacement. I didn’t actually use Reader or any RSS reader, but writing one seemed like a great idea. I’m quickly learning to regret that decision.

Let’s consider just one terribly difficult task, extracting the link to a post. Maybe the <id> element?

<id>tag:blogger.com,1999:blog-4341554630550651649.post-8843802384533935675</id>

That doesn’t look very clickable, but nobody said it should be, so let’s move on. Maybe it’s one of the aptly named <link> elements?

<link rel="replies" type="application/atom+xml" href="http://blog.cryptographyengineering.com/feeds/8843802384533935675/comments/default" title="Post Comments" />
<link rel="replies" type="text/html" href="http://blog.cryptographyengineering.com/2013/10/lets-audit-truecrypt.html#comment-form" title="65 Comments" />
<link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/4341554630550651649/posts/default/8843802384533935675?v=2" />
<link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/4341554630550651649/posts/default/8843802384533935675?v=2" />
<link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/AFewThoughtsOnCryptographicEngineering/~3/R0_NjwyIhqI/lets-audit-truecrypt.html" title="Let's audit Truecrypt!" />

That last one looks promising, but it’s also kind of fucked up. Can’t I just get a normal link? Oh, here we go:

<feedburner:origLink>http://blog.cryptographyengineering.com/2013/10/lets-audit-truecrypt.html</feedburner:origLink>

Hurray! But, but, but... Nooooo, what’s this?

<feedburner:origLink>http://feedproxy.google.com/~r/AFewThoughtsOnCryptographicEngineering/~3/EIOZbNuZhXc/lets-audit-truecrypt.html</feedburner:origLink>

WTF Google? Why are there two original links? What definition of original are we using here?

(To be clear, and for even more added bonus fun, the second origLink element only shows up sometimes. Welcome to the cloud. Why be correct when you can be available?)

As per Old New Thing, a thread can start running before the function that creates it returns. The same bug can exist in a program running on OpenBSD. (The bug is not in the thread library, but the program that calls it.) Here’s a bit of code from the body of rthread.c:pthread_create.

        _spinlock(&_thread_lock);
        LIST_INSERT_HEAD(&_thread_list, thread, threads);
        _spinunlock(&_thread_lock);

        /* we're going to be multi-threaded real soon now */
        __isthreaded = 1;
        rc = __tfork_thread(&param, sizeof(param), _rthread_start, thread);
        if (rc != -1) {
                /* success */
                *threadp = thread;
                return (0);
        }

Notice that we have to put the newly allocated thread structure in the thread list before the thread itself exists, otherwise we’d be subject to the race ourselves.

The old pthread regress tests had several examples of exactly this bug because they were written against a cooperative multithreaded library. Finding and fixing those was just a little bonus fun I had while trying to track down early bugs in rthreads.

What happens when you call cprintf("name: %s\n", NULL); in C? If you’re running Apple iOS, something like this: