Veracode has a new blog post, A Tale of Two Compilers, about differing behavior when two compilers are faced with a subtle buffer overflow. It’s somewhat tangential to the main point, but I noticed that even though the compilers Veracode tested had stack overflow protection enabled, neither detected the bug or prevented the exploit. Detection and prevention of precisely this bug was a headline feature of the original ProPolice implementation. The version of gcc used in OpenBSD has changed several times since then, so I tested it to make sure it still works.

more...

While writing about sem_open, I initially used the word performant, until spell check complained. The internet confirms it’s not a real word, despite being easily understood. Suggested replacements are fast or efficient, but neither captures the entire range of meaning that performant has. One could say fast and efficient, but that sounds redundant and wordy. Why use three words when one will suffice? (I settled on efficient.)

It’s like somebody revokes the word status from lanky and says to use tall or skinny. Or tall and skinny. How about using the word that means what I want?

Dictionary be damned, I’m going to start using performant. It’s a perfectly performant word.

Support for shared named semaphores, ala sem_open, recently arrived in OpenBSD. (OpenBSD already supported single process thread shared semaphores, ala sem_init, and the old school SysV semaphores, ala semget.) There are still a few tweaks being made, but the internal design hasn’t changed in 24 hours so I figure it’s safe to discuss the implementation.

more...

Just in time for stolen password database month. I am trying to reset my Comcast password and I’m having a remarkably hard time typing the same password twice. Over and over, the two passwords never match. I’m a fairly decent typist, this shouldn’t be happening. Eventually I notice the second password is always one (obscured) character longer. WTF?

Comcast has some javascripty overlay box that tells you all the rules (min length, a-z, 0-9, etc.) that hovers around until your password conforms. It appears to work by watching the input box and disappearing when you have a winner. And by work, I mean not work. When your password finally passes muster, whatever keystroke you hit gets eaten entirely and never makes it into the box. No wonder the second password never matched.

Finally solved this by typing my password one letter at a time, waiting for a character to disappear into the abyss, typing that character again, and then finishing the password. I don’t understand how this happens. You actually have to go out of your way to be this incompetent.

I have a song on my iPod, “Don’t Pull Your Love” (nonsensical fake video) by the grammatically ambiguous Hamilton, Joe Frank & Reynolds. Three dudes, four names (two first, two last). The software on my iPod Nano sees this and decides that at some point in the past some other software must have mangled up the artist name, and therefore the Nano must attempt to unmangle it. Result: appearing in both the artist directory and as the song artist I have Joe Frank & Reynolds Hamilton.

Update: It appears the iPod is not to blame, but Apple certainly is. The song was purchased through iTunes, but the artist info in the .m4a file is wrong, too. The corruption goes all the way to the top!

The album title (Hamilton, Joe Frank & Reynolds-Greatest Hits) did escape unmangled, perhaps due to the dash or perhaps because only artist names get special treatment.

Many moons ago I worked on a Windows graphical shell for Tarsnap. It never really went anywhere and I mostly forgot about it.

I was never quite sure what people wanted from such a client, which is partly why development stalled. If you just want something a little easier to use (click buttons, browse folders, etc.), I’ve got you covered. If you wanted some sort of Enterprise Workgroup management interface, I figure you already have far greater access to and familiarity with tools that can help do that than I do.

The one pain point I can imagine individual Windows users having that isn’t solved is simply getting Tarsnap running. Compiling Tarsnap from source may be outside the comfort zone of a lot of users. (As far as I know, the only way to compile or run tarsnap.exe is via cygwin.) Maybe I could host a Windows version, but do you trust me? Also there’s the problem of the cygwin dependency. It’s actually only a few DLLs which can be easily copied, but then I’m on the hook for providing the source to build cygwin1.dll, too. FWIW, once you’ve gotten tarsnap.exe built, it’s easily portable to other Windows systems that don’t have cygwin. Details in the readme.txt file.

Yesterday, Ars reported that several cell phone manufacturers have made the rather unremarkable claim that when a phone is turned off, it is off. Some of them did speculate about the possibility of some intriguing malware that causes your phone to look off even when it’s not. This was only an issue because somebody told the Washington Post that the NSA could track a phone even when it’s off.

more...

“an evil vampire squid just ate a black swan and then pooped toxic waste onto innocent homeowners.” - yummyfajitas

From time to time, the old Debian OpenSSL bug resurfaces in a conversation. Usually resulting in somebody (not everybody, but at least one person) drawing completely wrong conclusions. Many of the writeups I’ve read focused on the real bug, which is tricky, because the real code is... real. It’s scattered throughout several files and many functions. I think recreating a conceptually similar bug, but with all the code in one place, will make it easier to understand.

more...

Very early thoughts. Upgraded from the iPad 4 because that was too heavy. Almost went with the new iPad Mini, but reading magazines is a primary use case for me and I wanted something that more closely matched a real magazine in size. Also, the Mini isn’t shipping yet while the Air is sitting on my lap.

more...