I presented a talk about signify at BSDCan on Friday. It went really well; during and after the talk many people told me I was wrong.

more...

I generally like my iPhone. I think it’s fairly secure, and Apple seems pretty motivated to keep it that way (even if they don’t have the purest intentions, caring perhaps more about jailbreaking than my safety). But the way the way they go about releasing security fixes is terrible.

Highlighting two lines from a preview of iOS 8.3. First:

“As always, it’s a good idea to wait a few days to see if the update causes any problems.”

Sound advice. My phone is pretty important. I don’t like when it doesn’t work.

“As always, the iOS update includes a slew of security fixes.”

Cupertino, we have a problem.

I figure 24 hours is about the amount of time it takes from a security patch to be released until weaponized exploits show up. After that, if you’re not patched, you’re living dangerously, depending on the nature of the bug. Bundling new features with a high risk of regression with security fixes means users wait to upgrade.

The iOS 8.3 update is 280MB. It can’t even be downloaded over the air, only via wifi. Security patches are important enough that they should always be made available separately. Then I could download them, even OTA, without fear of regression.

What aggravates me most is that this is business as usual. As always. We’re training people not to patch. Users should be embarrassed to admit they’re running unpatched software; instead it’s regarded as the prudent choice.

Browsing the web for a bit, noticed the laptop fan come on. This is quite unusual on my new X1 Carbon, but maybe there’s some eyeball counting javascript gone wild? Close the tab, fans stay on. More unusual.

Run top. Mysteriously, the system is busy but all the processes seem idle. Watch it a bit more, pound the spacebar, and finally notice the occasional login_passwd flickering among the top processes. There’s probably a more scientific means to discover what’s up, but this worked well enough. I’m not logging in, so who is? Check /var/log/authlog.

Apr  5 08:08:10 carbolite sshd[15309]: Failed password for root from 43.255.190.148 port 50211 ssh2
Apr  5 08:08:10 carbolite sshd[15309]: Failed password for root from 43.255.190.148 port 50211 ssh2
Apr  5 08:08:10 carbolite sshd[30446]: Failed password for root from 43.255.190.154 port 49092 ssh2
Apr  5 08:08:11 carbolite sshd[15309]: Failed password for root from 43.255.190.148 port 50211 ssh2
Apr  5 08:08:11 carbolite sshd[30446]: Failed password for root from 43.255.190.154 port 49092 ssh2
Apr  5 08:08:11 carbolite sshd[30446]: Failed password for root from 43.255.190.154 port 49092 ssh2

Ah, yes, of course. That would make the fans go.

root:$2b$12$criWVll1Nov9AXQpDU2GyO/tczU87cNGYcWpcUyQx/zimHWA7HgjC:0:0:daemon:0:0:Charlie &:/root:/bin/ksh

At close to half a second per guess, 3 guesses per second will keep things busy.

carbolite:/var/log> grep "root from 43.255" authlog | wc  
    2056   28784  205001

And that will keep things warm.

Usually my laptop is safe and sound inside my network and not prone to remote thermal control, but it happened to be connected to a public net today. How else would anyone hunt for root’s Easter Eggs?

The OpenBSD 5.7 release is still a month away, but the changes have been done for some time. The release page lists lots of changes, though certainly not all, and sometimes it’s hard to tell the big changes from the small changes. Annoying perhaps, but rewarding to someone who reads through the entire list looking for hidden gems. A few notes about changes I found personally interesting.

more...

Security may be a process, not a product, but security patches are definitely a product. Some reflections on a few recent experiences making security sausage, er, patches.

more...

The primary product of the OpenBSD project is the OpenBSD operating system, but sometimes other artifacts are produced as byproducts. Avant-garde web site design, funny email threads. Also, reusable code that can be beneficial to other developers, outside the strict confines of OpenBSD.

more...

Some early followup from efforts to improve browser security with more details about possible refinements to W^X.

more...

WTF is this? No, this is not a git mirror. Not here, not there, not anywhere.

more...

What’s the difference between the following length and pointer pairs?

more...

I’m guessing only a few wikipedia editors view articles about smartphones using a smartphone.

At least now I know the iPhone 6 has a slate form factor.