
openbsd changes of note 622

Catching up to current.


Posted 21 May 2017 16:41 by tedu Updated: 21 May 2017 16:41
Tagged: openbsd

experiments with prepledge

MP3 is officially dead, so I figure I should listen to my collection one last time before it vanishes entirely. The provenance of some of these files is a little suspect however, and since I know one shouldn’t open files from strangers, I’d like to take some precautions against malicious malarkey. This would be a good use for pledge, perhaps, if we can get it working.


Posted 20 May 2017 16:28 by tedu Updated: 20 May 2017 16:28
Tagged: c openbsd programming

documentation is thoroughly hard

Documentation is good, so therefore more documentation must be better, right? A few examples where things may have gotten out of control.


Posted 18 May 2017 20:24 by tedu Updated: 19 May 2017 02:48
Tagged: openbsd software

openbsd changes of note 621

More stuff, more fun.


Posted 15 May 2017 16:23 by tedu Updated: 19 May 2017 22:28
Tagged: openbsd

observations re packet socket exploit

A few thoughts I had after reading Exploiting the Linux kernel via packet sockets. Not really about the exploit itself, but what it reveals about the state of systems security.


Posted 10 May 2017 18:41 by tedu Updated: 10 May 2017 18:41
Tagged: security thoughts

HP Chrome Print fuckup du jour

Long story short, printing on a chromebook is still fucked, and now the incompetent dickheads who write drivers for HP have made things worse. With time and effort, however, one can still repair the damage. Writing this up in case somebody finds it useful, and because I have little doubt I’ll be referring to it again in the near future.

First, the problem: printing from a chromebook to a local network printer no longer works. There is an extension that used to make this possible. If one reads the reviews, one will quickly notice the many, many one star reviews saying that it doesn’t work. In particular, it used to work, but after the March 20 update it completely unhelpfully and uselessly does nothing but say “Printing unsuccessful”. That was more than a month ago. The rockstar talent at HP is apparently on tour and too busy to fix this.

Here’s the insane workaround. First we need the old version of the extension. Obviously Google will never let us have it, but there’s an archive site. Here’s the previous print extension. Download that. Rename the file to zip. Create a new folder and extract the contents of the zip file. Rename the _metadata folder to not_metadata. Open the chrome extensions panel. Delete the old HP Print extension. Flip into developer mode. Add an unpacked extension. Add back the printer IP address and rejoice.

For bonus fun, talk your mom through this procedure over the phone.

Posted 30 Apr 2017 22:00 by tedu Updated: 30 Apr 2017 22:00
Tagged: bugs rants software web

vuln disclosure and risk equilibrium

Some thoughts based on a series of tweets.


Posted 19 Apr 2017 14:37 by tedu Updated: 19 Apr 2017 14:39
Tagged: security thoughts

careful with the chrome HSTS

Updated to chrome and noticed I couldn’t log in to my own site.

www.tedunangst.com normally uses encryption to protect your information. When Google Chrome tried to connect to www.tedunangst.com this time, the website sent back unusual and incorrect credentials.

That’s mostly not wrong, although the “this time” is. The cert has never been fully trusted by chrome, but I click through because I’m a bad person. This time, however, there was no option to do so.

You cannot visit www.tedunangst.com right now because the website uses HSTS.

I mean, yes, I set the HSTS header, but that was with the same cert that chrome is now insisting can’t be trusted. Why in the world would you permanently store “must have trusted cert” on the basis of an untrusted cert?

I suppose this warning is too late to save anyone, but you can clear HSTS sites if necessary via chrome://net-internals/#hsts.
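As an added illustration (not code from this post or from Chrome): RFC 6797 tells a browser to ignore a Strict-Transport-Security header that arrives over a connection with TLS errors, and to offer no click-through on certificate errors for a host it already knows as HSTS. The model below implements those two rules; `HstsStore`, the `tlsErrors` flag and the host names are assumptions made for the example, and subdomain matching is left out.

```javascript
// Added example: a model of RFC 6797 processing, not Chrome's implementation.
// Parse a Strict-Transport-Security header value (RFC 6797 section 6.1).
// Returns { maxAge, includeSubDomains } or null if the header is invalid.
function parseSts(value) {
  const seen = new Set();
  let maxAge = null;
  let includeSubDomains = false;
  for (const raw of value.split(';')) {
    const part = raw.trim();
    if (part === '') continue;               // empty directives are allowed
    const eq = part.indexOf('=');
    const name = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    let arg = eq === -1 ? null : part.slice(eq + 1).trim();
    if (seen.has(name)) return null;         // a directive may appear only once
    seen.add(name);
    if (name === 'max-age') {
      if (arg === null) return null;
      arg = arg.replace(/^"(.*)"$/, '$1');   // quoted-string form is permitted
      if (!/^\d+$/.test(arg)) return null;
      maxAge = Number(arg);
    } else if (name === 'includesubdomains') {
      if (arg !== null) return null;         // valueless directive
      includeSubDomains = true;
    }                                        // unknown directives are ignored
  }
  return maxAge === null ? null : { maxAge, includeSubDomains };
}

class HstsStore {
  constructor() { this.hosts = new Map(); }  // hypothetical in-memory store
  // Section 8.1: only note the host when the response came over TLS with no errors.
  observe(host, { secure, tlsErrors }, headerValue, now) {
    if (!secure || tlsErrors) return 'ignored';
    const policy = parseSts(headerValue);
    if (policy === null) return 'ignored';
    if (policy.maxAge === 0) { this.hosts.delete(host); return 'removed'; }
    this.hosts.set(host, { expires: now + policy.maxAge * 1000, ...policy });
    return 'stored';
  }

  isKnown(host, now) {
    const entry = this.hosts.get(host);
    return entry !== undefined && entry.expires > now;
  }

  // Section 12.1: certificate errors on a known HSTS host get no click-through.
  canClickThrough(host, now) { return !this.isKnown(host, now); }
}
```

Under this model a header seen on a clicked-through connection never creates an entry, so the click-through option is lost only after the host has been seen once with a certificate the browser trusts.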

Posted 14 Apr 2017 18:59 by tedu Updated: 14 Apr 2017 18:59
Tagged: bugs rants web

openbsd changes of note 620

6.1 is old news.

Add 8265 and 3168 support to the iwm driver.

Zero some more kernel memory before use, to prevent padding leaks if the structures ever change.

Some changes to libtls. Allow retrieving the cert chain. This somewhat contradicts my original mandate for libtls that it not expose any gnarly X.509 details to the user, but certs are a fact of life and if you have to build a cert chain downloading tool, you’d want to use the cool API, no? Reality eventually corrupts all our dreams. Also, sneak peek, some adjustment to library internals to allow relayd’s privsep engine to work with libtls.

Give tmux clients names. There have been lots of small improvements to tmux over the past six months which haven’t seemed notable in isolation, but shoutout to all the little fixes, too.

Refinements to syslogd’s internal logging code. More consistency, less snowflake.

The neverending project to add sizes to free calls in the kernel is closer to ending.

64 bit bus address support for the msk driver, required for onboard nic in the Overdrive 1000 to work. And use MSI.

Quiesce sensors during suspend and resume so that callbacks aren’t running for detached drivers.

Introduce freezero to libc, a function that combines explicit_bzero and free, but in a potentially optimal way if the memory can be directly unmapped. Use it in a bunch of places.

Mention the installer bug that has the consequence that some users must remove a trailing /6.1 from the uri in the installurl file.

Posted 12 Apr 2017 16:27 by tedu Updated: 12 Apr 2017 16:27
Tagged: openbsd

openbsd changes of note 8

Wrapping up the best ever release.

Fix some bugs in scan_scaled. Add tests. Fix more bugs.

mandoc cgi mode redirects to better URLs.

Some fixes to vmd to handle control sockets and TTYs and reboot and other edge cases better.

Configure and apply the multitouch-tracking functions of wsmouse.

Convert some code here and there to using recallocarray.

Improve documentation for the jungle that is sysctl.

Too many use after free bugs in USB drivers, so, for release, revert memory synchronization change to usbdi.c that only works if code elsewhere is correct.

Import dhcrelay6, a DHCPv6 relay, for people living in the past in the future.

The pledge group “ioctl” has been split into a few more targeted permissions.

Add slaacd, a Stateless Address AutoConfiguration Daemon, for people living in the future in the present.

Audio fixes for azalia on Kaby Lake processors.

A great many fixes to vmd to support guests other than OpenBSD. With seabios support, the new default, even penguins can fly.

Fix a leak of stack contents in kernel exec functions.

Kernel W^X comes to arm64.

Add “(compatible with GNU linkers)” to the lld version output so that configure scripts which only look for magic strings work.

Implement a driver for Marvell’s XHCI controller found on some arm devices.

Merge Mesa 13.0.6.

TLS ticket support in httpd.

Add support for RFC4754 (ECDSA) and RFC7427 authentication to iked. Add support to reflect the responder IKEv2 COOKIE, as used by Azure.

Add signify public keys for syspatch for the current and next release.

Unlock tree, we are now hacking on 6.1-current.

Posted 05 Apr 2017 15:35 by tedu Updated: 05 Apr 2017 15:35
Tagged: openbsd