Another way to isolate untrusted media players is to run them in a virtual machine. I was joking with mlarkin that if he’s run out of things to work on, he can add audio emulation to vmd. But of course, this is actually pretty easy to do (playing sounds, not emulating audio), thanks to network support in sndiod.

The setup is fairly easy. To export the audio device on the host side, run sndiod. Or kill and restart, or whatever.

sndiod -L 10.1.0.19

On the guest side, specifying the audio device can vary by program, but the default can be set via environment variable.

env AUDIODEVICE=snd@10.1.0.19/0 mpg123 song31.mp3

And with that...

BSD fight buffer reign
Flowing blood in circuit vein
Quagmire, Hellfire, RAMhead Count
Puffy rip attacker out.

Catching up to current.

more...

MP3 is officially dead, so I figure I should listen to my collection one last time before it vanishes entirely. The provenance of some of these files is a little suspect however, and since I know one shouldn’t open files from strangers, I’d like to take some precautions against malicious malarkey. This would be a good use for pledge, perhaps, if we can get it working.

more...

Documentation is good, so therefore more documentation must be better, right? A few examples where things may have gotten out of control.

more...

More stuff, more fun.

more...

A few thoughts I had after reading Exploiting the Linux kernel via packet sockets. Not really about the exploit itself, but what it reveals about the state of systems security.

more...

Long story short, printing on a chromebook is still fucked, and now the incompetent dickheads who write drivers for HP have made things worse. With time and effort, however, one can still repair the damage. Writing this up in case somebody finds it useful, and because I have little doubt I’ll be referring to it again in the near future.

First, the problem: printing from a chromebook to a local network printer no longer works. There is an extension that used to make this possible. If one reads the reviews, one will quickly notice the many, many one star reviews saying that it doesn’t work. In particular, it used to work, but after the March 20 update it completely unhelpfully and uselessly does nothing but say “Printing unsuccessful”. That was more than a month ago. The rockstar talent at HP is apparently on tour and too busy to fix this.

Here’s the insane workaround. First we need the old version of the extension. Obviously Google will never let us have it, but there’s an archive site. Here’s the previous print extension. Download that. Rename the file to zip. Create a new folder and extract the contents of the zip file. Rename the _metadata folder to not_metadata. Open the chrome extensions panel. Delete the old HP Print extension. Flip into developer mode. Add an unpacked extension. Add back the printer IP address and rejoice.

For bonus fun, talk your mom through this procedure over the phone.

Some thoughts based on a series of tweets.

more...

Updated to chrome and noticed I couldn’t login to my own site.

www.tedunangst.com normally uses encryption to protect your information. When Google Chrome tried to connect to www.tedunangst.com this time, the website sent back unusual and incorrect credentials.

That’s mostly not wrong, although the “this time” is. The cert has never been fully trusted by chrome, but I click through because I’m a bad person. This time, however, there was no option to do so.

You cannot visit www.tedunangst.com right now because the website uses HSTS.

I mean, yes, I set the HSTS header, but that was with the same cert that chrome is now insisting can’t be trusted. Why in the world would you permanently store “must have trusted cert” on the basis of an untrusted cert?

I suppose this warning is too late to save anyone, but you can clear HSTS sites if necessary via chrome://net-internals/#hsts.

6.1 is old news.

Add 8265 and 3168 support to the iwm driver.

Zero some more kernel memory before use, to prevent padding leaks if the structures ever change.

Some changes to libtls. Allow retrieving the cert chain. This somewhat contradicts my original mandate for libtls that it not expose any gnarly X.509 details to the user, but certs are a fact of life and if you have to build a cert chain downloading tool, you’d want to use the cool API, no? Reality eventually corrupts all our dreams. Also, sneak peak, some adjustment to library internals to allow relayd’s privsep engine to work with libtls.

Give tmux clients names. There have been lots of small improvements to tmux over the past six months which haven’t seemed notable in isolation, but shoutout to all the little fixes, too.

Refinements to syslogd’s internal logging code. More consistency, less snowflake.

The neverending project to add sizes to free calls in the kernel is closer to ending.

64 bit bus address support for the msk driver, required for onboard nic in the Overdrive 1000 to work. And use MSI.

Quiesce sensors during suspend and resume so that callbacks aren’t running for detached drivers.

Introduce freezero to libc, a function that combines explicit_bzero and free, but in a potentially optimal way if the memory can be directly unmapped. Use it in a bunch of places.

Mention the installer bug that has the consequence that some users must remove a trailing /6.1 from the uri in the installurl file.