A week of cautionary tales.

more...

EuroBSDCon in two weeks. Be sure to attend early and often.

more...

B it is.

more...

One of the great tools in the unix toolbox is yacc. Regrettably, the documentation can be somewhat weak. The OpenBSD man page covers command line options, but doesn’t even provide a reference to the grammar of the input file. For that, one must read Stephen Johnson’s paper, Yacc: Yet Another Compiler-Compiler. It’s pretty good, and there’s some other tutorials out there, but perhaps it’s worth highlighting a few tips and tricks.

more...

The hackers, they thonned.

more...

Week X.

more...

Fifty years ago today, Burt Munro rode a motorcycle really really fast. Setting a world record that has stood for fifty years, working by himself on an ancient machine, required quite a bit of dedication. There’s a movie version of the story, The World’s Fastest Indian, which is perhaps a bit simplistic and of course dramatic, though still more or less accurately capturing the idea of perseverance. Real life Munro was apparently quite a bit more difficult than the ever cheerful Hopkins, but I suspect that helped too.

It’s a good reminder of what’s possible for someone who keeps working away at a problem. He didn’t have access to extravagant funding or other resources, but he found his niche and kept at it. Incremental progress over lots of time results in lots of progress. Try to make one thing a little bit better everyday.

From card loaders to virtual servers.

more...

Smaller is better.

more...

In reference to arbitrary code execution in various source control programs. Refer svn advisory. Remember A Fire Upon the Deep?

There’s some code archaeologists who dig up an artifact. They don’t know what it does, but it includes some instructions for how to unpack it. And so they follow the instructions. And they think they’re taking precautions to prevent it from doing bad stuff, but they screw up, and the evil AI is turned loose. And then bad stuff happens.

It’s funny how similar this is to today’s vulnerability. In theory, checking out a code repo should be a safe operation. All you’re doing is downloading some artifact from a server. Building the code, running the code, all that can be unsafe. But surely there’s no trouble to simply checking out some code?

Alas, a repo is not just a repo. Checking out a repo might require checking out other sub repos and external resources. And so a dumb read only artifact is actually a smart read/execute artifact. The artifact can’t be checked out without also interpreting some of its contents. And if interpreting happens to execute some unwanted shell commands... Bad stuff happens.

It’s a bug, and it’s fixed, but another lesson that nothing is ever simple when adding features. What looks like just a hostname over here could be interpreted as a shell command over there.