
books chapter twelve

A week of cautionary tales.

more...

Posted 16 Sep 2017 03:31 by tedu Updated: 16 Sep 2017 03:31
Tagged: bookreview

openbsd changes of note 628

EuroBSDCon in two weeks. Be sure to attend early and often.

more...

Posted 07 Sep 2017 16:31 by tedu Updated: 07 Sep 2017 16:35
Tagged: openbsd

books chapter eleven

B it is.

more...

Posted 04 Sep 2017 20:13 by tedu Updated: 04 Sep 2017 20:13
Tagged: bookreview

yet another introduction to yacc

One of the great tools in the unix toolbox is yacc. Regrettably, the documentation can be somewhat weak. The OpenBSD man page covers command line options, but doesn’t even provide a reference to the grammar of the input file. For that, one must read Stephen Johnson’s paper, Yacc: Yet Another Compiler-Compiler. It’s pretty good, and there are some other tutorials out there, but perhaps it’s worth highlighting a few tips and tricks.

more...

Posted 30 Aug 2017 17:20 by tedu Updated: 30 Aug 2017 17:20
Tagged: openbsd programming

openbsd changes of note 627

The hackers, they thonned.

more...

Posted 28 Aug 2017 16:12 by tedu Updated: 28 Aug 2017 16:12
Tagged: openbsd

books chapter ten

Week X.

more...

Posted 26 Aug 2017 21:32 by tedu Updated: 26 Aug 2017 21:32
Tagged: bookreview

fifty years ago

Fifty years ago today, Burt Munro rode a motorcycle really really fast. Setting a world record that has stood for fifty years, working by himself on an ancient machine, required quite a bit of dedication. There’s a movie version of the story, The World’s Fastest Indian, which is perhaps a bit simplistic and of course dramatic, though still more or less accurately capturing the idea of perseverance. The real-life Munro was apparently quite a bit more difficult than the ever-cheerful Hopkins, but I suspect that helped too.

It’s a good reminder of what’s possible for someone who keeps working away at a problem. He didn’t have access to extravagant funding or other resources, but he found his niche and kept at it. Incremental progress over lots of time results in lots of progress. Try to make one thing a little bit better every day.

Posted 26 Aug 2017 19:08 by tedu Updated: 26 Aug 2017 19:08
Tagged: thoughts

books chapter nine

From card loaders to virtual servers.

more...

Posted 18 Aug 2017 17:13 by tedu Updated: 18 Aug 2017 17:13
Tagged: bookreview

books chapter eight

Smaller is better.

more...

Posted 12 Aug 2017 21:01 by tedu Updated: 12 Aug 2017 21:01
Tagged: bookreview

a repo upon the deep

In reference to arbitrary code execution in various source control programs. Refer to the svn advisory. Remember A Fire Upon the Deep?

There are some code archaeologists who dig up an artifact. They don’t know what it does, but it includes some instructions for how to unpack it. And so they follow the instructions. And they think they’re taking precautions to prevent it from doing bad stuff, but they screw up, and the evil AI is turned loose. And then bad stuff happens.

It’s funny how similar this is to today’s vulnerability. In theory, checking out a code repo should be a safe operation. All you’re doing is downloading some artifact from a server. Building the code, running the code, all that can be unsafe. But surely there’s no trouble in simply checking out some code?

Alas, a repo is not just a repo. Checking out a repo might require checking out other sub repos and external resources. And so a dumb read only artifact is actually a smart read/execute artifact. The artifact can’t be checked out without also interpreting some of its contents. And if interpreting happens to execute some unwanted shell commands... Bad stuff happens.

It’s a bug, and it’s fixed, but it’s another lesson that nothing is ever simple when adding features. What looks like just a hostname over here could be interpreted as a shell command over there.
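The last sentence is the whole defensive lesson: a field that is only supposed to hold a hostname gets handed to something that interprets it. Below is an added example, not code from the post, from svn, or from any other version control tool. It is a hypothetical loader for repository-supplied "externals" that refuses any host which is not a plain DNS hostname before the value goes anywhere near a command, and that builds an argv list rather than a shell string. The line format, the `CONSTRUCTED_EXTERNALS` sample, the `fetch` subcommand and the use of `--` (which relies on the invoked program stopping option parsing at `--`, as getopt-based tools do) are all assumptions made for the example.

```python
import re

# Constructed sample externals, shaped like lines a checkout tool might read
# from a repository's own metadata. The first is benign; the other two have a
# "host" field that is not a hostname at all, which is the failure mode the
# post describes. None of these refer to real repositories.
CONSTRUCTED_EXTERNALS = [
    "deps/libfoo ssh://git.example.org/libfoo",
    "deps/libbar ssh://-not.a.host/libbar",
    "deps/libbaz ssh://host.example.org;id/libbaz",
]

# RFC 1123-style hostname: labels of letters, digits and hyphens that neither
# start nor end with a hyphen, joined by dots. Anything else is refused, so an
# option-looking or shell-metacharacter-carrying value never reaches a command.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*\.?$")


def is_valid_hostname(host: str) -> bool:
    """Return True only if host is a plain DNS hostname (no options, no shell syntax)."""
    return 0 < len(host) <= 253 and bool(_HOSTNAME_RE.fullmatch(host))


def parse_external(line: str) -> tuple[str, str, str]:
    """Split 'path ssh://host/repo' into (path, host, repo), validating each field.

    Raises ValueError for anything that does not look exactly like the format
    this hypothetical tool documents. The repository controls this text, so
    every field is treated as untrusted input.
    """
    path, url = line.split(maxsplit=1)
    scheme, _, rest = url.partition("://")
    if scheme != "ssh":
        raise ValueError(f"unsupported scheme: {scheme!r}")
    host, _, repo = rest.partition("/")
    if not is_valid_hostname(host):
        raise ValueError(f"refusing external with non-hostname host: {host!r}")
    if not repo or repo.startswith("-"):
        raise ValueError(f"refusing external with suspicious repo path: {repo!r}")
    return path, host, repo


def safe_argv(host: str, repo: str) -> list[str]:
    """Build the command as an argv list: no shell is involved, and '--' marks the
    end of options so the host can never be read as a flag (assumed getopt behaviour)."""
    return ["ssh", "--", host, f"fetch {repo}"]


def check_externals(lines: list[str]) -> tuple[list[tuple[str, str, str]], list[tuple[str, str]]]:
    """Return (accepted externals, rejected (line, reason) pairs) for a list of externals."""
    accepted, rejected = [], []
    for line in lines:
        try:
            accepted.append(parse_external(line))
        except ValueError as exc:
            rejected.append((line, str(exc)))
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = check_externals(CONSTRUCTED_EXTERNALS)
    for path, host, repo in ok:
        print("would run:", safe_argv(host, repo), "into", path)
    for line, reason in bad:
        print("rejected:", line, "->", reason)
```

The two pieces reinforce each other: validation guarantees the host is only ever a hostname, and the argv form guarantees that even a value which slipped through would reach the program as one argument rather than as shell syntax. Either alone leaves the gap the post is describing.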

Posted 10 Aug 2017 19:38 by tedu Updated: 10 Aug 2017 19:38
Tagged: security software