Threads for ciprian

  1. 8

    I generally strongly dislike the “falsehoods programmers believe…” genre of post because so few of them contain useful actionable advice (i.e., they’re all “these things are wrong”, with little or no “here’s something right or at least better that you could do instead”) and many of them don’t even bother to provide counterexamples to the “falsehoods” they’re calling out.

    This one is a step up from the usual in that the author has provided examples and taken the time to add suggestions for how to handle phone numbers in a better way.

    (though a common theme of all “falsehoods” articles is that complex things are actually complex, and that one-size-fits-all solutions neither fit all nor solve the problem, and very often the real correct answer is to determine which cases are appropriate for your software to handle, rather than trying to write something truly universal, because the only universal solution will be a freeform text field with no parsing or validation)

    1. 5

      The solution in this case is to use libphonenumber or one of its many ports.

      1. 4

        Yes, I think it is easy to miss this is a file in libphonenumber’s root.

        1. 1

          Indeed, though I agree edge cases are not falsehoods.

          If you happen to use FreeSWITCH: a while back I created this module, https://github.com/rtckit/mod_phonenumber

      1. 1

        Nice write-up; also looking forward to seeing the impact of fibers in async programming.

        1. 7

          Excellent article

          To get the collision to affect anything on GitHub, I needed to push it to the actions/docker repo. This posed a problem, because I didn’t have write access to the actions/docker repo. However, I realized I could get around that issue by forking the actions/docker repo and pushing a commit to my fork (since GitHub shares commits between forks and parent repositories).

          I wonder if other third-party systems (the likes of composer, npm etc.) could be vulnerable if they’re (ab)using short hashes rather than the entire hash.

          1. 2

            you know how when writing a business application you need to have a subject matter expert who actually knows what they are doing? Operations is exactly the same way.

            Amen

            1. 19

              Multiple of these are just the standard “I don’t understand floating point” nonsense questions :-/

              1. 5

                That doesn’t explain why a script language uses floating point as its default representation, let alone why that is its only numeric type.

                1. 4

                  JavaScript has decimal numbers now fwiw, though I agree. Honestly I’ve been convinced that IEEE floating point is just a bad choice as a default floating point representation too. I’d prefer arbitrary size rationals.

                  1. 2

                    Arbitrary size rationals have pretty terrible properties. A long chain of operations where the numerator and denominator are relatively prime will blow the representation up in size.

                2. 5

                  Indeed, same goes for the octal notation question (010 - 3 = ?)

                  1. 7

                    tbh the 010 octal format IS pretty awful. I don’t know what they were thinking putting that in C.

                    1. 5

                      well at least JS users have 0o10 - 0o5 now, if they find leading 0 octal notation to be confusing.

                      1. 3

                        Thanks for the note; I wasn’t aware of the ES2015 notation, and MDN is helpful as always.

                      2. 4

                        I mean if you want fun 08 is valid JS, and that’s absurd :) (it falls back to decimal, nothing could go wrong with those semantics)

                        1. 3

                          Amusing, I’ve seen people write PHP with leading 0s before. Newer PHP rejects it if there are invalid octal digits - fun! Putting the leading zeroes is common for people used to e.g. COBOL/RPG and SQL: business programming where they’ve never seen C.
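As an added example for the octal sub-thread (this is not code from the thread or from any commenter): it evaluates the literals mentioned above (`010`, `08`, `0o10`) exactly as the parser sees them in sloppy and in strict mode, shows what the string-to-number paths do with the same spellings, and ends with a strict decimal parser for untrusted input that refuses leading zeros rather than guessing. `evalLiteral`, `stringConversions` and `parseDecimalStrict` are names chosen here.

```javascript
// Added example: how JavaScript reads integer literals that start with 0.
// Legacy "010" is octal only in sloppy mode; "08" has a non-octal digit, so
// the engine silently falls back to decimal; "0o10" is the ES2015 form.
// Function() bodies are sloppy mode unless they opt in, so we use it to
// evaluate a literal exactly as the parser would see it in source code.
function evalLiteral(src, strict = false) {
  const body = (strict ? '"use strict"; ' : '') + 'return ' + src + ';';
  try {
    return new Function(body)();
  } catch (e) {
    // Strict mode rejects legacy octal and "08"-style literals at parse time.
    return e.name; // "SyntaxError"
  }
}

// Converting *strings* is a different path: neither Number() nor parseInt()
// applies the legacy octal rule, but Number() understands the 0o/0x/0b
// prefixes while parseInt() stops at the first non-digit.
function stringConversions(s) {
  return {
    number: Number(s),
    parseIntRadix10: parseInt(s, 10),
    parseIntNoRadix: parseInt(s),
  };
}

// For untrusted input, whitelist plain decimal digits and reject leading
// zeros outright: their meaning differs between languages (the thread notes
// PHP now errors on some of them), so an ambiguous spelling is an error here.
function parseDecimalStrict(s) {
  if (!/^-?(0|[1-9][0-9]*)$/.test(s)) {
    throw new RangeError('not a plain decimal integer: ' + JSON.stringify(s));
  }
  return Number(s);
}
```

Running `evalLiteral("010")` next to `evalLiteral("010", true)` is the quickest way to see why linters flag leading-zero literals: the same bytes mean 8 in one mode and are a syntax error in the other.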

                      3. 2

                        really? only like ~5 of the 25 appeared to be floating point related: 0.1 + 0.2, x/0 behavior, 0 === -0 and NaN !== NaN. Correct me if I’m wrong. Most of them seem to be about operators and what type of valueOf/toString behavior one gets when faced with such operators. The only two I got wrong were because I forgot +undefined is NaN and I was a bit surprised that one could use postfix increment on NaN (and apparently undefined?).

                        1. 2

                          Any arithmetic operation can be performed on NaN, but it always yields another NaN.

                          The undefined one is a bit weird but kinda makes sense, it is indeed not a number.

                          I actually think what’s weirder is how javascript will sometimes give you basically an integer. x|0 for example. The behavior makes a lot of sense when you know what it is actually doing with floating point, but it is still just a little strange that it even offers these things.

                          But again I actually think it is OK. I’m a weirdo in that I don’t hate javascript or even php.

                        2. 1

                          i don’t see where is the contradiction there. JS numbers are IEEE 64-bit floating point numbers, so any weirdness/gotcha in IEEE floating point is also a weirdness/gotcha in JS too

                          i know that many (most) languages also use floating point numbers by default, but that doesn’t make floating point gotchas any less weird, maybe just more familiar to already-seasoned programmers :)
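As an added example for the two comments above on `x|0`, NaN and `+undefined` (not code from the thread): `toInt32` implements the conversion that every bitwise operator applies to its operands, so its result can be compared against the engine's own `x | 0`, and `nanFacts` records the NaN and undefined behaviour the quiz asked about. Function names are chosen here; the conversion steps follow the ECMAScript ToInt32 rule.

```javascript
// Added example: what "x|0" actually does. Bitwise operators run ToInt32 on
// their operands: NaN and +/-Infinity become 0, the value is truncated toward
// zero, reduced modulo 2^32 and reinterpreted as a signed 32-bit integer.
// BigInt keeps the modulo exact for inputs far above 2^53.
function toInt32(x) {
  const n = Number(x);
  if (!Number.isFinite(n)) return 0;          // NaN, Infinity, -Infinity -> 0
  const TWO32 = 1n << 32n;
  let m = BigInt(Math.trunc(n)) % TWO32;      // BigInt % keeps the dividend's sign
  if (m < 0n) m += TWO32;                     // bring into [0, 2^32)
  if (m >= 1n << 31n) m -= TWO32;             // reinterpret as signed
  return Number(m);
}

// The same conversion, done by the engine via the operator the comment mentions.
function viaBitwiseOr(x) {
  return x | 0;
}

// NaN is absorbing: any arithmetic on it (postfix ++ included) yields NaN,
// and undefined is converted to NaN first, so +undefined and undefined++
// are NaN as well. Bitwise ops are the exception: they collapse NaN to 0.
function nanFacts() {
  let n = NaN;
  n++;                        // still NaN
  let u;                      // undefined
  const plusUndef = +u;       // NaN
  u++;                        // u becomes NaN
  return { afterIncrement: n, plusUndef, undefIncremented: u, nanOrZero: NaN | 0 };
}
```

The security-relevant consequence is that `x | 0` is a wrap, not a clamp: a length check performed on `n` and an index computed with `n | 0` can disagree once `n` is at or above 2^31.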

                        1. 0

                          Quite relatable

                          1. 2

                            Interesting front page with lots of ASCII animations; is there a software tool for it, or is it manually crafted?

                            1. 3

                              Turns out the software in question is monodraw

                              1. 2

                                The orange site has a comment thread about that, check there. Sorry, can’t link right now.

                              1. 8

                                @rui314 has been doing some pretty interesting projects recently (also mold: https://github.com/rui314/mold). Is this some fun retirement period they are enjoying?

                                1. 23

                                  Yes. After working for Google for 12 years, I decided to leave to pursue my personal interest.

                                  1. 7

                                    Your READMEs are excellent. I’ve never read any so captivating.

                                    1. 2

                                      ruiu, I’d love to be able to pre-order your compiler book or sign up for a mailing list (or follow an RSS feed) to let me know when it’s ready.

                                      1. 3

                                        The chibicc README has instructions on signing up for notifications.

                                      2. 2

                                        Hi @ruiu - quick question. Will your compiler send each phase to a separate process, or will the compiler be a single process?

                                        Just curious - no strong opinion on this.

                                        1. 2

                                          It’s a single process just like other compilers are.

                                        2. 2

                                          Remarkable, thanks for sharing your research

                                      1. 1

                                        Maddog was certainly a visionary …

                                        1. 1

                                          Very cool project. I do wonder what the advantage is compared to something like k3s or kubeadm. Both of those can have a cluster up and running in one or two commands.

                                          1. 1

                                            Each distribution is opinionated to an extent and reflects the problem(s) the authors are trying to address; that said, it surely has a lot of things in common with k3s; I also found this interesting read addressing k0s vs k3s.

                                          1. 4

                                            Isn’t this how Facebook’s Hack started out as well, before moving on to a JIT? Interesting how Facebook’s Russian competitor is doing the same years later.

                                            1. 2

                                              According to https://github.com/vk-com/kphp-kdb, they did this in 2009.

                                              1. 1

                                                You never know for sure, but the plan is that it’s always going to be AOT compiled and it’ll not become a completely different language like Hack.

                                                KPHP is a compiled (and quite strict) subset of PHP with some features like tuples that are easily emulated with kphp-polyfills in normal PHP.

                                                Developers use normal PHP during the development phase, so no KPHP VM is needed. When the code is deployed, it’s being compiled. It’s tempting to create your own language, but sometimes you need to limit your desires to stay practical. :)

                                                1. 1

                                                  Yep! Though according to the disclosure it has been used in production for a while. It is interesting to see a different take on this approach; personally I think JIT is the winner here but nonetheless it’s intriguing.

                                                  1. 1

                                                    Am I right in thinking that with PHP8 it will begin compiling hot areas of code to native in order to get the best performance? I remember there being an option with PHP7 to do something like that but it had to be switched on and configured.

                                                1. 2

                                                  So. How would you fix that? Make Application Level Gateways even smarter? That doesn’t sound right. :)

                                                  1. 2

                                                    On the browser side, once you’ve committed to multiple plaintext HTTP packets, unpredictably change their sizes so their content can’t be precisely controlled. It’s a performance hit, but a server can opt out of it by using HTTPS, which prevents the server from controlling the packet content. Web sockets have unpredictable browser-side masking to keep exactly this attack from happening, but it’s too late to do that for baseline HTTP.

                                                    1. 1

                                                      I’m highly doubtful this level of complexity will be acceptable for browsers to mitigate a niche attack. After all, NAT was never meant as a security boundary.

                                                      Disclaimer: I work on Firefox but not enough on networking to have any particular insights.

                                                      1. 4

                                                        This attack doesn’t look as if it’s actually specific to NAT. If I understand it correctly, any firewall that parses packets for protocols that advertise an inbound port in an outbound message and automatically opens inbound ports based on the contents would be vulnerable, whether NAT is involved or not. The real question for me is why firewalls are doing that. As I recall, SIP doesn’t need that functionality and FTP (the other protocol mentioned in the attack that does) has used passive mode (where the client initiates all connections) by default for 10-15 years in every client I’ve used.

                                                        As to what the browser can do about this, there are presumably only a handful of packet formats that routers are inspecting for this. A browser could quite easily inspect the outbound queue and forcibly fragment things in such a way that any packet that looks as if it might trigger one of these rules would be forcibly split so that the boundary was in the wrong place.

                                                        I’m not 100% convinced that it’s sufficient to do this only for HTTP: given that the attacker controls the server, they can probably give you a plaintext that encrypts to the desired packet format: during the symmetric flow, they just need to know the shared key and predict the nonce; they can then take the message that they want, decrypt it with the right IV, and send it to you, the client, which then sends it back, encrypted.

                                                        1. 1

                                                          I actually thought of the “encrypt it as a desired plain text” hack. Would be fun to pull off.

                                                          Browsers already implement a list of blocked ports. I’m suggesting we add 5060 to Firefox. We’ll see if that’s breaking other flows.

                                                          1. 1

                                                            Does that actually help? I don’t know enough about ALG, but as I understand the SIP thing it is detecting a specific pattern in the outbound packet that looks like a SIP message. FTP is the other protocol mentioned in the article, so you’d need to also block the FTP port for HTTP requests, because a packet that looks like it’s initiating an active-mode FTP transfer would also trigger the attack. There are probably other protocols that include this antipattern.

                                                            1. 1

                                                              Yup, ports for other plain text protocols are already mostly blocked. But this is a mitigation. Not the solution. See attached patch.

                                                              1. 1

                                                                I think the thing that I’m confused by is whether this is enough. Do the routers that do ALG things detect SIP-like packets on outbound port 5060, or do they detect SIP packets? If it’s the former, then this mitigation is useful. If it’s the latter, then the attack will still work if you move the server to port 5061.

                                                                1. 1

                                                                  I’m sure every firewall behaves differently. The full article quotes netfilter source code, which does require the port to be 5060. In particular, Samy is linking to https://github.com/samyk/linux/blob/29b0b5d56589d66bd5793f1e09211ce7d7d3cd36/net/netfilter/nf_conntrack_sip.c#L1676
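As an added example for the mitigation discussion above (this is not code from the thread, from Firefox, or from netfilter): a minimal egress policy check in the spirit of what the commenters propose, written as something a browser or outbound proxy could apply before sending a plaintext request. It refuses plaintext HTTP to ports the thread names as ALG-sensitive (5060 for SIP; the FTP control port) and flags bodies that begin with a SIP request line or an active-mode FTP `PORT` command, which is the kind of pattern the thread says ALGs match on. The port list and the sample bodies are constructed for this example; the check looks at the start of the body only, whereas a real ALG sees packet boundaries, so it is a policy aid, not a replacement for the port block.

```javascript
// Added example: an egress policy check modelling the two mitigations in the
// thread. Port list and regexes are a constructed policy, not a browser's
// real blocklist or netfilter's matching logic.
const ALG_SENSITIVE_PORTS = new Map([
  [5060, 'SIP'],          // the port the thread proposes adding to the browser blocklist
  [21, 'FTP control'],    // active-mode FTP, the other protocol the thread mentions
]);

// SIP request line: "METHOD sip:user@host SIP/2.0" followed by a line break.
const SIP_REQUEST_LINE = /^[A-Z]+ sips?:[^\s]+ SIP\/2\.0\r?\n/;
// Active-mode FTP PORT command: "PORT h1,h2,h3,h4,p1,p2".
const FTP_PORT_COMMAND = /^PORT (\d{1,3},){5}\d{1,3}\r?\n/;

// Returns a reason string if the body starts with something an ALG might
// parse as a protocol message, otherwise null.
function looksLikeAlgTrigger(body) {
  if (SIP_REQUEST_LINE.test(body)) return 'SIP request at start of body';
  if (FTP_PORT_COMMAND.test(body)) return 'FTP PORT command at start of body';
  return null;
}

// Returns null when the request may proceed, or a reason to deny/log it.
// HTTPS is left alone: the ALG cannot read the bytes, which is the opt-out
// the thread describes.
function checkOutbound({ scheme, port, body = '' }) {
  if (scheme !== 'http') return null;
  const proto = ALG_SENSITIVE_PORTS.get(port);
  if (proto) return `blocked: plaintext HTTP to ${proto} port ${port}`;
  const reason = looksLikeAlgTrigger(body);
  return reason ? `flagged: ${reason}` : null;
}

// Constructed sample requests for a quick run.
const SAMPLES = [
  { scheme: 'http', port: 5060, body: '' },
  { scheme: 'https', port: 5060, body: '' },
  { scheme: 'http', port: 8080, body: '{"ok":true}' },
  { scheme: 'http', port: 8080, body: 'REGISTER sip:user@example.test SIP/2.0\r\nVia: SIP/2.0/UDP example.test\r\n' },
  { scheme: 'http', port: 8080, body: 'PORT 10,0,0,5,19,137\r\n' },
];

function runSamples() {
  return SAMPLES.map(checkOutbound);
}
```

The split between the port check and the body check mirrors the open question in the thread: the port block is cheap and, per the netfilter code linked above, sufficient for that implementation, while the body check is what would be needed against an ALG that matches on content regardless of port.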

                                                          2. 1

                                                            I’m not 100% convinced that it’s sufficient to do this only for HTTP: given that the attacker controls the server, they can probably give you a plaintext that encrypts to the desired packet format: during the symmetric flow, they just need to know the shared key and predict the nonce; they can then take the message that they want, decrypt it with the right IV, and send it to you, the client, which then sends it back, encrypted.

                                                            Is there a strict correspondence between packets and TLS records (which have a record header, c.f. https://tls13.ulfheim.net/ )?

                                                            Otherwise, could the browser cheaply force a re-key for non-websockets when making a new request or when receiving a websocket packet or server side push? That’d prevent the server communicating knowledge of the existing client key to the server-controlled page on the client.

                                                            1. 1

                                                              Good point. Alternatively, the browser could also just use a cryptographically secure random number generator for the nonces (which it might be doing anyway), which would make guessing the plaintext that encrypts to a specific ciphertext impossible.

                                                          3. 3

                                                            NAT was never meant as a security boundary.

                                                            True, but at some point we need to acknowledge that it is being relied on as one in hundreds of millions of installations around the world.

                                                        2. 2

                                                          Are there really that many routers with ALG enabled? I’m genuinely surprised here. I worked in VoIP a long time ago, and the most common quick fixes were: disable ALG, and if that doesn’t work, create a separate VLAN for hardphones. But this was all business/enterprise router hardware, and I’ve not seen it much on consumer stuff.

                                                          1. 1

                                                            The size of the ALG-enabled router population is indeed questionable; however, some network appliances would not (at least explicitly) advertise ALG options, as is the case with ISP-supplied routers.

                                                          2. 1

                                                            Yeah, I’ve been trying to armchair that to little or no avail. My sole comfort is that I have a physically separated, policy routed net where one path is everything web and the other is things I care about and a data diode in. That’s not a solution for everyone.

                                                            1. 1

                                                              Don’t trust NAT to offer any protection to client devices… which has been always the advice.

                                                              1. 3

                                                                Fun challenge: find a piece of reasonable advice that has been ignored more than that one.

                                                              2. 1

                                                                I have a separate (network) interface for talking to services on my network (and it’s the one with the default route), and I simply don’t bind those services to the network interface I put on the Internet. This makes me immune to this attack even though I use NAT with no particular firewalling simply by having my workstation not enable IP routing.

                                                                Another trick is to VPN to your gateway. This usually gives you another (virtual) interface and if the Internet is down that way your workstation firewall can now trivially differentiate between “internet” traffic and “lan traffic from the router” (this makes the Windows firewall a lot more useful).

                                                                Another (workstation-specific) trick is to block Internet hosts access to anything but ephemeral ports. This nullifies the most dangerous forms of this attack. If your router doesn’t block source routed traffic for you, consider using the MAC address of your router as the selector since it and everything behind it likely doesn’t have any business talking to your machine on anything but ephemeral ports anyway.