1. 3

    If I can get some dedicated time, I’m planning to start implementing write support in this project: https://github.com/libyal/libpff

    I need to be able to merge Outlook PST files in a programmatic fashion. libpff only supports reading PST files, not writing. This is part of a privacy tech tool I’m writing, horribly named The Migrationator.

    1. 3

      Thank you so much for this, especially the binaries! Due to the acquisition of my employer, my newly-assigned Win10 system forces the screensaver at five minutes at idle. Your simple, but elegant, solution should work just fine for me (I hope) and I appreciate the efforts. :)

      1. 2

        Bit off-topic, but: I understand that you suffer with such miserable OS, but the policies and measures like this one make some sense and you might be made responsible if you circumvent the policy and something happened. If I would be e.g. reading a documentation for a several minutes without moving mouse or pressing a button, I might use such utility, but I would not leave it turned on permanently. If someone misuses your computer, it would be your fault.

        1. 2

          Of course. But when I switch between several systems for different tasks in my locked office, it makes sense to use a tool like this, else I have to remember to flick the mouse myself every four minutes and fifty-nine seconds. It takes several minutes to login to these systems, too. :/

          1. 2

            Several minutes!?

      1. 1

        An interesting observation regarding using commit hash as version, as demonstrated in the command-line:

        hbsd-dev-laptop[shawn]:/home/shawn/tmp $ git init test.git
        Initialized empty Git repository in /usr/home/shawn/tmp/test.git/.git/
        hbsd-dev-laptop[shawn]:/home/shawn/tmp $ cd test.git
        hbsd-dev-laptop[shawn]:/home/shawn/tmp/test.git $ touch file1
        hbsd-dev-laptop[shawn]:/home/shawn/tmp/test.git $ git add file1
        hbsd-dev-laptop[shawn]:/home/shawn/tmp/test.git $ git commit -m "initial commit"
        [master (root-commit) ff1c2c6] initial commit
         1 file changed, 0 insertions(+), 0 deletions(-)
         create mode 100644 file1
        hbsd-dev-laptop[shawn]:/home/shawn/tmp/test.git $ git log|cat
        commit ff1c2c64ed5aacf91c94c86ac058167d3729ddbd
        Author: Shawn Webb <shawn.webb@hardenedbsd.org>
        Date:   Sat Dec 21 01:58:33 2019 -0500
        
            initial commit
        hbsd-dev-laptop[shawn]:/home/shawn/tmp/test.git $ git tag -a ff1c2c64ed5aacf91c94c86ac058167d3729ddbd -m "ff1c2c64ed5aacf91c94c86ac058167d3729ddbd"
        hbsd-dev-laptop[shawn]:/home/shawn/tmp/test.git $ git describe
        ff1c2c64ed5aacf91c94c86ac058167d3729ddbd
        hbsd-dev-laptop[shawn]:/home/shawn/tmp/test.git $ git tag
        ff1c2c64ed5aacf91c94c86ac058167d3729ddbd
        hbsd-dev-laptop[shawn]:/home/shawn/tmp/test.git $ touch file2
        hbsd-dev-laptop[shawn]:/home/shawn/tmp/test.git $ git add file2
        hbsd-dev-laptop[shawn]:/home/shawn/tmp/test.git $ git commit -m "blargh"
        [master f568378] blargh
         1 file changed, 0 insertions(+), 0 deletions(-)
         create mode 100644 file2
        hbsd-dev-laptop[shawn]:/home/shawn/tmp/test.git $ git describe
        ff1c2c64ed5aacf91c94c86ac058167d3729ddbd-1-gf568378
        hbsd-dev-laptop[shawn]:/home/shawn/tmp/test.git $ git show ff1c2c64ed5aacf91c94c86ac058167d3729ddbd
        warning: refname 'ff1c2c64ed5aacf91c94c86ac058167d3729ddbd' is ambiguous.
        Git normally never creates a ref that ends with 40 hex characters
        because it will be ignored when you just specify 40-hex. These refs
        may be created by mistake. For example,
        
          git switch -c $br $(git rev-parse ...)
        
        where "$br" is somehow empty and a 40-hex ref is created. Please
        examine these refs and maybe delete them. Turn this message off by
        running "git config advice.objectNameWarning false"
        commit ff1c2c64ed5aacf91c94c86ac058167d3729ddbd (tag: ff1c2c64ed5aacf91c94c86ac058167d3729ddbd)
        Author: Shawn Webb <shawn.webb@hardenedbsd.org>
        Date:   Sat Dec 21 01:58:33 2019 -0500
        
            initial commit
        
        diff --git a/file1 b/file1
        new file mode 100644
        index 0000000..e69de29
        
        1. 2

          I’m now effectively the acting Director of IT for my business unit of around 200 peeps. This week will be comprised of:

          1. Migrating our data out of Google into our own self-hosted services. Already a multi-week effort. Won’t complete it this week, but hoping to finish pulling down email. The tool I’m writing for this is open source
          2. build-a-bsd
          3. Internal tech support.
          4. The usual pissing off of human rights violators.
          1. 7

            Would love to read it, but it requires a Google login.

            1. 6

              Turns out it all was an elaborate trolling scheme…

              1. 2

                Haha. I’m pretty sure you’re joking, but just in case:

                My employer (G2, Inc) was acquired by Huntington Ingalls Industries (HII). G2 uses G Suite while HII uses self-hosted Exchange. I’m tasked with migrating the entirety of G2 away from all Google services to HII’s self-hosted versions. This poorly-named tool is what’s coming out of that work.

            1. 2

              Clever approach. I wonder if this can be (or already has) spread to other OS’s.

              1. 4

                After the ASLR so useful addition, next in the series of the buzzword-compliant checkboxes is the stack addresses randomization.

                sigh

                Considering the goal of randomizing the addresses of strings and main thread initial frame, moving the main stack area in the address space is not feasible.

                Yet again, HardenedBSD proves this to be false. We’re the only BSD to truly randomize the top of the stack. By combining randomized stack top with a random stack gap, HardenedBSD is able to introduce 41 bits of entropy into the stack.

                1. 3

                  I’ll be monitoring the first test run of an open source tool I’m writing at $DAYJOB. We’re de-Google-ifying our entire business.

                  I’m also working on helping OPNsense adopt HardenedBSD 12.1. I need to validate merge conflict resolutions.

                  1. 4

                    <comment type="snarky">I’m starting to wonder if we need a new tag: intel_cpu_microarchitectural_vulnerability_announcement</comment>

                    1. 5

                      I want to take my puppy, Vader, to Patapsco State Park and spend the whole day there, hacking on HardenedBSD in the wilderness while Lord Vader sleeps next to me.

                        1. 1

                          I remember a discussion you and I had here about the concept of data being nothing more than code of a different nature. For some reason, I’m unable to find that discussion. Do you remember which thread that was?

                          1. 2

                            It came up in this one. Wait, that one was data integrity vs CFI. Prolly not it.

                            Edit: Couldn’t find it with a variety of terms. Ability to limit search to specific users’ comments and stories would go so far here and in other situations.

                            1. 2

                              Almost. Thanks for looking! I’m glad that it’s harder to find than I myself had anticipated. I’m not legally insane… yet. ;-P

                              1. 1

                                The search engine is just really bad. Helped me enough that Im still grateful to whoever put the time into it. Just really limited.

                                Also, if you add a name, it looks for mentions with @, not authorship. Just adding that in case it saves you time.

                        1. 1

                          Really good timing for this article. Thank you so much! I plan to start work on setting up centralized auth for all of HardenedBSD’s infrastructure within the next week or two.

                          1. 17

                            I haven’t slept in three days. I’m hoping to sleep. A lot.

                            1. 2

                              Best of luck getting your sleep! You deserve it :)

                              1. 2

                                Turns out, my brain decided to forget we’re getting new windows installed at home first thing Saturday morning.

                                I’m reminded of a phrase by a good friend of mine who passed away around 15-ish years ago: “sleep is for the dead.”

                                1. 1

                                  Jeez. Do you have insomnia or did you have some kind of emergency… that lasted for 72 hours?

                                  1. 3

                                    For a period of two to three weeks every six months, I get huge bouts of insomnia. Worst I’ve had is six days without solid sleep. At around the 90 hour mark, I start micro-sleeping throughout the day/night: periods of 2-5 minutes where I space out.

                                    1. 2

                                      I used to have insomnia issues due to anxiety, although not nearly that bad (1 or 2 days at a time). I finally got it under control when I started going to the gym a few days a week and going to yoga once a week (the less intense ones that emphasize breathing, Hatha or Anusara). Might not work for everyone.

                                1. 5

                                  Things I’d like to accomplish this week:

                                  1. Perform maintenance of the following servers: amd64 package build server; binary update build server.
                                  2. Attempt to determine why our ThunderX2 is not booting HardenedBSD 13-CURRENT/arm64.
                                  3. Surprise my wife with a few strategically-placed love notes.
                                  4. Build out more infrastructure for the BSD security working group the HardenedBSD Foundation is spearheading. Get a gitea server online.
                                  5. My wife and I started taking a free course offered through our congregation on becoming self-reliant through personal and familial financial planning and preparation. We started week two on Sunday and I’m hoping to work through some of the material.
                                  6. Deploy more HardenedBSD VMs at NIST.
                                  7. More that I’m forgetting due to a migraine I’m currently experiencing.

                                  Putting on the “HardenedBSD Cofounder” hat due to mixing official HardenedBSD stuff with personal stuff in the list above.

                                  edit[0]: grammar

                                  1. 7

                                    Surprise my wife with a few strategically-placed love notes.

                                    That’s what I’m talking about! One guy I knew had the love notes hanging off strings where they would bump into her face at key moments of her leaving the bedroom to start her morning routine. Hallway, kitchen, living room… randomly. She’d be like “Wtf!?,” grab the thing, focus to read it, and it make her day. Became a routine part of their lives, but a good routine.

                                  1. 3

                                    So, ASLR on OpenBSD isn’t really ASLR?

                                    1. 1

                                      If you like internet fights: correct, it’s not

                                      1. 3

                                        I didn’t ask to cause a fight. I asked because I want to know. Is there a technical reason or is it just because it doesn’t follow the PaX model? Is that reason enough? Is it because it doesn’t use the same deltas or because it uses none? Is it just a naming issue? The difference between ASR and ASLR have been briefly explained to me before in another comment here. However, that was in reference to FreeBSD’s rather recent implementation. There’s also this: https://hardenedbsd.org/content/easy-feature-comparison which is from the author but that means he’s not being consistent. Is there a reason for that? Maybe just an oversight? New information? I’m very curious about this. I have a very basic understanding of these things and maybe I’m just overlooking something that I should have picked up on. Here’s the other comment: https://lobste.rs/s/curktg/implement_address_space_layout#c_aok28i

                                        1. 3

                                          PaX introduced ASLR, and in that sense it had a specific meaning. It has since then been used to refer generically to various sorts of allocation address randomization. In a claim about ASLR the specific implementation is unclear, absent additional context.

                                          About two decades ago PaX ASR had performance and fragmentation concerns (on i386 Linux) which were addressed by PaX ASLR. However, those concerns are not necessarily applicable to other operating systems on contemporary 64-bit processors in today’s context.

                                          1. 1

                                            Yep. This all makes sense. The explanation about the difference between ASR and ASLR makes sense too. Though I’d never seen the term ASR mentioned before or by anyone else. However, it does seem as though OpenBSD uses some of those deltas or maybe ones that aren’t in line with the PaX model. Looking here: http://inertiawar.com/openbsd/hawkes_openbsd.pdf which is old and specific to OpenBSD 3.9 (i386) but still seems to imply that there’s the randomized stack top + randomized stack gap.

                                          2. 2

                                            I need to update the feature comparison page such that the mouse hover text mentions ASR rather than ASLR for OpenBSD. Thanks for the reminder!

                                            1. 3

                                              I reckon OpenBSD should update their innovations page as it specifically mentions ASLR also.

                                              https://www.openbsd.org/innovations.html

                                      1. 5

                                        After starting the weekend presenting at vBSDcon earlier today, I’ll be working on building the infrastructure for the new collaborative call for participation mentioned in the slides.

                                        1. 2

                                          Full disclosure: I haven’t recursively crawled the site, grepping it for the word “universal”.

                                          After a few minutes (around ten) of looking around the site, I can’t find anywhere on the site where Debian officially quantifies or defines the word “universal”.

                                          If it’s CPU architecture support, I don’t think any Linux distro comes close to NetBSD. Granted, I kinda stopped paying attention to Linux over a decade ago.

                                          1. 1

                                            Anyone else getting an SSL/TLS error? https://imgur.com/a/nVxZqVM

                                            1. 4

                                              I’ll be backporting FreeBSD’s ASR work into HardenedBSD 12-STABLE such that HardenedBSD’s ASLR implementation is preferred over FreeBSD’s ASR.

                                              1. 4

                                                Kill it with fire.

                                                1. 3

                                                  Might help to say why.

                                                  1. 9

                                                    Wait, so you’re gonna make me explain myself? How dare you! ;-P

                                                    Just kidding.

                                                    Now that llvm is becoming more and more mature, I’d love for the entirety of the OS to be self-hosted with llvm across all supported architectures. FreeBSD has a mechanism for an “external compiler toolchain”–meaning, a compiler toolchain installed via ports/pkg (or otherwise).

                                                    FreeBSD will need to continue with the notion of an external toolchain at least until llvm gains support for those architectures where an external toolchain is already required. Regardless of llvm’s architectural support (or lack thereof), having a notion of an external toolchain allows toolchain developers to experiment on the OS from a compiler perspective from outside the actual OS source code tree–especially important for OSes like the BSDs that keep a notion of a basic userland tightly coupled with the kernel.

                                                    This is all background info to say: there is really no need for gcc in base, especially given the existing capability to rely on an external toolchain when needed. Therefore: kill gcc with fire.

                                                    1. 8

                                                      Basically GCC is fine, GCC 4.2.1 that’s been obsolete for a decade isn’t.

                                                      1. 6

                                                        GCC 4.2.1 is the last gcc under GPLv2, all newer versions are GPLv3. That’s why most BSD’s stayed on 4.2.1 until clang/llvm became the compiler of choice.

                                                        1. 2

                                                          I should’ve prefaced my response to say that my beliefs don’t necessarily reflect those of the FreeBSD project’s. From someone on the outside who has been paying attention, it just seems natural to retire gcc 4.2.1 in base in favor of the external toolchain capability.

                                                          1. 1

                                                            No worries, just adding a bit of clarification.

                                                        2. 0

                                                          So, anyone want to speculate how GPL lost the mindshare war here?

                                                          If GCC were good, people would use it. And GPL would have a foothold.

                                                          Clang being BSD = major blow to GPL.

                                                          1. 8

                                                            BSD people like to use software with BSD licenses?

                                                            1. 4

                                                              GCC was good. People did use it. And then Apple poured incredible resources into Clang so they could exert more control over their platform, resulting in Clang becoming a viable alternative to GCC.

                                                              1. 3

                                                                I agree, and GCC was also the compiler who has basically killed an industry of crappy proprietary vendor C compilers by supporting C reasonably well and generating code for all kinds of platforms.

                                                                That said, the competition from Clang was a very good thing for GCC as well. So in the end, everybody is better off: both GCC for improving due to pressure from Clang and the BSDs for finally having a compiler with a license they like.