this is bait. do not execute a random obfuscated python script.
oh ja, that’s for sure. Don’t execute random anything, but the style is definitely written to mimic the various tools we see in the space at the very least.
I think my fav comment to this was responding to the “my ssh tool is too dangerous to release” thing; definitely going for the “we have an internet badass over here” direction, even if unintentionally.
It’s odd, the author says that the tool is too dangerous to release but then they released it anyway
in the past that was often done for “cred,” to make things look more bad ass than they actually were. Here I have no idea, but it came across as silly to me.
Is it trustworthy? Or is it just another kind of clickbait? (I know nothing about networking and these claims look incredibly significant, so… I would be pleased if someone can confirm this)
so, it’s of the style of various IoT botnet scanners/hackers we’ve seen in the skiddie space, so even if from a strange source, it’s definitely fitting of the style of tools you’ll see, usually prefaced with PRIV8PRIV8PRIV8PRIV8PRIV8 or gr33tz 2 mah krew sirPWN, leetjar, ....
gr33tz 2 mah krew sirPWN, leetjar, ...
Furthermore, as someone who works in the penetration testing & adversarial simulation (aka “red team”) space, nothing of the document is terribly surprising: many places rely on terribly-configured infrastructure, there’s a lot of garbage floating around in networks, and teams very often take a “we don’t have money to fix that” approach to security. For example, I’ve had more clients than I care to count receive report after report detailing high or critical findings à la NIST 800-30, and yet claim to not have money for the same. I mean simple things like “sshv1 running on all internal routers” or “world-readable anonymous FTP server contains sensitive client information.”
I’ve discussed this with colleagues in the space and the general consensus is one of malaise; everyone knows this to be the case, but no one really cares. What impact did Equifax have? None, no one even thinks about these things anymore. Businesses write off these risks via Risk Acceptance, and move on. The government is more concerned about critical infrastructure, but that is a double-edged sword (and I say that as someone who used to work in gov).
tl;dr: even if not credible, the source is relatively spot on with similar “posts from the underground,” and no one really cares, because so much is broken, but businesses often can just accept the risk and move on.
I worked at a small business oriented ISP/web hosting company from around 2003 to 2010. What I remember was getting a “security audit” once that was 500 pages of crap like “OH MY GOD YOU HAVE PING ENABLED! DO YOU KNOW PEOPLE CAN FIND THOSE COMPUTERS?” and “OH FOR XXXX SAKE YOU’RE RUNNING DNS DO YOU KNOW HOW HORRIBLE THAT IS THAT PEOPLE CAN FIND YOUR COMPUTERS?” to even “XXXXXXXXXXXX YOU’RE RUNNING A WEB SERVER! ANONYMOUS PEOPLE CAN ACCESS THIS COMPUTER YOU XXXXXXX XXXXNUT!” Yeah, hard to take seriously page after page of “just cut the network cables if you want to be safe” crap.
So here’s how I would respond to the “OH XXXX YOU HAVE SSHv1 ON INTERNAL ROUTERS!” claim—“Hey boss, we need to upgrade all our Cisco routers.”
“Do you have $NNNNNN to upgrade the infrastructure?”
“You’re the one with the money.”
“Do the best that you can. I’m dealing with customers that are late with their payments.”
We were buying equipment on the second hand market because we couldn’t afford to deal directly with Cisco. So, for the sake of the Internet, we’re supposed to shut down and go quietly into the night? But in the meantime, I just restricted SSH (when we got SSH on the routers—early on we were stuck with TELNET) to only accept connections from known hosts.
Oh ja, I’m not surprised at all by this either. For every good pentester I know, there are dozens or more of ZOMG LE TOOL SAYS YOU HAS 0DAY. Honestly, the infosec industry is one of shills, and the infosec community is one of hero worshipping cliques. It’s pretty rough at times to be a simple professional.
Wrt your example of SSHv1, the overall risk for me would depend on what other environmental controls are in place. For example, I worked at an ISP that had all management interfaces exposed only to a special administration VLAN for routers. So, the likelihood in that case would be very low; an attacker would either have to transit multiple security boundaries and launch a fairly noisy attack, or it would have to be a malicious internal attacker who would likely already have legitimate access to those same devices. The impact is high regardless because this could impact core business functionality. Very low x High = low, please fix it during your next upgrade cycle.
And that’s my problem with the “hah! they should have just patched everything!” mentality: people don’t have the $ or time to take infrastructure down. I mean, good heavens, Equifax blamed one person… clearly that’s a sign of a dysfunctional org if you’ll ever see one.
make bbs, give it some hype as solving business communication problems, sell to enterprise. become rich.
Worked for slack and irc.
make bbs, give it some hype as solving business communication problems, sell to enterprise. become rich.
This is how Citadel the BBS became Citadel/UX.
Ok, I see where you’re going with this. They did update it into groupware. I don’t think it’s quite what @ac had in mind with Slack/IRC reference, though. The Citadel page…
…shows a UX that’s quite different from the chat-oriented BBS with chat being just one feature among many on the bottom. Whereas, Slack is much like IRC in that it centers on chat, it happens in chat rooms, and the extended features or UX is all about supporting that. That’s the core experience.
If done for BBS’s, the new service would have to create the BBS experience in useful way. It would have to present the services in a nice-looking textual UI or graphic one with similar style. The system should have easy navigation with keyboards. It should support web access. The product or project should have a thriving community. It needs notifications for whatever happens in its space. It should… oh wait, someone already did something like that:
Now, just need to re-target such a proven method to new business needs in a market that would tolerate terminal apps. Maybe the mainframe migration market or something P2P/Owncloud-style involving dirt-cheap computers (eg Pi’s) needing bloatfree apps. Start with Mastodon in a BBS. Ok, kidding aside, I’m still giving @jcs credit for a modern BBS app that was both fun and useful given Lobsters community does useful things. If being real about it, I’d prefer an API so native apps can connect to it as an alternative to web UI. Might already have one…
To be honest, the lobste.rs code would be a good start for a bulletin board within orgs.
Most people just can’t deal with a threaded conversation view. Most popular forums have a flat reply structure.
I do find them easier to follow if few to no tangent discussions. Especially if reply automatically adds parent’s name, timestamp, and/or a link back. Even anon’s can be differentiated that way.
Well I like threaded conversations too, and granted, they’re not that un-prevalent (Reddit is a huge site that uses them). But I bet if you’d ask there’s a large proportion of Reddit’s users who’d prefer a flat structure. I have absolutely no proof though!
FWIW the monstrosities that are “corporate intranets” generally ape the most popular format - one hopes it’s because there’s been market research done on what people prefer.
Actually, Citadel has builtin IRC-like chat: http://www.citadel.org/doku.php/documentation:appproto:im
But yes, it’s groupware, of the very old variety, but it went directly from BBS -> Corporate Groupware with all the functions we’d expect: mail, chat, search, “portals,” and so on. That’s exactly what made me think that the model is viable, since the thing is still around, alive, and kicking :)
edit: just to extend, I think it could very easily be made to support such things, or as @ac says, lobste.rs itself could be an interesting model for the same.
And I agree, a modern BBS would be useful, replete with things like Fido and the like, esp. if they can be anonymous & private. Usenet, DEC NOTES, &c. could all be useful models in the right environment; I’ve thought about & experimented with the same atop Gopher, SMAP, &c. It’s a fun model for experimentation.
edit 2 to expand even further, I’d love something that could do:
News, chat, mail, and simple other services would be pretty nice with decent encryption (Noise + decent PGP-alike with ephemeral signed keys like we did at Wickr), signing, &c. , but I’m getting ahead of myself.
My point was that they survived by dumping the BBS model. Whereas, Slack is recognizable as IRC-like to anyone who even dabbled in IRC. Citadel would be further proof that businesses or projects can pivot into something the market is demanding to survive. That’s not controversial. It is controversial if someone tells me they have a modern offering that will succeed in the Web era that’s designed like a BBS. Honestly, I’d probably not even look at it at this point, the survival rate is so low. I was really stretching my mind for existing, surviving apps with terminals in my prior comment.
I like your idea for a text-only solution for collaboration with privacy features. There could even be uptake among people in UNIX userbase or on older hardware. It would be a tiny market that I wouldn’t bet on. What I considered for this is to pick the kind of text-based tools people are already using to enhance them with security. Possibly make a distro that’s private/secure by default that only supplies those.
Woah this is really big no? Does this also unlock significant performance improvements while maintaining type safety?
Yes I should think so; Rust has shown that there are practical benefits to affine types, which are closely related to linear types. Whilst not new (Clean has had linear types since when? as has Mercury and others), it’s interesting to see it applied to Haskell. I’m definitely going to be watching this closely, and seeing where it goes, but exciting things are happening in F# and Haskell spaces (to say nothing of less popular languages as well)!
Do you think this development might also extend to F#? very excited about -o
I don’t know about F# right away, but F* is already in this space, so it’s only a matter of time.
Ever since I looked into it, I’ve been claiming that Amiga architecture lived on even if Amigas died. That’s due to modern hardware using a combination of compute, command, and accelerator chips working in unison. Especially on mobile or multimedia SoC’s. That was just an educated guess since I didn’t have an Amiga. This article corroborates it esp with GPU example.
The water effect on that game looked really good. Better than any I had on my oldest consoles. The resolution trick was neat, too. I can confirm the PS2 had the control the author describes. It was something the developers loved and hated since it added to the work needed for a game. Fans figured any trouble was worthwhile after seeing Metal Gear Solid 2, though. :)
EDIT: Anyone looking to play with a modern Amiga should check out MorphOS. It’s beautiful and runs on Apple PPC hardware.
There is also AROS and AROS on Wikipedia, which I’ve played with a few times. It’s pretty nice, runs atop Linux, FreeBSD, or natively on several platforms. iirc, MorphOS & AROS share code back & forth, and bits of AROS were used for the later versions of AmigaOS (namely 3.9 & 4).
For anyone interested, I did a write-up below of my methods and categories of obfuscation with plenty of references to follow as usual.
I think you touch on it in the other thread, but in my mind, obscurity is always a likelihood modifier. When I rank risk, I talk about
obscurity is a pretty valid likelihood modifier; it’s not a security control in and of itself, but it decreases the likelihood of discovery & successful exploitation.
All true. I just don’t know whether I want to use a different term since overall security is always probabilistic. There are specific mechanisms that have high-assurance of doing specific kinds of things. Past that, we’re constantly modifying likelihoods in this area or that whether traditional mitigations or obfuscations.
I use NIST 800-30-style risk ranking, so it’s a combination of Likelihood x Impact; for example
The likelihood is low for the following reasons:
The impact is high for the following reasons:
Then push it into the matrix and you get a “Medium” overall, or whatever.
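The Likelihood x Impact lookup that the comments above describe (“Very low x High = low” for SSHv1 reachable only from an admin VLAN, and the NIST 800-30 matrix that yields a “Medium” or whatever), as an added example that is not code from anyone in this thread. The matrix is transcribed from memory of Table I-2 in NIST SP 800-30 Rev. 1 and should be checked against the published table before use; the three findings are constructed for illustration and are not from any real engagement.

```python
"""Qualitative risk rating in the style of NIST SP 800-30 Rev. 1.

Added example (not from the thread).  RISK_MATRIX is an assumption:
it is transcribed from memory of SP 800-30 Rev. 1 Table I-2 and should be
verified against the published table before being used in a real report.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Ordered from least to most severe; used for both likelihood and impact.
LEVELS = ("Very Low", "Low", "Moderate", "High", "Very High")

# Row: likelihood that the threat event occurs and results in adverse impact.
# Column (in LEVELS order): level of impact.  Cell: overall level of risk.
RISK_MATRIX = {
    "Very High": ("Very Low", "Low", "Moderate", "High", "Very High"),
    "High":      ("Very Low", "Low", "Moderate", "High", "Very High"),
    "Moderate":  ("Very Low", "Low", "Moderate", "Moderate", "High"),
    "Low":       ("Very Low", "Low", "Low", "Low", "Moderate"),
    "Very Low":  ("Very Low", "Very Low", "Very Low", "Low", "Low"),
}


def rate(likelihood: str, impact: str) -> str:
    """Return the overall risk level for a (likelihood, impact) pair."""
    if likelihood not in RISK_MATRIX:
        raise ValueError(f"unknown likelihood level: {likelihood!r}")
    if impact not in LEVELS:
        raise ValueError(f"unknown impact level: {impact!r}")
    return RISK_MATRIX[likelihood][LEVELS.index(impact)]


@dataclass
class Finding:
    """One report finding with the justification for each factor."""
    title: str
    likelihood: str
    impact: str
    likelihood_reasons: list[str] = field(default_factory=list)
    impact_reasons: list[str] = field(default_factory=list)

    @property
    def risk(self) -> str:
        return rate(self.likelihood, self.impact)


def writeup(f: Finding) -> str:
    """Render a finding in the 'likelihood is X for the following reasons' form."""
    lines = [f"{f.title}",
             f"The likelihood is {f.likelihood.lower()} for the following reasons:"]
    lines += [f"  - {r}" for r in f.likelihood_reasons]
    lines.append(f"The impact is {f.impact.lower()} for the following reasons:")
    lines += [f"  - {r}" for r in f.impact_reasons]
    lines.append(f"Overall risk: {f.risk}")
    return "\n".join(lines)


def prioritise(findings: list[Finding]) -> list[Finding]:
    """Most severe first; ties keep report order (sorted() is stable)."""
    return sorted(findings, key=lambda f: LEVELS.index(f.risk), reverse=True)


# Constructed sample findings (assumed environments, not real clients).
SAMPLE_FINDINGS = [
    Finding(
        "SSHv1 enabled on internal routers (management interfaces on admin VLAN only)",
        "Very Low", "High",
        ["Management interfaces reachable only from a dedicated admin VLAN",
         "An external attacker must cross several boundaries and run a noisy attack",
         "An insider positioned to reach the VLAN likely already has device access"],
        ["Routers carry core business traffic; compromise affects availability and integrity"],
    ),
    Finding(
        "SSHv1 enabled on internal routers (management interfaces reachable from user LAN)",
        "Moderate", "High",
        ["Any compromised workstation can reach the management plane",
         "SSHv1 downgrade/MITM weaknesses are publicly documented"],
        ["Routers carry core business traffic; compromise affects availability and integrity"],
    ),
    Finding(
        "World-readable anonymous FTP server contains sensitive client information",
        "High", "High",
        ["No authentication required; trivially discovered by scanning"],
        ["Direct disclosure of client data; regulatory and contractual exposure"],
    ),
]


if __name__ == "__main__":
    for f in prioritise(SAMPLE_FINDINGS):
        print(writeup(f), end="\n\n")
```

Running the block prints the three constructed findings most severe first; the admin-VLAN SSHv1 case lands at Low, which is the “fix it during your next upgrade cycle” outcome the thread describes, while the same weakness reachable from the user LAN rates Moderate. The point of keeping the reasons next to the levels is that a reader can check the rating rather than take the matrix output on faith.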
If doing it that way, one other thing I’d do is note how often attacks happen on specific components or types of mitigations. Reason being I’m making predictions as I make claims like that. Then, adding the numbers lets them check my math so to speak on likelihood. A good evaluator will prefer having something real to work with. I’m outside the industry right now, though, so can’t say what current preferences are.
Depends on the client really; for government, many have requested NIST 800-30 with specific modifiers, or their own risk ranking. In finance, it’s a mixed bag: some prefer write ups, some prefer numbers. I go with what clients want, but many are happy with NIST 800-30, and it’s a standard to point to (and old, initiated in 2002); I’ve not seen too many complaints in my 10ish years in sec, when talking about risk justification. Obviously backed up with technical details. Works nicely.
Appreciate you sharing your experiences on that.
Brilliant! I’ll package this for Gentoo as soon as he renames it.
Now we shall see if Python3 can compete with a Python2 that’s no longer sabotaged by the core devs.
Could you explain what you mean when you say that Python 2 has been sabotaged by the core developers?
[Comment from banned user removed]
but was more than happy to block a door when people were fleeing in droves from a “women in tech” talk at a Europython conference (fortunately, there was another door available)
uhhhhhh… what? cough
Do you mean: This doesn’t count as discourse on Lobsters? That’s how I’m reading your reply.
I think he means it more as “That sounds ridiculous, can you provide a link or explain better?”
oh no, sorry, that’s the incorrect read; I was expressing surprise because that sounds… well, bad. I would call out anything I felt doesn’t count as discourse on Lobsters, but this isn’t it. I was just honestly surprised at what stefantalpalaru had mentioned wrt the door blocking, that’s all.
Yeah, seriously. If I remember correctly, it was before this talk, on July 4th 2012: https://www.youtube.com/watch?v=l2PnVKQJg0I
Main conference room, right-hand side door when facing the stage. There was no need for physical violence. He just crossed arms, stood in front of the door in his silly “Python is for girls” T-shirt and stared at people (who, of course, smiled and turned towards the other door).
It seems he went further at PyCon 2014 when he decided to only take questions from women. Sexism will continue until the morale improves ;-)
Your way of thinking about the lack-of-women-in-tech problem is close to totally ridiculous.
How can you imagine that blocking a door could be anything more than symbolic when there are two doors?
The morale will never improve without a conscious effort to improve it, and being satisfied with the status quo will not change anything.
As much as I understand women in tech feel all but welcome and it’s hard to understand that letting live an hostile climate which de facto exclude half of the human pool will not lower the global success of the community for example by doing better technical results.
You must be confusing having a hostile climate towards men with not allowing men to harass women as they usually do in everyday life. Are you really unable to understand that expressing sexuality (by a man toward a woman) in very crude terms (orgasm) is harassment toward women and all but a normal way to behave?
Good point about my grammar being bad. As a French speaker, I understand it is not perfect, but can you (or someone else) point out what was incorrect and propose something?
the core developers defer to a moron who’s unable to grasp some basic concepts from functional programming, but was more than happy to block a door when people were fleeing in droves from a “women in tech” talk at a Europython conference (fortunately, there was another door available)
I want to reiterate that this point is disrespectful and poorly reasoned. This is not how I expect my fellow Lobsters to behave. If you want to act this way, please go somewhere else.
The rest of your points are valid criticism, though I prefer precise arguments instead of rants.
… the backwards incompatibility failures of … Ruby 1.9
I acknowledge that this feels like a beside-the-point nit-pick, but:
Python 3.0 was released before Ruby 1.9.1, the actual “stable” release of Ruby 1.9 (although that versioning choice was definitely a questionable one). Also, I recall being surprised how quick the adoption for Ruby 1.9.1 came amongst users, so much so I would consider it an example of a successful embrace of a new, incompatible version by its community.
That’s not to say it didn’t feel like an eternity when a gem you used was still 1.8 only, or something new was released and your 1.8 project couldn’t use it, but I remember reflecting some time in 2012-ish that Python 3’s woes made the 2009-to-2011 stretch that was Ruby 1.9’s adoption feel like nothing by comparison.
In Scala, this has led to the creation of the DOT calculus, in a project known as Dotty. A little over a year ago, DOT was proven to be sound.
woah, thanks for those, that’s super interesting.
Does anyone else find this report extremely verbose for what it is? Technically, I think there are some excellent findings, but… so much writing for a non-narrative report.
I didn’t really think it was too verbose, but perhaps that’s because I’m so used to reading verbose documents (the joys of enterprise software implementations…). Even if you’re not that interested in security audits, the report makes for a good read, IMHO.
I actually work in information security for large banks, government, & similar organizations; writing these sorts of reports is what puts bread on my family’s table. Even for a large international bank, I couldn’t imagine delivering a report that was this verbose in the discussion of vulnerabilities… I think my report out would mostly consist of “could you give me the gist of what’s going on?” and “so what you’re really saying is…”
In terms of technical details, this is 100% great, but the writing struck me as… long winded.
Maybe that’s the idea however; it’s really long, and most people just get the “tl;dr”. I mean, I’ve seen reports from competitors (Cigital, Gotham Digital, FishNet, &c.) and they don’t seem to be this long either…
edit: fixed a missing ‘)’
edit 2: Also, I apologize if I come off as boorish, that wasn’t the intent! I’m just running around cooking & cleaning atm for Thanksgiving.
Perhaps the fact that they knew this report would be available to the public played a role here?
A good and detailed report of solid work like this is rather great advertisement.
I definitely agree, and the technical detail is some of the best I’ve seen, but it feels like there’s just too much… “fluff”… writing in there. I tend towards the minimalist side internally to my company too, so it may just be that (and indeed, no one has agreed with me here! :D)
I don’t fully understand how the new MBP is significantly worse than the existing one for “content creators”, whatever they are. Perhaps because I see “content creation” as a set of unrelated tasks that get lumped together, because they’re all things that 90% of the buyers of computers don’t do. The sense that Apple doesn’t really care about “content creation” seems more an inchoate sense that Apple has determined that people who post on message boards don’t actually punch above their weight.
Apple is under no obligation to make a computer for every person, or that is optimized for every person’s needs. I would be much happier if they did, because I would happily drop a LARGE_NUM pile of dollars on them for a new dual CPU desktop, but mistaking my personal desires for objective truths is a mistake that I try hard not to make.
Personally, I think the crux of the problem is that Apple says “You don’t need a computer anymore” when talking about their ipad pro tablets. This is true for many people. You can order crap from Amazon, watch Netflix, browse facebook, etc on this device. This isn’t true for everyone though. For me, I do embedded software development. I need a computer. Apple has already said that most people don’t need a computer. So they should focus on building a computer for the people that really need one.
I don’t fully understand how the new MBP is significantly worse than the existing one for “content creators”
I agree with you. I think the (poorly explained) reasoning behind this party line is that Apple used to be the only very strong out of the box for creatives: powerful, just works, high end GPUs, nice screen, high speed connectivity, and compatibility with specialty hardware peripherals.
Now that every other manufacturer offers these things, Apple is no longer alone at the top, creating this illusion that they’re somehow worse than their old self. At least, that’s my view of the whole thing. For reference, I’ve been around TV studios, radio stations, recording studios, and wealthy hobbyist musicians for over a decade and seen their setups over time.
Apple is under no obligation to make a computer for every person, or that is optimized for every person’s needs.
True. A big source of confusion is the lack of a defined target market, right? Creatives are saying they’re not it because Apple offers nothing unique while MSFT blew everyone away, devs are saying they’re not it because the laptops are underpowered and lack desired connectivity (the future be damned, I have work to do now I can’t wait for everyone to chase Apple’s visions of the one true cable), and everyone else is feeling like it’s not for them because they might as well save a ton of money by getting a regular MacBook or something else entirely.
In short, the MBP offers nothing new or exceptional (just some inconveniences that might be great in the future – a pricey gamble), and at the price they’re asking, they better be doing something to wow at least one target market.
Honestly, I know macOS gets a lot of crap, but it still provides the strongest and most pleasant end-user experience of any operating system I’ve used.
I’m a unix kid; I’ve been using Unix since I was 10 years old. Find me another Unix that:
it’s easy for people to crap on macOS and the like, but at the end of the day, it’s pretty hard to beat for me. I think Windows devices have made some interesting strides, and I still use other Unices for my servers, but for my main day-to-day laptop? I’ve never had something that could beat macOS.
Find me another os that does ONE thing nice:
Lets me plug monitors in and unplug them and works.
Windows does OK, but not great, besides I’ll be honest even with the linux subsystem windows just isn’t my thing. (also it still lacks a TON of ioctls for me to use, and yes i’ve tried)
ha! this reminds me several years ago I had a laptop running windows & cygwin for work. I’d code most of my stuff in Cygwin, and then deploy to Linux. Well, one day at work I finally decided to try one of those fancy monitors (I was a consultant), it was great!
And then I went to leave, so I unplugged the monitor went home and… couldn’t find my Cygwin terminals. I could see they were still running, but I couldn’t load them. Turns out, Windows was still displaying them on the other “monitor”… the one I had left at the office.
Linux is nice if you have hardware that works with it and it’s relatively fixed. Default fonts are still pretty shite, but not terrible. Windows is ok for consumption, but it takes a lot of tinkering for me to be able to develop on it (I’m sorry, I’m just too used to switching between vim and a shell with awk and a bunch of other tools).
So ja, I definitely know what you mean. As much as I’d like to hate on macOS (esp. for memory…) I can’t really see too much else of utility out there right now.
Windows 10 on a Surface Book meets those requirements, unless your phone is an iPhone but that’s Apple being antisocial and we shouldn’t reward them for it. (Windows is not very Unix, but nor is MacOS).
I thought iPhone Windows integration was reasonable (I must admit to not having seen it being used since the days of Vista being popular though)? Well, you still have to suffer iTunes, but so do Mac users…
So, I use Windows 10 on a variety of Hardware, including VMs, for work, I don’t know if I would say it works “out of the box” quite like macOS does. I would say that I’m intrigued as to where Windows 11 & 12 will be, as they might beat out macOS for being a decent OS out of the box and provide a reasonable experience.
Wrt being Unixy, the fact that I can just grab my dotfiles repo and mostly get going is a huge plus to me. Once I can do that in Windows, and have a reasonable setup, I’ll be happy. I’ve tried with Cygwin, and I can get most of the way there, but there are still little edge cases here and there that make it less sweet than macOS or Linux/OpenBSD.
Have you tried WSL? I haven’t done a lot with it yet, but as far as just running bash, grep and a bit of python goes the experience was really nice.
I haven’t tried it just yet; I’ve used Services for Unix when that was a thing tho, and that was pretty nice…
This is much nicer, because you have a working apt-get.
Interesting! A long time ago, I actually started working on some utilities based around a modified version of apt-cyg, and that included a hyper-minimal wget for the initial boot. Seems like Windows has come along nicely!
I have a Windows 10 VM for work, I should try this…
Could I propose a moratorium on all new security-related software written in C?
What language would you suggest? This library targets embedded platforms. Correct me if I’m wrong, but I haven’t heard much about embedded Rust.
Coming, but we need LLVM targets and LLVM isn’t the best toolchain for a wide array of small embedded targets currently.
There is usage of it, for example an operating system written for CortexM targets: https://github.com/helena-project/tock
Check out the rust-embedded GitHub org for a bunch of stuff related to embedded rust. It’s still early days but there’s tons of smart and motivated people working on it.
Rod Chapman at Altran/Praxis found an error in the reference implementation of Skein just by recoding it from C to SPARK. Ada and SPARK were invented for embedded systems. There’s also DSL’s like Galois' CRYPTOL, Ivory and Tower for embedded work that can generate correct C code. Finally, COGENT is a functional, systems language that’s already been proven in a filesystem implementation with certified translation to imperative code. Dependently-typed languages like IDRIS and ATS are possible, with ATS demo’d in device drivers and an 8-bit microcontroller.
Sensible subsets of C++ :)
The most sensible subset of which is actually C.
Nah, it’s Ironclad C++ or SaferCPlusPlus if you’re talking a subset that’s actually immune to all kinds of memory-related attacks with little work + has C++’s benefits.
There is embedded OCaml, ready to use (if you have a supported embedded platform, but this approach can certainly be extended to other platforms).
You could, but you would be silly to do so. There are tools that mitigate nearly all of the stupid of C…people just need the patience and discipline to use them.
That’s precisely the attitude that continues the status quo: “users are to blame, they need to be more disciplined”.
Those two comments are basically equivalent.
If somebody isn’t disciplined enough to follow best practices in C, they won’t be disciplined enough to follow best practices in any other language, either.
Compilers of more modern languages can be very disciplined and unforgiving of sloppy code.
And so can C compilers, with the added benefit that there are tons of static analysis tools like Lint and Coverity, etc., and it’s portable to far more platforms than anything else, and can easily be called by every other language.
If you want to nitpick other people’s language choice, at least make concrete complaints by pointing out the bugs in their code. “C can be unsafe, so this is bad,” doesn’t help anything and is just nitpicking for the sake of nitpicking.
And so can C compilers
Actually existing C compilers play an ad-hoc game of whack-a-mole with the most commonly exploited issues, that’s all. A C compiler that offers actual safety guarantees is vapourware. (There is principled tooling for languages that are supersets of subsets of C and are represented as C files subject to particular restrictions plus additional information, but these languages lack most of the advantages of C, e.g. they don’t tend to have a wide library or developer ecosystem).
with the added benefit that there are tons of static analysis tools like Lint and Coverity, etc.
They’re not a benefit, they’re a red flag that the language proper is inadequate. And again, all they offer is ad-hoc checks for the common cases. You can’t retrofit principled language design.
“C can be unsafe, so this is bad,” doesn’t help anything and is just nitpicking for the sake of nitpicking.
It’s not a nitpick. The language really is unsuitable for the project, and the project will fail as a result. I wish this weren’t so, but pretending it isn’t isn’t constructive.
Difference being one mistake in a common construct can lead to full code injection in C where that’s rarely the case in the safe languages. The mistakes will happen. They’re usually more severe with C when they do. It’s intrinsic to how it was designed (or more accurately wasn’t) to handle safety of primitive functions & structures.
That’s just scare mongering, though. Mistakes can happen in any language.
The safety issues of C are well known to anybody who’s paying any attention at all. If a person chooses it for a new project anyway it’s safe to assume they know the downsides but have other reasons for using it. If you want people to use other languages, focus on those other reasons rather than harping on how they may hypothetically make a security mistake one day.
It really isn’t scare mongering if even experts make these mistakes as regularly as they do. It means the average case will be much worse than it has to be. Putting an upper bound on damage from mistakes can prevent that. So it’s a good idea.
I’m not patient or disciplined enough to follow best practices if not following them would silently succeed (and on the available evidence neither is anyone else, even C experts). So I use languages that enforce best practices.
This position is undermined by the fact that I know of no security-sensitive C project in widespread use that is actually free of memory safety bugs. OpenSSL’s failures are well-known, but consider OpenSSH: it’s widely held as a high-quality security system, and yet had the roaming vulnerability earlier this year and several others before. If these were written in a safe language, there would still be bugs and crashes, but you would never run into the scenario where an attacker could leak arbitrary data out of a process, and you would never have to deal with remote code execution vulnerabilities (barring things like web browsers where running attacker code is considered a feature).
A common argument against not-C in libraries is interop, since one of C’s legitimate advantages is it serves as a simple way to describe interfaces. This argument doesn’t hold much water though: consider this library binding, which lets you slot in an OCaml TLS implementation for any program that links against libtls. The only difference you’ll notice is the lack of panicked key-switching when Heartbleed 2 rolls around :).
thoughts on C-dialects like Low* and C-light?
Slightly off-topic, but I wished people would try other languages than C/C++ for implementing TLS. Ada, Rust, OCaml, Haskell, Go, etc. It would be really cool if one of those could break the barrier of “it needs to be in C”. Trading some of their benefits for type/memory safety, etc. seems rather reasonable.
I know there are some libraries in stdlib in those and I know that Go probably isn’t the thing you want to call from other languages, but Rust for example appears to be a sane option for something that is a new implementation of something like TLS.
Is there something other than knowing the language that really would make you not want to have your TLS library written in Rust? Portability (mostly), size and performance seem to be less of an obstacle here.
And just to not sound like “C isn’t a cool language”: I mean it the way both Google and Mozilla build stuff like parsers (Mozilla for video metadata) and renderers (Google for fonts) in Rust to avoid certain types of bugs.
To say something on the actual topic as well: I think it’s really great that the big libraries see some competition. Usually not having monocultures is a good thing and from experience it seems that different implementations make certain problems (design flaws and bugs) more obvious, even when other libraries implementing the same thing have them too.
miTLS is a great example of this, and it’s written in F*, which is a dependently typed version of F#. It’s interesting to see what MS & Inria are doing with this sort of thing.
Also, totally agreed wrt competition. It’s nice to see this corner of infosec getting some love (and I don’t even work in that domain generally).
Check this out:
I’d like to see SPARK and Rust, too. Haskell could probably be derived from miTLS given it compiles to F# or OCaml. One drawback to high-level languages is one needs covert channel analysis for high-assurance security. That might be hard to do with them. Hence, me preferring things closer to how the assembly works like SPARK.
Yeah, can’t wait to run Haskell and Go on that microcontroller.
Sorry, but I actually did write that Go maybe isn’t a fit in most cases, while Rust might.
Also on a microcontroller you typically use smaller/different SSL libraries already. wolfSSL for example.
The cheapest ICs around these days are full ARM processors that can comfortably run Haskell or Go.
No, they aren’t. While 32-bit microcontrollers are common, most microcontrollers used in new projects today have somewhere between 8 and 32kB of memory. Even 2kB are common.
OCaPIC runs on PIC18, so not exactly large.
Great, but OCaml is not Go nor Haskell.
And not everyone runs their software on a microcontroller. I used multiple examples and even wrote a paragraph about Go and Rust for exactly that reason.
Still you have OpenSSL, which also isn’t the typical microcontroller library and various other C implementations (forks such as LibreSSL and PolarSSL and GnuTLS). One would think that it would be a perfect ground for a language that has or claims to have certain guarantees. Yet the only bigger contenders are written in C.
This guy obviously isn’t thinking about Vim users when he says that the Escape key isn’t gone, it’s just not a physical key any more.
Vim users hit the Escape key easily every 10-20 keystrokes. How accurate will they be trying to strike a touch pad thingie?
“Just use caps lock” = “you’re doing it wrong.”
I configure my editor and CLI such that it has a few nice shortcuts, but it is pretty close to stock. The advantage of this is that I can sit down elsewhere (read: ssh into a box) and get things done without having to set everything up again. Remapping core keys (and, by extension, muscle memory), breaks this completely.
vi was apparently developed on a keyboard like this. I have also been told that control+[ should be used directly, instead of using escape.
Sadly, my muscle memory for escape is pretty baked in. I might give the capslock key a try though. I’m not so old that I can’t learn any new tricks. ;)
I have also been told that control+[ should be used directly, instead of using escape.
I didn’t know about this, but I just tried it after using vi/vim for a little over 20 years, and it’s a revelation. Not just because of my now-renewed confidence in my continuing ability to give Apple yet more money, but because I think I might start trying to force myself to use it anyway, even in the shell. Less finger-travel than esc by quite a margin. Thanks!
Lenovo, amongst constantly screwing things up, did experiment very briefly with a double-height escape key that, other than size, is in the normal place. I like it a lot—it’s very easy to hit without confusing your muscle memory for “normal” keyboards.
I wonder if removing the caps-lock key entirely (maybe putting escape there!!) would be passable. I can’t remember the last time I used caps-lock intentionally. I imagine the COBOL and Fortran people would throw a fit though.
I remap caps lock to control so I can use Vim without breaking my left pinky finger. There’s actually a handy check box in the Mac OS preferences, so I can’t be the only one who does this.
I believe that macOS option only appeared in Sierra. Escape is not present as one of the dropdown options for caps-lock in Yosemite – not really an issue on any current model laptop though… Apple must have planned this in relation to the touchbar thingy.
He said he remaps Caps Lock to Ctrl, not to Esc. That option has been available in System Preferences since the dawn of time.
lol. Thanks for that. Reading comprehension fail on my part.
It’s been there at least since El Cap and I am almost 95% sure that it was there since Mavericks and Snow Leopard.
Maybe it depends on the model? I have the option to change the caps-lock key, but escape is not one of the options – example.
MacBookPro5,3 running macOS 10.11.6
try putting this in your .vimrc:
inoremap jj <Esc>
inoremap jk <Esc>
inoremap kj <Esc>
I prefer only jj but you can just mash the jk keys together and it escapes from insert mode.
The advantage of this is that I can sit down elsewhere (read: ssh into a box)
So, when you type ssh hostname, this resets your keyboard configuration in System Preferences?
I don’t think that’s a very charitable interpretation of my comment. :)
It’s more of being able to sit down at any box and be productive rather than mess with preferences before getting down to work.
No, it definitely wasn’t charitable. ;)
More seriously, you should consider caps->escape for your short list of configs, now that macOS 10.12 supports it natively and it’s quite easy to set. It’s truly a night and day difference, and not just for vim. For example, I didn’t start using escape to safely exit form fields until I bound it to the more accessible caps lock.
I’ve got a couple of months before I jump to Sierra, unfortunately (due to GPGTools).
Can I use the caps lock key like normal with something like Fn-Caps Lock? I use it for writing SQL and a few other random things where it’s needed. I think I want Karabiner, IIRC.
unfortunately (due to GPGTools).
What’s up with GPGTools? I use it just fine on Sierra right now…
The Mail.app plugin is broken
Oh I see. I don’t use GPGMail or whatever they call it, mostly because I don’t use Mail.app at all. We generally use Box or some other mechanism for coordination, Mail is all for UNCLAS types of information.
Karabiner is the one. It will be harder to configure though. I personally never use caps lock, and write all SQL in lower case.
Karabiner doesn’t yet work on Sierra, although I believe with Karabiner Elements now working, it’s being updated.
I never use Caps Lock, even when typing long swathes of upper case text (like SQL). I’ve remapped it to Ctrl everywhere, so even if I wanted to, I couldn’t use it for its intended purpose :)
I’d recommend capslock -> control, and then using ctrl-[ (a default binding). I stand by escape is definitely doing it wrong.
Escape is one of keys I press most (if not the most) when using vim, why would I want that to require pressing two keys? It’s also useful in other applications, such as irssi. I think I’m happy doing it wrong because it seems to be less effort.
I’m an Emacs user, but this is much of why I don’t fault vim users for being upset about this.
Most Emacs users take customization and not having ssh-ability for granted, we use TRAMP and the like instead.
This is also why the Emacs emulation in most text editors is useless to me. I don’t use “Emacs”, I use (Emacs <> ChrisConfig). I leave defaults alone where I can (my Emacs is considerably simpler than SpaceEmacs), but there’s a lot of tweaks I’ve developed muscle memory around in my dotfiles.
(Emacs <> ChrisConfig)
The noise from vim users seems to be overrepresented. Now, I happen to use vim and would have some reservations about buying a laptop without an escape key, but we’re talking about less than 10% of the market. (Apple’s portion of laptop market.) How many Apple users prefer sublime or atom or whatever now? How many Apple users are even developers?
By now I’d wager that literally every single Mac vim user has weighed in, but none of the twenty Mac users sitting around me have made a peep.
To me it’s not about losing the escape key, I would happily give it up to get something awesome in return. But is the little OLED strip thingy really that great? What can it do that couldn’t be done before? How many people are going to get significant value out of it? The demo showed that it can be used as a scrubber (or whatever those video / audio gizmos are called), how many people need that? Why can’t the huge touchpad do the same thing with the interface shown on the screen? I haven’t heard anyone make a convincing case for HAVING the new feature. It just seems like a gimmick that I would have expected out of HP or some other mediocre manufacturer trying to differentiate their bland products.
The scrubber sounds pretty nice actually.
I’m not totally sure what it will be used for either, but I trust Apple to drive the technology as a new and useful way to interact with laptops. If not, I pretty much only used that bar of keys for volume and play/pause anyway, I don’t think that functionality will be degraded.
As an example: I was convinced the Apple Watch was worthless, especially since I had a Google Watch with my Nexus 5 and thought that was worthless. But a friend of mine whose judgement I value recommended the watch to me, and based on her points I decided to try it out. I now wear it every day.
If you boil down the Apple and Google watches to a feature list, they’re mostly identical. But on Google’s I would check the time and the screen wouldn’t always activate, so I kept the habit of checking time on my phone. Apple’s works perfectly. I would read a new message, but scrolling to read longer messages was tedious, so I never built that habit either. Again, Apple’s watch has no issues. In general, Google’s constantly annoyed me, and Apple’s constantly surprised and impressed me. It’s the little things.
You’re surely correct, if HP or some other mediocre manufacturer built this feature, it would be a gimmick. But Apple has a way of taking a gimmick and actually building something useful out of it. I’m not claiming this revolutionizes the modern computing era, but I expect it will be a nice incremental improvement on my laptop experience when I next need to upgrade. Of course not everyone will find it useful, but not everyone finds every feature useful anyway.
Not that I disagree, but isn’t a hurricane of complaints a little much for a silly gimmick? I mean, it’s already a well known fact that everything Apple makes is technically inferior overpriced crap that only sells because their marketing department tricks stupid hipsters into buying it. Right? The fact that a useless toy got a little more useless would usually be beneath my notice. :)
While I would love to ignore all the idiotic things Apple does, other hardware manufacturers love to blindly adopt anything they do, good or bad, so my hope in complaining about “useless toys” that I’ll never use is that the infection can be contained there and not spread to things that aren’t “useless toys”.
Of course, since literally the entire laptop market is blanket unacceptable to me now, I guess I’ve looped back around to not caring. The patient is dead, no need for a doctor.
the entire laptop market is blanket unacceptable to me now
I feel you. I think I’ll invest in a new battery for my current laptop and wait until it dies.
Outside of directly manipulating objects with the touch bar, for anyone who works day-to-day on these machines I’m not sure how the touch bar helps; you’re hopefully using keyboard shortcuts for most of what you do during the day.
I still want to try it out, but I haven’t seen much that made me say, “yes, that! I’ve been doing that poorly all along, and the touch bar helps me do that faster!”
I don’t use that many keyboard shortcuts. If it’s more than one modifier key I probably won’t remember it.
Although I have big hands and I can manipulate the mouse quickly and accurately with my thumb without moving my fingers from typing position. I don’t think many other people do that?
… because they’re all running Linux? :)
I use Karabiner to map caps lock to both escape and control at the same time. (Tap for escape, hold for control.) Try it–it’ll change your life. OK, no, but it’ll reduce finger stretch in vim a lot!
Hey, seems like a nice idea, but how is it different from OpenID?
In addition to what Dan said, email addresses are much better UX for users. OpenID had huge issues with users not understanding how a URL could be their identifier, which we hope to avoid with Portier.
UX for users.
Developers too… I’ve worked with many a developer who had issues with the OpenID, OAuth, &c. workflows, so this is pretty intriguing.
UX for users.
That would be a great name… I’ve thought about it when I’ve been working on APIs or languages or tools for languages: what is the user experience for a developer who is using this thing? What can I do to make this thing more pleasant to use? Languages like Elm have great “UX”, whereas tools like Burp & ZAP have terrible UX for analysts. DX is a neat condensation of that…
I agree. I think developers tend to be more accepting of tradeoffs in usability in exchange for capability, which makes designing for them somewhat different from designing for end users.
In some ways, you can think of Portier acting as an adapter in front of other OAuth / OpenID providers, so you integrate with Portier once, and get consistent support for other providers for free. More in the design document.
The other big difference is that Portier asks users for an email address, and provides a fallback which ensures that Portier works for all email addresses. This is a huge improvement over classic OpenID, which used opaque URLs for identities, and OpenID Connect, which effectively requires every website to pre-register with, whitelist, and display custom buttons for specific OAuth providers.
Portier is just email in, auth out, using whatever protocol is most appropriate for that email domain. Way more humane for users.
Otherwise, most of the virtues of OpenID should carry through. There’s deeper discussion of how Portier compares to Persona in OtherProjects.md.
I think this is interesting… until people start attacking DNS or the like. I don’t even mean in terms of Mirai or the like… I mean things like what happened to Kenneth Reitz. Those sorts of attacks aren’t even theoretical, or even necessarily intentional; I had a large financial services client do an entire rebranding effort, walk through the entire setup of creating new brand data, &c. … only to completely forget to register the domain name. They were already handing out email addresses to someone else’s domain.
tl;dr: I think it’s a neat idea, and I’d love to see where you go with it, but as a security person, these sorts of things scare the tar out of me.
I hear this a lot, but what people don’t realize is that this is no less secure than what we’re doing now. If someone hijacks your email provider’s DNS, you’ve already lost, no matter how secure your password.
I guess the problem is that centralized authentication this direct doesn’t sit well with people, whereas the existence of the “reset your password by email” link is easier to ignore, even though it’s exactly the same as something like Portier.
oh I agree it’s not any less secure; we argue about password reset links all the time at work, for example. It has all the same security risks as password reset links, or what slack is doing with “magic links” to login.
It’s just that I sit on the side of the fence that password reset links are terrible too, depending on your risk level. I think for most things this is an intriguing fix to a problem and I’d like to see it work. I think the difference is that I work in government and high-finance and email is considered at best a necessary evil.
Again, super interesting idea, and I’m curious to see where you go, but I probably won’t see it in my domain for a while yet (if ever).
I am not a Slack engineer, but unlike generic password reset links, the Slack “magic links” do not need to have the same vulnerability as password reset links (whether or not it’s vulnerable in practice is a separate issue; as I’ve mentioned, I don’t work for Slack…).
Here’s the secure scenario:
If our primary attack vector is email interception (between steps 1 and 2), then we can guarantee that the magic link alone will not authenticate them on any device other than the originating device because the imposter lacks the original token to close the loop and sign the final request (step 3).
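The device-bound flow described above, as an added example in Python that is not Slack’s code nor the commenter’s. The three steps, the URL shape and the token handling are assumptions filled in for illustration; the naive path is shown next to the bound path so the difference is visible.

```python
"""Added example (not Slack's code, nor the commenter's): a device-bound
magic-link flow showing why the emailed link alone cannot log in another device.
Assumed flow, since the thread's numbered steps are not reproduced here:
(1) the originating device requests a login and gets a device token it keeps
locally; (2) the server emails a link carrying a one-time nonce; (3) the device
opening the link signs the nonce with its token and the server verifies it.
All names, URLs and message shapes are assumptions; sample data is constructed."""
import hashlib
import hmac
import secrets
import time

LINK_TTL_SECONDS = 600


def sign_nonce(device_token, nonce):
    """Client side, step 3: HMAC-SHA256 over the nonce keyed by the device token."""
    return hmac.new(device_token.encode(), nonce.encode(), hashlib.sha256).hexdigest()


def nonce_from(link):
    return link.rsplit("nonce=", 1)[1]


class MagicLinkServer:
    def __init__(self, now=time.time):
        self.now = now
        self.pending = {}  # nonce -> {"email", "device_token", "expires"}

    def begin_login(self, email):
        """Step 1: returns the device token (kept only on the requesting device)
        and the link that would be emailed (step 2)."""
        device_token = secrets.token_urlsafe(32)
        nonce = secrets.token_urlsafe(32)
        self.pending[nonce] = {"email": email, "device_token": device_token,
                               "expires": self.now() + LINK_TTL_SECONDS}
        return device_token, f"https://example.invalid/login?nonce={nonce}"

    def redeem_naive(self, link):
        """Password-reset-style redemption: whoever holds the link is logged in."""
        rec = self.pending.pop(nonce_from(link), None)
        if rec is None or self.now() > rec["expires"]:
            return None
        return rec["email"]

    def redeem_bound(self, link, signature):
        """Step 3: the link is honoured only with a valid signature from the
        originating device. A bad signature does not burn the nonce, so an
        interceptor holding only the link cannot lock the real user out."""
        nonce = nonce_from(link)
        rec = self.pending.get(nonce)
        if rec is None or self.now() > rec["expires"]:
            self.pending.pop(nonce, None)
            return None
        if not hmac.compare_digest(sign_nonce(rec["device_token"], nonce), signature):
            return None
        del self.pending[nonce]  # single use once successfully redeemed
        return rec["email"]


def demo():
    """Interceptor reads the email (between steps 1 and 2) but has no device token."""
    server = MagicLinkServer()
    _, link_a = server.begin_login("alice@example.invalid")
    naive_interceptor = server.redeem_naive(link_a)  # succeeds with the link alone
    token_b, link_b = server.begin_login("alice@example.invalid")
    forged = sign_nonce(secrets.token_urlsafe(32), nonce_from(link_b))
    bound_interceptor = server.redeem_bound(link_b, forged)  # rejected
    owner_sig = sign_nonce(token_b, nonce_from(link_b))
    bound_owner = server.redeem_bound(link_b, owner_sig)  # accepted
    replay = server.redeem_bound(link_b, owner_sig)  # rejected: nonce consumed
    return {"naive_interceptor": naive_interceptor, "bound_interceptor": bound_interceptor,
            "bound_owner": bound_owner, "replay": replay}
```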
Working on quantitative marketing analytics (and A/B testing) for understanding customers on our (food) online ordering platform, and trying to find holy grails of customer retention.
Learning Swift in free-time from “The Swift Programming Language” book. Would appreciate suggestions about any follow-up resources/roadmap for the same.
wrt Swift, Tailor was extremely helpful for me (while I am extremely interested in PLT, and I like some of the things Swift is doing, I mainly picked up the language so as to be effective on client code reviews, so YMMV).
This is really cool; I’ve wanted to start using rr with some of the blackbox/adversarial assessments I do, esp. when we’re able to exfiltrate binaries from systems (right now, it’s a lot of IDA/gdb/whathaveyou). Obviously limited to x86, but really neat nonetheless.
Anyone using this for malware/RE yet and have experiences to share?
I’m a little disappointed Bigloo didn’t even get a mention – I consider it to be the most practical of the high performing schemes. Purists might find some things to dislike (e.g., its module system isn’t very scheme-like in spirit), but that’s only because the designers have chosen to be pragmatic over dogmatic.
The type system of Bigloo is also a big draw (for me), and it can be used to implement ML as well (in fact, it actually used to include a Caml implementation, but it was later removed). It’s not my favorite Scheme (aside from my own dialect, I’m rather fond of Gauche), but not including it here was a disappointment to me as well.
Thanks for mentioning Bigloo and Gauche (it is in the article but I did not google it). I was not even aware of their existence. Why do you prefer Bigloo or Gauche over Racket, for example?
The last time I used Racket for serious work it was actually called “MzScheme” :D
Over the years, I have used the following Scheme systems in client-facing production code:
For a long time I tried to use the “right scheme for the right job”, and then I decided to create Digamma. I have since moved on a bit, since I have started to find the parens a bit tiresome when I really was already heading down the path of making Digamma an ML, but it’ll always be that apple of my eye (even tho I had two other languages in production before Digamma).
Does that make sense?
Fascinating roadmap! Is there any good Scheme with a Hindley-Milner/ML type system? Something like Shen but with a bigger community?
There are quite a few Scheme systems that include type systems (even Chicken!), but none with HM AND a larger community than Shen.
Honestly, the type system I wanted to emulate the most was Stalin’s, but that’s based on set based analysis, not HM. I was also interested in Baker’s Nimble type checker for CL, which was a neat (but complicated!) idea.
If you’re going to go into Dev mode, is there a reason not to use something like Crouton? It seems pretty nice to me, and I have a few different environments on my little Chromebook…
Just that it’s a bunch of baggage. Why install Linux if you don’t need to?
I did actually have Crouton installed until I powerwashed yesterday (had a weird issue with downloads vanishing). I like to keep things minimalistic - easier to get things back to how they are if anything goes wrong (and, less to go wrong!).
I like to keep things minimal and clean, so the ability to nuke chroots when they get hairy is pretty nice to me. I wouldn’t want to be experimenting with Go, and mess it up (say if I’m mucking about with the core), and then have to start all over in my native environment… crouton seems to make it easier to “get back to things […] if anything goes wrong”, at least in my mind.
I would say I do the same for work tho: I have a per-client per-assessment VM/hyve, and I nuke them when done (makes data clean up easy as pie), so it may just be an extension of that.
Yeah, I can totally understand all that (I liked using Crouton for testing stuff out), but for some stuff (eg. if it’s just downloading an archive with an executable binary like this one) it seems like overkill.
I’m not against it, there just needs to be enough of a benefit to justify the (albeit rather small) overhead.
I think that’s pretty fair; it’s actually spurred me to try a native, non-chrooted Go on my chromebook sometime this week (I’m working on some static analysis tools for it anyway, so it’s a good place to try). Definitely not my normal route, but why not try it?