1. 5

    Slide 42 figure 6’s Representation of a break statement (Greenfoot, 2006) is really intriguing as an example of use of color and graphics to make it much easier to spot potential problems cleanly. Has anyone seen a plugin for Vim which can do something like this, either for C or for any langserver backend? While C macros might make it awkward, there’s some codebases (and a few security-critical bugs) which would benefit from being able to have this sort of view while looking at them.

    1. 3
      1. Deploy DNSSEC signing for your zones. It won’t protect everyone, but it rewards the behavior you want to reward: systems behind verifying resolvers will be protected from these shenanigans. If PKIX issuers aren’t using validating resolvers before issuing DNS-proven certs, then that’s a security failure on their part.
      2. If you’re in a position to do so, ask your network provider where they are on using ROA verification for routes, as part of RPKI security. My colo box is hosted with people who’ve been filtering on this basis for a few years now. This is no longer new functionality and we’re reaching the point where we’re in danger of the lawyers getting involved to argue gross negligence if operators aren’t filtering out provably bad route advertisements.
      1. 1

        Please stop. DNSSEC is not a solution. Let it die already.

        https://ianix.com/pub/dnssec-outages.html

        “Reminder: you could publish the DNSSEC root RSA secret keys on Pastebin and nothing on the Internet that matters would break.”

        edit: oh I forgot about this gem

        “Overlooking some DNSSEC outages because they’re so frequent: By default, Unbound ignores for up to 24 hours any DNSSEC failure resulting from expired RRSIGs.”

        1. 1

          Let what die? DNSSEC? It’s at over 50% of all .NL domains and generally on an upwards trend. The number of mail-systems being protected with DANE (TLSA records in DNSSEC-signed domains) is ever-increasing, since the only alternative for MX delivery is MTA-STS (spec still in draft, has gone through incompatible changes, and bakes in the same failure modes which led us to reject TLSA Usages 0 and 1 for DANE/SMTP).

          Every Internet technology ever has led to outages in the early days of deployment, until people figured out how to make tools more robust … and even then has led to reductions in the frequency of outages, not to eliminating them. The questions are “what’s the failure mode?” and “will things improve?”. We see enough outages on a per-domain basis caused by inept management of DNS itself, without DNSSEC, that I don’t see DNSSEC as moving the needle on outage frequency here.

          I do see more folks outsourcing their DNS management (eg, AWS Route 53, CloudFlare) and as we’ve seen from CloudFlare’s DNSSEC support, this pays off in getting professionally managed DNS+DNSSEC by people who understand it.

          The Internet is full of sites which enumerate mistakes and try to say that the existence of mistakes by individuals means the technology should die. Finding one website which does this for DNSSEC does not mean that DNSSEC is dying.

          1. 2

            Oh, and I agree that DNSSEC is ugly and problematic, but for verifying authenticity of name resolution, it’s the only solution we’ve got today. So today, it’s what we deploy. Let’s not abandon something which works, just because it’s not perfect.

            1. 1

              I am very annoyed because I wrote a 3 page rebuttal to every point and accidentally force closed my browser when switching apps.

              tl;dr it’s a dead RFC from 1997. Its usage is measurably on the decline. We peaked at ~1% of the important domains (net com and org).

              They tried to use DANE for IRC and nobody wanted it. They removed DANE code from Irssi.

              DANE for SMTP is a poor argument with the existence of LetsEncrypt. This argument is so tired I don’t know why it persists.

              If you can convince Green, Ptacek, Bernstein, or Marlinspike that DNSSEC is worth having I will rescind my statements. But it’s not going to happen. It’s awful, adds vulnerabilities to DNS resolvers, and has too many failure modes which are completely opaque to end users/applications.

              DNSSEC is basically Wayne’s ex-girlfriend Stacy. “It’s over. Get the net!”

              https://youtu.be/RJRvPmONjVY

              If you want security here’s what you do: you use dnscrypt or equivalent to a large provider like OpenDNS. They have the means to actively monitor for cache poisoning and other attacks worldwide in real-time. Voila, you know your DNS isn’t being tampered with.

              1. 1

                For browsers/HTTPS, we have a semi-working model now without DNSSEC. I can’t speak authoritatively to the trade-offs which apply there.

                SMTP I can speak authoritatively on: I added the initial DNSSEC support to Exim (although Jeremy Harris later picked it up and did the bulk of the work to take it to full DANE support) and talked extensively with Viktor Dukhovni of Postfix on the DANE spec, refining the text which became the RFCs.

                For Submission/Submissions service, or smarthost identity configuration, Let’s Encrypt is a sufficient answer.

                For MX delivery, LE buys you nothing. For TLS security, you need an identity which you can verify. That identity can not be derived by insecure means. With email to MX, that means the only verifiable identity is the domain. The mail-domain is rarely in the certificate SAN list. To fix this, you need a way to map from the domain to a host identity, securely. Further, it needs to be done in such a way that one external domain important to your organization (“when the CEO starts shouting about mail not going through”) can’t force domains into your trust-store for use with all other domains. This is why DANE for SMTP prohibits TLSA Usage fields 0 and 1. This is one of the severe flaws in MTA-STS.

                My current recommendation for MTA security for MX hosts is to get a Let’s Encrypt cert, setup DANE referencing that, and also set up the MTA-STS publishing side to let senders such as Gmail work, IF you’re willing to keep tracking the MTA-STS drafts for further breaking changes. This is what I set up for exim.org and for some of my own domains.

                Thus Let’s Encrypt solves absolutely nothing for MX SMTP.

                “If you want security” … I say that you first need to break down what you mean by “security” and who “you” is. When it comes to DNS, there’s authenticity and there’s privacy. dnscrypt provides privacy between you and whomever you talk to, as does DNS-over-HTTPS and DNS-over-TLS. dnscrypt does not provide any protection against tampering, whether at the resolver provider (under court order) or between them and the upstream.

                If “you” is an end-user or home operator, then you can carefully pick a DNS resolver and choose one who don’t actively tamper with the results for profit (and where you trust the jurisdiction, etc), then using an external provider with very-local-to-you resolvers, or with client-subnet support, pays off and gets you fast easy wins and is usually worth doing. If you pick one which does DNSSEC validation for you and has privacy/integrity between you and them, then you’re in a strong position. Google, CloudFlare, censurfridns, Verisign Labs, these are decent choices.

                If you’re a mail-server operator with bulk DNS traffic, that’s less tenable. There’s a reason that for decades now it’s been best practice for MTA operators for domains handling any non-trivial traffic to have a local resolver, either on-subnet or on-host. Thus the large external providers don’t help.
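The TLSA mapping described in the comment above (domain to MX host identity, with usages 0 and 1 unusable for SMTP, and a Let’s Encrypt cert referenced by a DANE record), as an added Python example that is not part of the thread: it generates and parses TLSA records in presentation form, discards the PKIX usages a DANE-SMTP client ignores, and matches a DANE-EE record against what a server presented. The certificate and SPKI byte strings are constructed stand-ins, not real DER from a handshake.

```python
import hashlib
from dataclasses import dataclass
from typing import Iterable, List, Optional

# DANE for SMTP treats PKIX-TA (0) and PKIX-EE (1) as unusable, for the reason the
# comment gives: those usages would let an outside CA, rather than the domain owner's
# DNSSEC-signed zone, decide which identity is acceptable.  Only DANE-TA (2) and
# DANE-EE (3) count.
USABLE_USAGES = {2, 3}


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int   # 0 = full certificate (DER), 1 = SubjectPublicKeyInfo (DER)
    mtype: int      # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes


def parse_tlsa(presentation: str) -> TLSA:
    """Parse presentation form, e.g. '3 1 1 <hex digest>', into a record."""
    fields = presentation.split()
    if len(fields) != 4:
        raise ValueError(f"malformed TLSA rdata: {presentation!r}")
    usage, selector, mtype = (int(f) for f in fields[:3])
    return TLSA(usage, selector, mtype, bytes.fromhex(fields[3]))


def tlsa_digest(mtype: int, payload: bytes) -> bytes:
    """Apply a TLSA matching type to the selected payload."""
    if mtype == 0:
        return payload
    if mtype == 1:
        return hashlib.sha256(payload).digest()
    if mtype == 2:
        return hashlib.sha512(payload).digest()
    raise ValueError(f"unknown matching type {mtype}")


def generate_tlsa(usage: int, selector: int, mtype: int, payload: bytes) -> str:
    """Presentation-form record to publish for a payload, e.g. '3 1 1' over the SPKI
    of the MX host's (Let's Encrypt) certificate, which survives routine renewals
    as long as the key pair is kept."""
    return f"{usage} {selector} {mtype} {tlsa_digest(mtype, payload).hex()}"


def usable_records(records: Iterable[TLSA]) -> List[TLSA]:
    """Drop records a DANE-SMTP client ignores.  If nothing remains, no DANE
    authentication of this host is possible."""
    return [r for r in records if r.usage in USABLE_USAGES]


def dane_ee_match(records: Iterable[TLSA], cert_der: bytes, spki_der: bytes) -> Optional[TLSA]:
    """Return the first DANE-EE (usage 3) record matching the presented leaf, or None.
    DANE-TA (usage 2) needs chain construction against the trust anchor and is not
    attempted here, so such records are skipped rather than treated as a mismatch."""
    for rec in usable_records(records):
        if rec.usage != 3:
            continue
        payload = {0: cert_der, 1: spki_der}.get(rec.selector)
        if payload is None:
            continue  # unknown selector: unusable record
        if tlsa_digest(rec.mtype, payload) == rec.data:
            return rec
    return None


# Constructed stand-ins for DER bytes from a real handshake; not a real certificate or key.
SAMPLE_CERT_DER = b"constructed-certificate-der-bytes"
SAMPLE_SPKI_DER = b"constructed-subject-public-key-info-bytes"

if __name__ == "__main__":
    published = generate_tlsa(3, 1, 1, SAMPLE_SPKI_DER)   # what the MX operator would publish
    print("_25._tcp.mx.example. IN TLSA", published)
    rec = parse_tlsa(published)
    print("presented SPKI matches:", dane_ee_match([rec], SAMPLE_CERT_DER, SAMPLE_SPKI_DER) is not None)
```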

        1. -1

          Urgh, what a horrible page. @johnblood this page is a clusterfuck, hope your ad revenue is nice.

          I’m not convinced, the cost of the extension boards is insanely high given what the cost would be to just shove it all on one board and that two of them don’t have active components - you need to purchase the actual e.g. WNIC or SFP module on top, not to mention antennas for wifi

          With the super professionally produced video makes it seem even more like crowdfunding fodder to make a buck.

          1. 3

            cz.nic appears to be a non-profit; I’m not familiar with Czech law, but section 46 of their statutes prohibits disbursements to their member base, and it’s an association of legal entities, not a share-based structure. The statutes: https://www.nic.cz/files/nic/doc/Stanovy__20170701_AJ.pdf

            So, no “making a buck”; I believe that the people involved are all salaried. cz.nic have been doing good solid open source software work for many years. It honestly looked to me like a fun video put together in the spirit of crowd-funding, relying upon “humor” and editing away anyone going “uhm” or “er”.

            I backed the Turris Omnia and am Very Happy with the resulting product, as it’s by far the best home router I’ve owned. It’s things like “actually pushes out software updates with security fixes, in good time” which help keep it that way. So I backed the Mox too, for more ad-hoc use.

            1. -1

              Thank you for your kind words.

            1. 6

              So, Perl’s Parrot VM system was just ahead of its time?

              1. 15

                Given how much confusion is created by systems which do allow “foo.bar” and “foobar” to be different email addresses in the same domain, for different users, Gmail saying “we won’t allow that” is wonderful. Given how often people don’t correctly write down dots or whatever when copying email addresses, Gmail’s behavior is also good for getting the mail to just flow.

                Saying Netflix shouldn’t have to have insider knowledge misses that (1) they made assumptions which required that insider knowledge, and (2) most sites make insider assumptions. Continuing with 2 for now: every site is allowed to have whatever rules they want for the left-hand-side (LHS), and per the standards the left-hand-side is case-sensitive. If I want “bar@” and “bAr@” to be different email addresses, that’s my business. Any email handling system which generally loses case of the LHS is, technically, broken. The federation used by email allows whatever systems are responsible for a given domain to have complete control over the semantics of the LHS.

                In practice, the most widely deployed LHS canonicalization is almost certainly “be case-insensitive”, followed by “have sub-addresses with + or perhaps -”. IMO, the Gmail dot handling is incredibly sane and everyone running mail-systems should seriously consider it.

                If I went out filing bugs against systems which made the case-insensitive assumption, then I’d be dismissed as a crazy person. In practice we (almost) all accept that some assumptions will be made. If you want to be safe, or not have to make assumptions, then validate the email addresses used at signup.

                A friend had some issues with his wife because four different people had signed up for Ashley Madison using his email address (first-name @ gmail.com) and A-M never validated. Perhaps the potential consequences here highlight why not validating email addresses at sign-up or email address change should be interpreted (legally) as reckless negligence. If you’re going to decide that you don’t need to validate, then you assume responsibility for knowing about the canonicalization performed by every recipient domain. So the author of this piece is flat wrong: the moment Netflix decided to not bother validating email addresses, while also using email addresses as authentication identifiers, they assumed complete responsibility for the security consequences of having correct information about canonicalization used in every domain, to keep their authentication identifiers distinct.

                (disclosure: as well as the hat, I’m also a former Gmail SRE, but had nothing to do with this feature)

                1. 1

                  Why not just disallow . in email addresses?

                  1. 1

                    About 40 years too late to decide to start restricting what can be on the LHS. That’s entirely up to the domain. You can have empty strings, SQL injection attacks, path attacks and more, because you can have fairly arbitrary (length-restricted) strings, if you use double-quotes. The LHS without quotes is an optimization for simple cases.

                    Given that there exist today domains where the dot matters, and fred.bloggs != fredbloggs, instead those belonging to different people, any site which disallows dots in sign-up will cut off legitimate users.

                    Just validate.
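The canonicalization problem raised in the two comments above (Gmail ignoring dots, other domains where dots or case distinguish users, quoted local parts, and a site that keys accounts on an unvalidated address), as an added Python example that is not from the thread: it applies a per-domain rule only where one is known, answers “same mailbox?” with True, False, or “cannot tell”, and groups a list of signups into definite duplicates and undecidable pairs. The Gmail dot rule is as the comment describes; the ‘+tag’ stripping, the example.org rule and all addresses are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Address:
    local: str    # left-hand side, exactly as written: its meaning belongs to the domain
    domain: str   # DNS names are case-insensitive, so this is always lowercased


def split_address(addr: str) -> Address:
    """Split at the LAST '@': a double-quoted local part may itself contain '@'."""
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an address: {addr!r}")
    return Address(local, domain.lower())


# Left-hand-side rules for domains whose behaviour we happen to know.  Gmail's dot
# handling is as described in the comment above; dropping a '+tag' sub-address and
# case folding are ASSUMED here for illustration, as is the constructed example.org rule.
def gmail_rule(local: str) -> str:
    if local.startswith('"'):
        return local          # quoted form: leave alone
    return local.split("+", 1)[0].replace(".", "").lower()


def case_fold_rule(local: str) -> str:
    return local.lower()


KNOWN_RULES: Dict[str, Callable[[str], str]] = {
    "gmail.com": gmail_rule,
    "example.org": case_fold_rule,
}


def canonical_mailbox(addr: str) -> Optional[str]:
    """Canonical form if the domain's rule is known, else None: we must not guess."""
    a = split_address(addr)
    rule = KNOWN_RULES.get(a.domain)
    if rule is None:
        return None
    return f"{rule(a.local)}@{a.domain}"


def same_mailbox(first: str, second: str) -> Optional[bool]:
    """True/False when it can be decided; None when only a validation round-trip could tell."""
    a, b = split_address(first), split_address(second)
    if a.domain != b.domain:
        return False
    if a.local == b.local:
        return True            # byte-identical: the same mailbox under any rule
    ca, cb = canonical_mailbox(first), canonical_mailbox(second)
    if ca is None or cb is None:
        return None            # unknown domain: dots or case may or may not matter
    return ca == cb


Pair = Tuple[str, str]


def classify_signups(addresses: List[str]) -> Tuple[List[Pair], List[Pair]]:
    """Audit a list of account addresses: (pairs that are definitely one mailbox,
    pairs a site cannot decide without having validated both)."""
    definite: List[Pair] = []
    undecidable: List[Pair] = []
    for i in range(len(addresses)):
        for j in range(i + 1, len(addresses)):
            verdict = same_mailbox(addresses[i], addresses[j])
            if verdict is True:
                definite.append((addresses[i], addresses[j]))
            elif verdict is None:
                undecidable.append((addresses[i], addresses[j]))
    return definite, undecidable
```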

                1. 4

                  Too fast and responsive to be legitimately phpBB.

                  1. 1

                    I can’t help but wonder at having does-added methods which override the self-same method and using this to implement a state machine.

                    1. 15

                      There are various command-line concoctions such as password-store which stores PGP-encrypted files in a Git repo, but that doesn’t improve my situation over 1Password. I would still have to manually look up passwords and copy them to the clipboard. These command-line packages also lack mobile apps and syncing.

                      That’s not completely true. I use pass with syncing via a private Git repository, there’s a Firefox plugin with autofill support, good mobile clients for both Android and iOS. The best password management system I’ve used (I had been a user of 1Password for about 3 years before that). Being able to do git log to see password history for a website is awesome. Bonus point: OTP plugin works like a charm.

                      1. 2

                        The major problem with pass is that the mobile clients don’t support encrypted git remotes, which is a huge problem: anyone with read access to the remote repo can see what your accounts are.

                        1. 4

                          So put the remote on a system you physically control ;)

                          1. -3

                            Given that git is distributed and makes it very easy to push from any client to any remote, it’s a pretty safe assumption that one day you’ll accidentally push to another remote where you realize shortly after doing so that this was A Bad Plan.

                            1. 14

                              … it’s pretty hard to accidentally push to a remote you never set up…

                      1. 7

                        The key to this work is throwing out old assumptions and requiring explicit guest support.

                        Historically, VM systems “had” to be able to boot guests which didn’t need to know they were in a VM, but the guest could optionally implement dedicated “hardware” drivers to have more optimized I/O than through emulated devices. Still, you could take the install media for various OSes and install them all.

                        This project requires explicit guest support for basic boot-up. Which is great, if your model is around managing everything in the guest and you can make that demand. They reap major benefits from doing so, and there’s no reason everyone creating images for deployment needs to be held back because the target system is also trying to be compatible with stuff which you’ll never deploy. But it’s very much a case of needing the guest to be compiled explicitly for the target hosting platform.

                        Since the competition is structured containerization with something like a Dockerfile defining entry-points, environmental dependencies, etc, this is not different. It’s a great trade-off. But it is made possible by the target audience having moved and adapted to a world of on-demand machine instances and container workloads.

                        1. 1

                          Link now 404s; going from http://vjolt.org/archives/older-volumes/ to volume 2 issue 1, we see:

                          1. The Use of Encrypted, Coded, and Secret Communications is an Ancient Liberty Protected by the United States Constitution [html] [Adobe .pdf format]
                            By John A. Fraser III
                          1. 2

                            “I ask you to judge me by the enemies I have made.” — Franklin D Roosevelt

                            1. 3

                              Neat troll at the end:

                              id also like to thank andrew loyd weber, inventer of the world wide web for making the internet

                              [sic]

                              1. 4

                                Author is generous. Originally from UK, moving from NL to US in 2006 I ended up remarking to colleagues that the US banking system was like moving back to the 1970s. 11 years later I’m still using passwords for bank website authentication, with knowledge of a bank account number being a closely held secret.

                                IBAN fee-free international transfers to friends or for paying bills (same day in-country, instant if same bank chain); fee-free cross-bank ATM withdrawals; sane security for web sign-in or initiating transfers; banking websites which don’t require you to lower the browser security settings to work; PIN-less on-card small-balance cash so you’re not typing your PIN into everything (paying for parking or using vending machines), all stuff I am still waiting for. Well, aside from the browser security settings: American banks have mostly caught up there.

                                1. 2

                                  IBAN fee-free international transfers to friends or for paying bills (same day in-country, instant if same bank chain)

                                  SEPA Instant Credit Transfer is launching in November and will hopefully see support from banks somewhen next year. It will allow instant (less than 10s) transfers across banks.

                                1. 11

                                  It was inevitable.

                                  If only it made him complete a quest with a random character in adventure mode before continuing to update his system. :D

                                  This is one good reason why I always use full, explicit paths in my scripts.

                                  1. 12

                                    This is one good reason why I always use full, explicit paths in my scripts.

                                    but then they are not portable

                                    1. 8
                                      qbit@slip[0]:~λ which bash
                                      /usr/local/bin/bash
                                      qbit@slip[0]:~λ
                                      
                                      1. -2

                                        Just always use /bin/bash and don’t care about distros/BSDs that don’t care enough about their users to place bash there. Problem solved for 99% of users. ;)

                                        1. 10

                                          or you know, ignore developers that don’t care about their downstream packagers and users to learn about /usr/bin/env? Problem solved for 99% of users caring about cross platform software.

                                          1. 3

                                            Not all distros may have env in /usr/bin, so not necessarily an improvement over the extremely common /bin/bash. Then there’s the problem of what /usr/bin/env df might return…

                                            1. 12

                                              On NixOS, env is the only thing in /usr/bin, so that’s at least one distro that developers can avoid breaking by using it.

                                              1. 7

                                                IME, globally /usr/bin/env is more likely to exist than /bin/bash. The person who has this dwarf fortress issue seems to have done foolish things to get df to be dwarf fortress so I don’t think this situation is a valid motivator for something that is closer to being a standard (/usr/bin/env) than something that’s not (/bin/bash).

                                                1. 1

                                                  As long as neither /bin/bash nor /usr/bin/env are standards, there can be issues. In addition to this, there is no agreed upon registry for reservation of the names of the executables.

                                        2. 1

                                          Keep in mind, for this to happen, the user probably changed the system default PATH to put Dwarf Fortress first. sudo usually scrubs the environment to default settings unless you’ve taken steps.

                                          1. 10

                                            Read the comments on the answer. He dropped a symlink into /usr/local/bin to make the command available to him. /usr/local/bin/df ?

                                            1. 1

                                              I don’t get this. Did he override the linux df in /usr/local/bin?

                                              1. 1

                                                The original df is in /bin. He placed another df in /usr/local/bin. The default PATH on Ubuntu has /usr/local/bin before /bin, so his df gets executed instead of the system one.
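The PATH lookup explained above (a df in /usr/local/bin shadowing the one in /bin because Ubuntu’s default PATH lists /usr/local/bin first), as an added Python example that is not from the thread: it reproduces the shell’s search rule over a constructed directory tree and reports every command name that exists in more than one PATH entry, which is the check an administrator would run before trusting bare command names in scripts. The directory layout, file contents and PATH order are constructed stand-ins built in a temporary directory.

```python
import os
import stat
import tempfile
from typing import Dict, List, Optional


def is_executable_file(path: str) -> bool:
    """What the shell's PATH search accepts: a regular file with an execute bit set."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    exec_bits = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & exec_bits)


def candidates(name: str, path_dirs: List[str]) -> List[str]:
    """Every executable called `name` along PATH, in search order."""
    found = []
    for d in path_dirs:
        full = os.path.join(d, name)
        if is_executable_file(full):
            found.append(full)
    return found


def resolve(name: str, path_dirs: List[str]) -> Optional[str]:
    """First hit wins, exactly as a shell running a bare command name would choose."""
    found = candidates(name, path_dirs)
    return found[0] if found else None


def shadowed_commands(names: List[str], path_dirs: List[str]) -> Dict[str, List[str]]:
    """Audit: names present in more than one PATH directory, so the one a script
    actually runs (first entry) is not the one in the system location (later entry)."""
    report: Dict[str, List[str]] = {}
    for name in names:
        found = candidates(name, path_dirs)
        if len(found) > 1:
            report[name] = found
    return report


def build_demo_tree(root: str) -> List[str]:
    """Construct a miniature Ubuntu-like layout under `root`: a stock df in bin/ and a
    user-installed df in usr/local/bin/, with usr/local/bin first in PATH as on Ubuntu."""
    layout = {
        "usr/local/bin/df": "#!/bin/sh\necho 'Dwarf Fortress stand-in (constructed)'\n",
        "bin/df": "#!/bin/sh\necho 'system df stand-in (constructed)'\n",
        "bin/ls": "#!/bin/sh\necho 'ls stand-in (constructed)'\n",
    }
    for rel, body in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(body)
        os.chmod(full, 0o755)
    return [os.path.join(root, d) for d in ("usr/local/bin", "usr/bin", "bin")]


def demo() -> Dict[str, object]:
    """Build the constructed tree in a temp dir and report what a script calling
    bare `df` would actually get; paths are returned relative to the tree root."""
    with tempfile.TemporaryDirectory() as root:
        path_dirs = build_demo_tree(root)

        def rel(p: Optional[str]) -> Optional[str]:
            return os.path.relpath(p, root) if p else None

        audit = shadowed_commands(["df", "ls", "cp"], path_dirs)
        return {
            "df_runs": rel(resolve("df", path_dirs)),
            "ls_runs": rel(resolve("ls", path_dirs)),
            "missing": resolve("cp", path_dirs),
            "shadowed": {n: [rel(p) for p in ps] for n, ps in audit.items()},
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```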

                                              2. 1

                                                Why would they use df? Did they not know of the other df? Or did they just not care? I don’t care if someone else set the PATH variable and it isn’t your fault, at best it is confusing, at worst someone messes up an install/copy/backup script, with potential to hose their system.

                                                1. 3

                                                  Not all the world is Unix. I can’t confirm with cursory searches, but given the character set choice (CP437) I strongly suspect that Windows was the original platform.

                                                  1. 1

                                                    It was

                                          1. 2

                                            Isn’t stuff like better upstream standards around tooling, but without having to reinvent the wheel and set everything up for scratch, why organizations like The Apache Software Foundation exist? Defined software, governance, tooling etc, leaving the projects themselves to get on with the software they care about?

                                            1. 6

                                              Anyone know if any browsers explicitly define their caching semantics for what they store, for a live-streamed object which is never “terminated”? This isn’t server-push object replacement, after all, but one object which has internal framing, and so keeps getting larger. So if the 4kB/sec claim on the page is right, then if you leave the browser open for a day then that’s a third of a GB. I know people who can forget their browser tabs for days on end.

                                              1. 4

                                                I remember on older webcams, their web interfaces could stream video via motion JPEGs, which just sends endless JPEG frames to the browser. I don’t think it was a problem back then even for those old browsers.

                                                1. 1

                                                  I don’t think it was a problem back then even for those old browsers

                                                  Even if it was a problem, this was the nineties we’re talking about. People would barely even notice if you crashed their browser or computer and they had to restart it, so long as you didn’t crash it much more than once an hour or so.

                                              1. 16

                                                One person at work put it best: “layers are only ever added, never removed.”

                                                That just stings so painfully true.

                                                1. 7

                                                  Every problem in computers can be solved with another level of abstraction–except for the problem of too many levels of abstraction!

                                                  1. 5

                                                    Nonono, I don’t need to care about those five layers there. By using a layer of abstraction to hide that those layers exist, I can make it look like there are only three layers instead of seven.

                                                1. 1

                                                  For my new business account (with custom domains), I’m using ProtonMail. I had used FastMail in the past, and it was fine, but I wanted to support the FOSS aspect of ProtonMail (pretty much the same price for both). I thought about running my own email server on Digital Ocean, but even at $5 a month, that’s more expensive than ProtonMail’s “Plus” plan ($48/year) or FastMail’s $50/year.

                                                  1. 2

                                                    The Fastmail folks are the de facto (if not now de jure) maintainers of Cyrus IMAP and have open sourced their work there. They’ve been quietly supporting OSS right for years.

                                                    1. 1

                                                      Good to know! I guess ProtonMail’s web site/marketing is oriented more towards techies, e.g., OSS is a “feature” for them. So nice to know that either company is a good option for supporting OSS.

                                                  1. 1

                                                    For personal stuff, I run my own server (exim etc). The technical side of things is fine there.

                                                    These days I have my own company, and one consideration is “how much proof is it, if I have an email record of something and there’s a dispute”. If I ran the mail-server and the logs, there’d be a high bar to prove something is a truthful record. As a one-person shop, I don’t have the staffing for it to be otherwise. By outsourcing my email, to people I presumably can’t influence to fake logs, I gain the ability for third-parties to trust that if I have evidence that it’s a truthful record.

                                                    So I’m using Fastmail for my LLC. I’m happy with the service. There was some hinkiness around account types and 2FA because they shoe-horned support into existing auth protocols “strangely”, but they’ve gotten past that. Their public IMAP is excellent, the web-browser works well enough to handle the bulk of stuff conveniently and the iOS app works well enough for my needs. My biggest issue is the number of folks assuming Google Calendar and the more limited interop with sharing calendars between accounts, so I ended up creating a gmail-less Google account and eventually enabling Google Calendar on that too.

                                                    1. 1

                                                      a gmail-less Google account

                                                      Is there a specific procedure for that? My cursory search didn’t bring up anything noteworthy.

                                                      1. 1

                                                        I just went to accounts.google.com in an incognito window, saw More options, clicked that, and the first item in the pop-up is Create account.

                                                        You’ll need a working email account elsewhere, and the Google account will be tied to that address. If it’s in a domain which later transitions to Google Apps then there will be some reconciliation work needed by the domain admins to handle stuff like Calendar, I don’t know what’s involved these days (and don’t recall what was involved back when I did know).

                                                    1. 2

                                                      Sympathetic as I am to OP as a (Neo)Vim user, I feel sad that it’s so hard to remix the advantages it finds (resource usage, responsiveness, large-file support) with a non-modal UI.

                                                      Also, on large-file handling, this comment on vis was useful.

                                                      1. 1

                                                        Facepalm at naming an editor the same as a standard 4.4BSD command. :(