Flying Cars and Food Capsules

2011-05-25 21:02:52 by jdixon

Today I was installing RHEL 6.0 on a remote Xen domU using virt-install with VNC. None of the Mac VNC clients I tried was able to render anything remotely usable. I tried various encoding schemes and color resolutions, to no avail. And where Chicken of the VNC rendered a screen seemingly inspired by LSD trips, RealVNC simply shit its pants and crashed.

So I downloaded an OpenBSD 4.9 iso and installed it in VMware Fusion. Installed tightvnc-viewer from packages. And in less than 10 minutes, I had a working X11-over-SSH tunnel to the remote Xen VNC console. From my Mac desktop. Through an OpenBSD VM. Across the fucking internet.

Welcome to the future. Sorta.

Updates on the OpenBSD IPsec Gossip

2010-12-15 15:22:57 by jdixon

As expected, news of a possible ten-year-old collusion to introduce backdoors in the OpenBSD IPsec stack has spread like wildfire. Ars Technica, The Register, CNET, and Forbes are among a long list of mainstream news outlets to chime in on these allegations.

Dag-Erling Smørgrav adds one point to my original commentary; that is, the action of introducing backdoor code into OpenBSD by the FBI would not fall under a "recently expired NDA", as Greg Perry claims. I think Dag is probably correct here. Even if Greg's claims are eventually proven true, something like this would more likely fall under a TOP SECRET (or even as high as TS/SCI) classification, which is typically declassified after a 25-year period. Releasing this information prematurely would land Greg in a steaming lake of hot water.

At least two of the named parties have already stepped forward to refute Greg's story. Scott Lowe posted to the openbsd-tech mailing list, stating that he does not, nor has he ever, had any affiliation or employment with the FBI or the OpenBSD project. Jason Wright followed up a short while later, demanding an apology from Greg Perry and detailing which parts of the code base he worked on during the affected period.

"I will point out that Greg did not even work at NETSEC while the OCF development was going on. Before January of 2000 Greg had left NETSEC. The timeline for my involvement with IPSec can be clearly demonstrated by looking at the revision history of:
	src/sys/dev/pci/hifn7751.c (Dec 15, 1999)
	src/sys/crypto/cryptosoft.c (March 2000)
The real work on OCF did not begin in earnest until February 2000."

I'm personally relieved to see the accused parties step up and assert their innocence. Unfortunately, the story won't end here. The mere possibility of impropriety by these developers or the FBI means the OpenBSD project will have to work long and hard to regain its tarnished reputation. A thorough code audit is the only sure-fire way (and even then, is not guaranteed) to clear these charges.

If you'd like to help with the audit, please consider matching Dag-Erling Smørgrav's triple bounty, or better yet, donating directly to the OpenBSD project.

Deconstructing the OpenBSD IPsec Rumors

2010-12-14 21:58:01 by jdixon

Theo de Raadt posted an email to the openbsd-tech mailing list Tuesday evening which contained details of alleged backdoors added to the OpenBSD IPsec code by government contractors some ten years ago. Subsequent posts from Bob Beck and Damien Miller add further commentary, but neither confirm nor deny the allegations. Damien goes so far as to propose a number of possible avenues as the most likely places to begin a new audit.

One of the purported conspirators is Jason Wright, a cryptology expert at the Idaho National Laboratory, who committed a significant amount of crypto and sparc64 code to the OpenBSD project. Although I haven't seen Jason in years, I consider "Wookie" a good friend and hope these accusations are false. If Damien's hypothesis is correct, it seems highly unlikely that Jason (or any US developers) introduced backdoors directly into the crypto code. A more likely scenario would be the malicious reuse of mbufs in the network stack.

As Brian T. Merritt suggests, it seems even more likely that Linux would be similarly "exploited". Lest we forget that while these claims against OpenBSD revolve around FBI involvement, Linux has had significant portions of its security code infiltrated by the NSA. Between these two code bases you're talking about an enormous portion of the networking infrastructure that powers the Internet.

As a former OpenBSD committer, this saddens me. Not just because of the possibility that this might be true, but because, regardless of whether it is true, developer and community resources will be swallowed into the rumor vacuum for untold weeks and possibly months. This results in less innovation, fewer bugfixes, and worst of all, a growing distrust among everyone involved.

This story has all the characteristics of being newsworthy for a long while. It has already made major headlines across Twitter, Slashdot, Reddit and OSNews. Most articles and tweets imply that the claims are fact, without any investigation of the source claim or the actual code in question. I hope that all parties involved are cleared of any wrongdoing. Either way, the cat is out of the proverbial bag. These claims will undermine a significant portion of goodwill and trust among all Free Software / Open Source projects. In the end, nobody wins.

Announcing Blogsum-1.0

2009-11-14 12:56:56 by jdixon

I'm happy to announce the release of Blogsum-1.0. This release includes a number of bugfixes and a couple enhancements over 0.9:

  • Fixed preview mode
    Preview content is now encoded so markup will always get recreated properly in your browser.
  • Tag Cloud
    Thanks to Jim Razmus who submitted this new feature. Make sure you add the new $max_tags_in_cloud setting to your local
  • Update date when (re-)publishing
    The published timestamp updates when you publish or republish an article.
  • Fix timezones in db
    Fixed a bug where article or comment timestamps were always set to GMT instead of localtime.
  • Fix pagination
    Removed pagination view from all non-default views. That is to say, we shouldn't paginate when viewing by year/month or tag filters.
  • Minor aesthetic improvements
    Lots of whitespace fixes, a redesigned footer and the addition of a meta generator tag for Blogsum.
  • Example httpd.conf for Apache-2.x
    Thanks to Dan Colish for testing Blogsum with Apache-2.x and submitting his configuration example. This has been added to the examples directory as httpd2-blogsum.conf.

I'd like to also thank Johan Huldtgren for submitting Blogsum to the FreeBSD ports tree for inclusion. It has been accepted and will likely bring many new Blogsum users, which will inevitably cause me to struggle even harder against the onslaught of feature requests. ;)

Just kidding, I'm glad to see Blogsum gaining interest in the community. I've also updated the OpenBSD port, if you happen to be using that instead of following svn. Enjoy!

OpenBSD as an LDAP Client

2009-08-27 22:33:50 by jdixon

OpenBSD's ypldap daemon provides YP maps using an LDAP backend. It was introduced with OpenBSD 4.4 but doesn't seem to have received much exposure within the community. I've been meaning to convert one of our bastion systems from using local accounts to LDAP, mainly for convenience.

The migration went smoothly except for the lack of a netid.byname mapping. Pierre-Yves Ritschard (pyr@) told me this is high on his to-do list. Without this mapping, sudo is unable to getpwuid(). Therefore, any accounts requiring sudo rights (read: administrators) will need to remain as local accounts until this is resolved.

The vast majority of this write-up was taken almost verbatim from a similar posting at the Helion-Prime Solutions blog. I've filled in some missing bits with regards to the sudo issue as well as ypbind issues over non-broadcast segments.


Shiny Objects and WTFs

2009-08-13 03:42:54 by jdixon

I've never claimed to be a prolific hacker. I take much longer to complete a simple piece of code than even your typical hobbyist programmer. I'm easily distracted by shiny objects and WTFs.

Nevertheless, I finally gave in and threw together something resembling a blogging app. There are no fancy features yet, and likely never will be. It currently does about 90% of what I want it to do, which is closer to 2% of what the typical blogging/CMS application is capable of. It's my own KISS approach with a healthy peppering of careful input handling and a simple SQLite backend.

If you've been looking for a small blog application, particularly one designed for running in OpenBSD's default httpd(8) chroot, then Blogsum might be good for you. If not, that's ok too. Let the next guy have his World Domination. I just want to blog some.