Wed, 13 Jan 2010

Airport Extreme Shenanigans

I recently got my hands on an Airport Extreme from Apple. It's a nice little device to replace my old linksys. I was using my Soekris board to do that but something which speaks AFP natively is nice to have, especially now that I have 2 Apple machines in the house. Have no fear, my Soekris box will still be my border device, and will run a couple of key services too.

While configuring the Airport to replace my Linksys I was unable to find a way to set the internal IP address of the device. I can tell it to use NAT or just bridge at layer 2. If it is in NAT mode I can't tell it what to use for an internal IP address, at all. It defaults to 10.0.1.1, 192.168.1.1 or 172.something.1.1. This totally screws up my network, and AFAICT there is no way to change it, at least after spending 10 minutes looking through their administration stuff and online.

Back when I learned networking basics your default gateway lived at the top of the network address space, and I've always configured my networks to be like that. I understand that it doesn't have to be that way, but it's just the way I've rolled for as long as I can remember. At some point it apparently became fashionable to put your default route at the bottom. Seems kind of silly to me but whatever, as long as I can change it I don't care what the default is.

I had a machine at 192.168.1.1/24 already, which obviously was conflicting with my Airport Extreme. So now I have to re-configure that machine (I have a handful of static machines because they serve various things out to the public and changing firewall rules to match DHCP changes is annoying). To make matters worse every machine on my network that was static was using 192.168.1.254 as a DNS server, so every time I SSH'ed into a machine to re-configure it I had to wait for reverse DNS to timeout.

If Apple made it so you cannot change the IP address of the Airport Extreme I would not be surprised. Apple products are great if you fit into their very narrow use-case. But the minute you try to do even basic things that are normal EVERYWHERE else in the world you end up fighting with Apple stuff. I can point to multiple instances of where Apple products are total failures. This Airport Extreme business is just one example.

posted at: 21:23 | path: /entries/rant

Tue, 14 Apr 2009

Gnome requires Apache?

wxs@syn wxs % make -C /usr/ports/x11/gnome2 all-depends-list | grep apache
/usr/ports/www/apache22
wxs@syn wxs %

WTF? Who thought that including an entire webserver just to run a desktop system is a good idea?

posted at: 16:16 | path: /entries/rant

Wed, 08 Apr 2009

Muscle Memory is a Good Thing (and why gratuitous UI changes are bad)

Muscle memory is a wonderful thing. I do things on my computers on a daily basis that I don't even think about doing. The movements are just ingrained into my muscles. Office 2007 has broken that (yes, I still use Windows for a bit of work). My muscles know that 'alt-e x' means "cut" but apparently that is no longer the case. I don't know why they decided to get rid of this, but it is very painful to me because I highlight a bunch of stuff I want to cut out and I hit 'alt-e x' and end up replacing the entire selection with the letter 'x.' It is annoying beyond belief.

Think how bad it would be if 'yy' in vi suddenly did something else. A LOT of people would have to change something which has been burned into their muscles for longer than I care to think about. If Microsoft suddenly changed 'alt-space n' to do something other than minimize I would likely flip out and call my friends who work there and scream until they put it back. Some of my muscle memory things for Windows actually go all the way back to my early DOS days! If 'alt-f x' does anything other than exit I'd go insane.

posted at: 19:00 | path: /entries/rant

Mon, 27 Oct 2008

Open Source VS Closed Source and Security Implications Thereof

Note: I'm going to completely ignore the classic Reflections on Trusting Trust or Countering Trusting Trust through Diverse Double-Compiling, but I do recommend reading them as they are both quite interesting. There are a lot of interesting things that have happened, and are happening, in this area, but they are entirely outside of the philosophical argument contained here.

I'd like to put my thoughts down on something I've been hearing for years now. Is the assertion that open source means better security true? I'm going to argue that this assertion is false. My position is based entirely upon my opinion, semantics and philosophy.

Take, for example, the following code:

#include <stdio.h>
#include <string.h>

int main(int argc, char *argv[]) {
    char buf[1024];
    strcpy(buf, argv[1]);   /* unbounded copy into a fixed 1024-byte stack buffer */
    printf(buf);            /* user-supplied data used as the format string */
    return 0;
}

Does the license under which that code is distributed (or not) have any bearing on the fact that it's horrible code?

To think that the code being open or closed affects its security is absurd. The fact that source code is available under any license has no effect on its correctness, from a functionality, completeness or security perspective. There is a lot of open source (however you define that term) code in the world. There is also a lot of closed source code in the world. How the code is licensed doesn't matter if it's not being reviewed by subject matter experts. If I were to write a program that used the above snippet (and I can see at least two major vulnerabilities in it without even thinking: the unbounded strcpy into a fixed stack buffer and the user-controlled printf format string) it would be equally insecure regardless of my choice to make it open source or not.
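As an added example (my code, not code from the original post), here is the snippet above rewritten with both defects closed. The function names, the refusal to accept over-long input rather than truncating it, and the choice of snprintf over strlcpy are my own decisions; the point is what a bounded copy and a constant format string look like next to the original.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 1024

/*
 * Hardened version of the snippet above (added example, not from the post).
 * The two defects in the original:
 *   1. strcpy(buf, argv[1]) copies until the NUL byte regardless of
 *      sizeof(buf): any argument of 1024 bytes or more overflows the stack.
 *   2. printf(buf) uses attacker-controlled data as the format string:
 *      "%x%x%x" leaks stack contents and "%n" writes to memory.
 * It also handles the case the original never checks: no argument at all
 * (argv[1] is NULL when argc < 2).
 */

/* Copy src into dst (capacity dstlen). Returns 0 on success, -1 if src
 * would not fit. Refusing is preferable to silent truncation, which can
 * turn one input into a different but still "valid" one. snprintf is used
 * rather than strlcpy so this builds with any C library. */
int copy_bounded(char *dst, size_t dstlen, const char *src)
{
    if (dst == NULL || dstlen == 0 || src == NULL)
        return -1;
    int n = snprintf(dst, dstlen, "%s", src);
    if (n < 0 || (size_t)n >= dstlen)
        return -1;
    return 0;
}

/* Echo one argument. Returns 0 on success, 1 if no argument was given,
 * 2 if the argument is too long for the fixed buffer. */
int echo_string(const char *arg)
{
    char buf[BUF_SIZE];

    if (arg == NULL) {
        fprintf(stderr, "usage: echo_string <string>\n");
        return 1;
    }
    if (copy_bounded(buf, sizeof buf, arg) != 0) {
        fprintf(stderr, "argument longer than %d bytes, refusing\n", BUF_SIZE - 1);
        return 2;
    }
    /* Constant format string; user data only ever travels as a %s argument. */
    printf("%s\n", buf);
    return 0;
}

int main(int argc, char *argv[])
{
    return echo_string(argc > 1 ? argv[1] : NULL);
}
```

Note that a format-string payload such as "%x%n" is now harmless: copy_bounded stores it verbatim and printf prints it literally, because the only format string printf ever sees is the constant "%s\n".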

Open source code does not mean better security. You need only look at every Debian (and Debian-derived) system in use during the time-frame in which its OpenSSL package was crippled to see my point. The code in question was open source, but nobody noticed the bug for years. Nobody even noticed that the change was a bad one when it went into the Debian tree (the patch silenced a Valgrind warning by removing the calls that seeded the PRNG, leaving the process ID as essentially the only entropy, so every key generated on those systems came from a tiny, enumerable set). So if open source code does not mean better security, does closed source code mean better security? One could easily envision a closed source vendor making the same mistake as Debian.

The difference between the two scenarios is that it would be inherently harder to find this mistake in a closed source tree, due to the lack of access by the general public. The key piece is that open source code results in a lower barrier to entry for subject matter experts and hobbyists to review the code. The important distinction to make is that access to the code does not equate to review. Openness ensures that the code can be reviewed but does not ensure that it is reviewed. Does this mean that closed source code is not reviewed by subject matter experts because they can't get access? Absolutely not. I know many people who do source code audits on both kinds of code base, and in the case of a closed source tree they are always required to sign NDA documents (in truth, they are often required to sign them even for open source audits, since it is the findings, not the code, that must not be disclosed). Do not make the assumption that open source means reviewed.

This entire position is based upon the premise that open source results in audits by honest individuals who will work with the vendor to fix the bug. There are people in the world who will not do that: they will either release full details of the bug before a patch is out, or simply sit on the bug for their own benefit. In that case closed source is a good thing, because it raises the bar for an audit: the attacker has only the binary to work from, which is significantly harder.

The security of a piece of code is independent of the license under which it is written. Open source does make things easier to review. Closed source may be a good thing if your threat model is right. Don't assume that open source code has been audited. Don't assume that closed source code has not been audited. At some point you have to trust people to do the right thing, because who knows if your compiler has been compromised. ;)

posted at: 18:27 | path: /entries/security

Wed, 24 Sep 2008

Full RSS Feeds Only, Please.

The whole point of RSS is so that I can aggregate all the sites I like in one place and not have to visit each separately. I simply fire up my RSS reader of choice and browse through the headlines looking for things of interest. What really makes me annoyed is when one of the stories is a couple of lines long with a "read more" link. Why do I have to click the link to go to your site to read the story? Can't you just provide it to me in full so that I can enjoy it in the context of my RSS reader?

Maybe it's an advertisement thing? Who knows? All I know is that having to click another link to get the rest of the story is pretty god damn stupid. This also goes for stories which cover multiple pages. This is the modern internet - an extra couple hundred K of text is not going to make me flip out. If you're doing it for advertisement reasons stop being _that_ guy and make money on a real product not advertisements.

posted at: 21:03 | path: /entries/rant

Fri, 29 Feb 2008

Flickr Sucks.

My flickr account expired recently and I wanted to renew it. I tried a few weeks ago and it didn't work. I tried again today thinking it was a transient problem on their end. Turns out it's still not letting me renew my account. Their error message is worthless and their help is equally as worthless. Maybe one of my friends at Yahoo! will see this and tell me what I'm doing wrong. All I'm trying to do is pay with either my credit card or paypal.

Sorry, there is a problem with this payment method. Click here to use another payment method or edit your payment information to proceed in purchasing this service. (4) Please see http://help.yahoo.com/help/us/ordering for further information. If you are using PayPal as a payment method for this service, please review your PayPal information to make sure it is accurate and that the funding source associated with your PayPal account is valid and has sufficient funds for this purchase.

I just looked at my bank account and I have at least 3 purchases from Flickr for this. Seriously, what a POS service they provide.

UPDATE: Turns out they keep my address on file (gee, thanks Yahoo!) and it didn't match the one my bank has. Now I need to update my address with Yahoo! every time I move? Tell me again why they need my address and why they are submitting it to my bank? Is it too hard to give me a useful error message when something wrong happens? Now I need to keep an eye on my bank account and make sure the charges are properly dropped.

posted at: 10:34 | path: /entries/rant

Wed, 21 Nov 2007

Disappearing Window With Expose?

I just installed the 10.5.1 update tonight. This update requires a reboot. The window to do the reboot popped up and I wanted to finish what I was working on so I brought a terminal back into focus and kept working (exhibit A). After getting to a decent spot in my work I figured a reboot was a good thing to do while I stretched my legs. I used expose to quickly find the reboot window, only it had disappeared (exhibit B). Gee, thanks Apple - that was really helpful of you.

posted at: 21:07 | path: /entries/apple

Tue, 13 Mar 2007

Further Evidence Why Bugtraq Sucks.

Further evidence why Bugtraq is no longer a useful source of information regarding vulnerabilities and productive discussions thereof: Exhibit A. Honestly, do the moderator(s) of Bugtraq even read things and apply some form of logic?

posted at: 12:25 | path: /entries/rant

Fri, 09 Mar 2007

SNR on Bugtraq is way too high.

Here's an email that ended up on Bugtraq recently:

Date: 8 Mar 2007 08:20:40 -0000
From: r00t2000@hush.com
To: bugtraq@securityfocus.com
Subject: Word Press Sensitive Directory exposure (SQL)

#Found By: r00t[ati]

#Web App: Word Press

#Version(s): unknown

#Level: low

#File Name: admin-functions.php

//SQL EXAMPLE ERROR:

Fatal error: Call to undefined function __() in /usr/local/www/****/data/wp-admin/admin-functions.php on line 1593


Thanks,

r00t

Here's another email that ended up on Bugtraq a while ago:

Date: 23 Dec 2005 09:16:00 -0000
From: hackeriri@yahoo.com
To: bugtraq@securityfocus.com
Subject: Found new bug

                            In GOD We Trust
Kachal667 Under9round Team (KuT)
Hi,
Here's my(LrK) new advisory about PHP Website.

PHP System - Input Data(simple XSS) vulnerabilities
Date: 02/11/2005

Summary
-------

PHP is a language for programming and it is very good language for portal programming.
we se some portal with php like:
PHPBB , PHPNuke and ....


Details
-------

If programmer is not professional, probably he will have make a mistake.
if he dont stop some tages like:
  <script>alert(document.cookie)</script>
  <iframe src=http://eg.com/deface.htm>

for fix it u should write simple code for stopping iframe or script or ...

http://www.PHP.com


Lone Rider Knight

Why does Full-Disclosure (the mailing list) suck? Because it's unmoderated and any random person who wants to flex his e-wang (or woman doing whatever the equivalent is) can post the most worthless things. Bugtraq, last I checked, is moderated. So please tell me why the hell completely worthless posts are making it through.

Stop the posts about [insert random poorly written piece of web software here] or the "hey, we just updated a package in our linux distribution because it was vulnerable to something" posts. If I want to know when you update your package I'll go read your mailing lists (like I do with FreeBSD). And let's be entirely honest here. Anyone who is going to install one of those piece of crap web things is not going to read Bugtraq so stop letting stupid posts through.

The obvious argument against me is: "well, who the hell are you to decide what is important software and what isn't?" You're right, I'm nobody to say such things but the research and security communities need a viable outlet to have open, honest, and productive discussions regarding these things. Bugtraq is, on a VERY rare occasion, the place for it; but fighting through the worthless drivel on the list is very tedious and annoying.

posted at: 15:20 | path: /entries/rant