the stream

Links to articles, short comments on various topics - basically the sort of posts I would have put out on Google+ in previous years.

Windows 10 1803 annoyances

Alexander Bochmann Wednesday 06 of June, 2018
So far, I've run into two major annoyances with Windows 10 1803...

First is that the mobile hotspot function (sharing a cellular data connection to other devices via Wifi) has been gimped, and trying to activate it just results in a "To share your connection, you need to add this feature to your cellular data plan first." message:

Information around this is very scarce at this time - just a handful of search engine hits. From a post on the Italian Microsoft forums, it seems you now need a Store app published by your mobile phone provider to use this feature. WTF, really? I've been tinkering for quite some time to find out where Windows looks up whether using the hotspot is allowed or not, to no avail. Also see over here on Mastodon.

The other problem is that powersaving for the first gen switchable graphics in my old notebook doesn't seem to work anymore. In previous versions of W10, the integrated Intel graphics would be used on battery, using a lot less power than the AMD graphics chip.

As for minor niggles, it's not possible anymore to unconditionally set a network connection as "metered" to restrict Windows updates and background data - you'll have to set a daily or monthly data limit for the network, and then tell the system to always restrict background data (instead of within 10% of reaching the limit).

It really seems that W10 1709 was the sweet spot for this old notebook, but after I didn't see any immediate problems with the new version in the week directly after upgrading, I already deleted the rollback version...

converting animated GIFs to video...

Alexander Bochmann Sunday 15 of October, 2017
...is a major pain, since animated GIFs don't have a fixed frame rate: The animation can define a variable pause after each individual frame.

jwz has updated his resize.pl script (cache) with a new function to get around that limitation:

jwz wrote:
I'm converting them using the all-singing all-dancing image-and-video resizer that I wrote, resize.pl, which uses ImageMagick to extract each frame as a PNG then constructs an incredibly hairy ffmpeg command to put it all back together with the proper frame timing.

(via tedu)
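The variable frame timing is exactly what a fixed-rate conversion gets wrong. The following script is an added example (not jwz's resize.pl and not from the original post): it reads the delay from each Graphic Control Extension of a GIF and writes the ffmpeg concat-demuxer list that gives every extracted frame its own duration. The embedded two-frame GIF, the frame-NNN.png naming and the 10 cs default for a zero delay are assumptions made here.

```python
import struct

# Constructed two-frame 1x1 GIF (delays 10 cs and 250 cs); the minimal one-pixel LZW payload is only skipped.
SAMPLE_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00" + b"\x00\x00\x00\xff\xff\xff"
              + b"\x21\xf9\x04\x00\x0a\x00\x00\x00" + b"\x2c" + b"\x00" * 4 + b"\x01\x00\x01\x00\x00"
              + b"\x02\x02\x44\x01\x00"
              + b"\x21\xf9\x04\x00\xfa\x00\x00\x00" + b"\x2c" + b"\x00" * 4 + b"\x01\x00\x01\x00\x00"
              + b"\x02\x02\x44\x01\x00" + b"\x3b")

def _skip_subblocks(data, p):
    """Advance past a chain of length-prefixed sub-blocks ending in a 0 byte."""
    while data[p]:
        p += 1 + data[p]
    return p + 1

def gif_frame_delays(data, default_cs=10):
    """Per-frame delays in 1/100 s from each Graphic Control Extension. A delay of
    0 is replaced by default_cs (assumption: mimics what common viewers do)."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF file")
    pos, packed = 13, data[10]                      # after the logical screen descriptor
    if packed & 0x80:                               # global colour table present
        pos += 3 << ((packed & 0x07) + 1)
    delays, pending = [], default_cs
    while data[pos] != 0x3B:                        # 0x3B = trailer
        if data[pos] == 0x21:                       # extension block
            if data[pos + 1] == 0xF9:               # graphic control extension
                pending = struct.unpack_from("<H", data, pos + 4)[0] or default_cs
            pos = _skip_subblocks(data, pos + 2)
        elif data[pos] == 0x2C:                     # image descriptor
            local = data[pos + 9]
            pos += 10
            if local & 0x80:                        # local colour table present
                pos += 3 << ((local & 0x07) + 1)
            pos = _skip_subblocks(data, pos + 1)    # +1 skips the LZW minimum code size
            delays.append(pending)
            pending = default_cs
        else:
            raise ValueError(f"unexpected block 0x{data[pos]:02x} at offset {pos}")
    return delays

def ffmpeg_concat_list(delays, pattern="frame-{:03d}.png"):
    """Concat-demuxer script giving each extracted frame its own duration; the
    last file is repeated so ffmpeg honours the final frame's duration."""
    lines = []
    for i, cs in enumerate(delays):
        lines += [f"file '{pattern.format(i)}'", f"duration {cs / 100:.2f}"]
    if delays:
        lines.append(f"file '{pattern.format(len(delays) - 1)}'")
    return "\n".join(lines) + "\n"
```

Feed the output to `ffmpeg -f concat -i list.txt ...` after extracting the frames as PNGs with ImageMagick.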

old Acer Launch Manager on Windows 10

Alexander Bochmann Friday 22 of September, 2017
I'm still using the same Acer Aspire 3820G laptop that I bought over six years ago, though I've switched to Windows 10 during the "free upgrade" time. Most things work, despite missing vendor drivers. The function keys (sleep, sound volume, etc.) have basic support, but I recently noticed that the wireless switch only toggles through a handful of states, none of which have both Wifi and Cellular modem enabled.

For Windows 7, Acer provided Dritek Launch Manager to enable or disable wireless functions (Wifi, Bluetooth, Cellular), but version 4.0.5 doesn't install successfully on Windows 10 - and newer releases don't support the 3820G hardware.

After some experimentation it turns out that just starting the Launch Manager Setup.exe in compatibility mode for Windows 7 (right-click, select "Troubleshoot compatibility") surprisingly does the trick - the installer completes, and after a reboot the wireless function key actually starts Launch Manager instead of driving the Win10 builtin toggle.

Acer Launch Manager Win10
...so now I can use the Cellular modem and provide a Wifi hotspot at the same time.

more downtimes

Alexander Bochmann Sunday 20 of August, 2017
Ever since upgrading to OpenBSD 6.1 (and newer ports of everything), the web server seems to run out of file descriptors after some time, even though I have moved some of the older PHP applications over to a web hosting service.

Couldn't find out what that is caused by, up to now.

site's been down for over a week...

Alexander Bochmann Saturday 15 of July, 2017
...and I didn't even notice since I spent most of my online time on my Mastodon instance.

Somehow I managed to lose the p5-Time-TimeDate package on the OpenBSD web server, which in turn made vlogger fail to start up, and that resulted in all kinds of follow-up problems for the web service.

Unfortunately I have no memory of removing the package, so I'm not quite sure what happened there (but the date matches a day where I started moving some web sites off this server, so maybe I did some misguided cleanup)...

tedu: OpenBSD pledge doesn't work well on preexisting code

Alexander Bochmann Monday 22 of May, 2017
...he has staged a little exercise with ffmpeg to illustrate that, quite a fun read.

Also, I learned a new thing:

tedu wrote:
To find out more, we turn to ktrace’s little cousin, ltrace. It works almost exactly like ktrace (the output is even viewed with kdump), but it traces ld.so, the dynamic linker, instead of system calls.

Didn't know about ltrace up to now.

currently playing with Mastodon

Alexander Bochmann Sunday 21 of May, 2017
Mastodon is a federated microblogging platform that uses the OStatus protocol (amongst others), which allows it to talk to GNU Social / PostActiv / Friendica instances.

It's relatively easy to run your own instance, so I quickly set up one of them.

For the time being, I'm over there as @galaxis@mastodon.infra.de

Not yet sure if I'll move posting from this blog over there - probably I'll want to push posts from here into my Mastodon timeline instead. Since I'm running my own instance, it's the first service I'm relatively comfortable to use via an app on my phone, so it's possible that I use the Mastodon account some more in the near future.

grsecurity discussion on the kernel-hardening list

Alexander Bochmann Thursday 11 of May, 2017
Long post by the "PaX Team" (cache) on the kernel-hardening mailing list.

I'm generally sympathetic towards PaX and grsecurity developers, who have been developing innovative mitigations against several classes of attacks on the Linux kernel and applications over a long time - and I've personally been using their work on my own machines for ages. But really, communication is not their thing. Ok, they're in excellent company in the open source world with that, but it really harms their cause.

PaX Team wrote:
Upstream's goal is protecting as many people as possible.

the KSPP's goal is to further the agenda of the companies behind
it (which is extracting profits for shareholders). that has nothing
to do with "protecting as many people as possible" but everything
to do with business goals du jour. if what you claim was true,
they would have done it since the beginning and in a way that is
not restricted to only linux users.

(KSPP = Kernel Self Protection Project, sponsored by Google and the Linux Foundation, which tries to upstream select parts of the grsecurity patches into mainline Linux.)

slow weeks

Alexander Bochmann Wednesday 10 of May, 2017
Been on holidays, fought various IT and real-life problems, and set up a Mastodon instance.

Not sure if a microblogging service like Mastodon is what I'm actually looking for (I've never really warmed up to Twitter either), but it seems at least worth looking at. Or maybe I should have another go at running my own Diaspora pod (though I didn't use the last one I set up a whole lot).

I've not yet found a whole lot of interesting people, and the TrendingBot isn't much of a help, seeing as the most stable trending thing is #nsfw - I guess the porn sharing crowd is one of the early adopters again, unfortunately.

Cisco Nexus dropping commands due to old Linux kernel bug

Alexander Bochmann Tuesday 09 of May, 2017
Ivan Pepelnjak got feedback about his earlier post where he complains that Nexus OS is dropping lines from commands that are pasted into a terminal session with the system.

The drops were caused by a very old bug in the Linux TTY device driver introduced in 2009, discovered in Ubuntu ~4 years ago and present in all Linux distributions with kernels between 2.6.31 and 3.11.0.

fallout of Chrome removing support for commonName matching in certificates

Alexander Bochmann Tuesday 09 of May, 2017
Some time ago, Google announced that they would only look at the subjectAltName in certificates from Chrome 58 on.

The compatibility risk for removing commonName is low. RFC 2818 has deprecated this for nearly two decades, and the baseline requirements (which all publicly trusted certificate authorities must abide by) has required the presence of a subjectAltName since 2012.

Yeah. Turns out that no one in our company had known about that, and almost all of the SSL server certificates signed by our internal CAs don't carry a subjectAltName. Which wouldn't be that bad if it meant just one more click to bypass the error message... But no, even when acknowledging the certificate problem dialog, Chromium refuses to load most of the resources from an affected server (JavaScript, CSS files, images, and such)...
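As an added illustration (not part of the original post), the following Python code contrasts the legacy commonName fallback with the SAN-only matching Chrome 58 enforces, and includes a small audit helper that flags certificates issued without a subjectAltName. The certificate dicts, host names and the address 10.0.0.5 are constructed samples in the layout Python's ssl.getpeercert() returns.

```python
"""Hostname matching against an X.509 certificate, strict (subjectAltName only,
the Chrome 58+ behaviour) versus legacy (fallback to the subject commonName).
Certificates use the dict layout returned by ssl.SSLSocket.getpeercert();
the two samples below are constructed for this example, not real certificates."""
import ipaddress
from typing import Optional

def _dns_match(pattern: str, hostname: str) -> bool:
    """RFC 6125 style comparison: a wildcard may only be the whole leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p, h = pattern.split("."), hostname.split(".")
    return len(p) == len(h) and len(p) >= 3 and p[0] == "*" and p[1:] == h[1:]

def san_entries(cert: dict) -> list:
    return list(cert.get("subjectAltName", ()))

def common_name(cert: dict) -> Optional[str]:
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def hostname_matches(cert: dict, hostname: str, allow_cn_fallback: bool) -> bool:
    """With allow_cn_fallback=False a certificate lacking subjectAltName can never
    match, whatever its CN says; that is what broke the internal-CA certificates."""
    sans = san_entries(cert)
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        return any(k == "IP Address" and ipaddress.ip_address(v) == ip for k, v in sans)
    if sans:  # SAN present: the CN is never consulted, even in legacy mode
        return any(k == "DNS" and _dns_match(v, hostname) for k, v in sans)
    cn = common_name(cert)
    return bool(allow_cn_fallback and cn and _dns_match(cn, hostname))

def certs_without_san(certs: dict) -> list:
    """Names of certificates that Chrome 58+ will reject outright: no SAN at all."""
    return [name for name, cert in certs.items() if not san_entries(cert)]

# Constructed samples: a typical old internal-CA certificate (CN only) and a
# correctly issued one (SAN with a wildcard DNS name and an IP address).
INTERNAL_CN_ONLY = {"subject": ((("commonName", "intranet.example.internal"),),)}
WITH_SAN = {"subject": ((("commonName", "ignored.example.org"),),),
            "subjectAltName": (("DNS", "*.example.internal"), ("IP Address", "10.0.0.5"))}
```

Running certs_without_san over the certificates your internal CA has issued gives the list that needs reissuing with a proper subjectAltName.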

no more free grsecurity patches

Alexander Bochmann Thursday 27 of April, 2017
grsecurity announcement (cache). Same for PaX.

Brad Spengler & The PaX Team wrote:
Today we are handing over future maintenance of grsecurity test patches to the community. This makes grsecurity for Linux 4.9 the last version Open Source Security Inc. will release to non-subscribers.

grsecurity-3.1-4.9.24-201704252333.patch will be the last available patch for non-customers.

Theo de Raadt on OpenBSD CD releases (of which 6.0 was the last one)

Alexander Bochmann Monday 17 of April, 2017
On openbsd-misc: http://marc.info/?l=openbsd-misc&m=149232307018311&w=2 (cache)

Theo de Raadt wrote:
Having done 6.1 without a CD, we learn that incorporating CDs into the production cycle has been a big drag, basically 1 month out of 6. Other project developers and processes were locked to that cycle. It is shocking how easy a release cycle is without a CD. Generally our tree is always ready, we may be able to do future releases at the drop of a hat.

speculating on why nobody paid for the Shadow Brokers cache

Alexander Bochmann Saturday 15 of April, 2017
After the Shadow Brokers group dumped another piece of their "Equation Group" exploit cache yesterday, Microsoft announced that almost all of the vulnerabilities from that had already been fixed. In September of last year, they also advised customers on disabling SMB1 on servers and getting rid of remaining Windows XP and Server 2003 installations.

There's been some speculation on the timeline of events (emptywheel.net).

I'd currently assume that the data that the Shadow Brokers have is in several hands (outside of the original owners), and that bits and pieces have been making their way around the ITSEC community for quite some time. Which might also be one of the reasons why no one ever bid on one of the several auction attempts.