the stream

Links to articles, short comments on various topics - basically the sort of posts I would have put out on Google+ in previous years.

RFC 6762 reserved the .local TLD in 2013 for Multicast DNS!

Alexander Bochmann Monday 06 of August, 2018
I was not aware that RFC6762 (cache) reserves the ".local" TLD for exclusive use for Link-Local addresses with Multicast DNS:

RFC6762 wrote:
This document specifies that the DNS top-level domain ".local." is a special domain with special semantics, namely that any fully qualified name ending in ".local." is link-local, and names within this domain are meaningful only on the link where they originate.


Lutz Donnerhacke points to this in a German language article that explains how this leads to problems accessing a CIFS mount in a Windows domain that uses the .local TLD.

OpenSSH uses MD5 with salt to encrypt the passphrase for RSA keys by default

Alexander Bochmann Saturday 04 of August, 2018
Details here: The default OpenSSH key encryption is worse than plaintext (cache)

@latacora wrote:
The punchline is that the AES key is just MD5(password || IV[:8]). [...] MD5 is very cheap to compute. The only thing this design has going for it is that the salt goes after the password, so you can’t just compute the intermediate state of MD5(IV[:8]) and try passwords from there. That’s faint praise, especially in a world where I can rent a machine that tries billions of MD5 calls per second.


SSH keypairs for Ed25519 use a new format to encrypt the passphrase. Since 2013, it's been possible to create RSA keys with new-format passphrase encryption using ssh-keygen -o, but since that's not been the default, I don't assume anyone has ever used that (I haven't).

Might be worth replacing all RSA keypairs used for pubkey authentication (and removing the corresponding public key from any authorized_keys files on all destination systems) - and all Ed25519 keys that use the same passphrase. Unless you're absolutely certain no one ever had access to the private key, in which case just upgrading the passphrase encryption using ssh-keygen -p -o -f <PRIVATEKEY> might be good enough.
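As an added illustration (this is not code from the Latacora post, from OpenSSH or from OpenSSL), the following Python recognises the two on-disk key formats discussed above and reproduces the legacy key derivation so the "one MD5 per guess" point is concrete. The legacy PEM layout (Proc-Type / DEK-Info headers, salt taken from the first 8 bytes of the IV, EVP_BytesToKey with MD5 and one iteration) is OpenSSL's documented behaviour; the new-format container layout (the "openssh-key-v1" magic followed by ciphername and kdfname as SSH strings) follows OpenSSH's PROTOCOL.key description. The sample key blocks are constructed for the example and carry no key material.

```python
import base64
import hashlib
import re
import struct

# Constructed sample of a legacy (PEM "RSA PRIVATE KEY") encrypted key header.
# Only the headers matter for classification; the body is omitted, so this is not a key.
LEGACY_SAMPLE = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

(base64 body omitted in this constructed sample)
-----END RSA PRIVATE KEY-----
"""

# Key length in bytes for the cipher names OpenSSL's PEM writer puts in DEK-Info.
KEY_BYTES = {"AES-128-CBC": 16, "AES-192-CBC": 24, "AES-256-CBC": 32, "DES-EDE3-CBC": 24}


def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def make_new_format_sample(cipher: bytes = b"aes256-ctr", kdf: bytes = b"bcrypt") -> str:
    """Constructed 'openssh-key-v1' container carrying only the leading
    ciphername/kdfname fields that classify_key() inspects; no key material."""
    body = b"openssh-key-v1\0" + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(b"")
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
            + base64.b64encode(body).decode() + "\n"
            + "-----END OPENSSH PRIVATE KEY-----\n")


def classify_key(pem: str) -> dict:
    """Report the on-disk format of a private key and how it is protected.

    Legacy PEM keys encrypted by OpenSSH carry 'Proc-Type: 4,ENCRYPTED' and a
    'DEK-Info: <cipher>,<hex IV>' header; their cipher key comes from the MD5
    scheme in legacy_derive_key(). New-format keys embed the cipher and KDF
    names ('bcrypt', or 'none' when unencrypted) in the binary container."""
    lines = pem.strip().splitlines()
    if lines and lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(b"openssh-key-v1\0"):
            raise ValueError("bad openssh-key-v1 magic")
        pos = len(b"openssh-key-v1\0")
        fields = []
        for _ in range(2):  # ciphername, kdfname
            (n,) = struct.unpack_from(">I", blob, pos)
            fields.append(blob[pos + 4:pos + 4 + n].decode())
            pos += 4 + n
        cipher, kdf = fields
        return {"format": "openssh-new", "encrypted": cipher != "none",
                "cipher": cipher, "kdf": kdf}
    m = re.search(r"^DEK-Info:\s*([A-Z0-9-]+),([0-9A-Fa-f]+)\s*$", pem, re.M)
    if m is None:
        return {"format": "pem-legacy", "encrypted": False}
    return {"format": "pem-legacy", "encrypted": True, "cipher": m.group(1),
            "kdf": "md5-evp-bytestokey", "iv": bytes.fromhex(m.group(2))}


def legacy_derive_key(passphrase: bytes, iv: bytes, key_len: int) -> bytes:
    """OpenSSL EVP_BytesToKey with MD5 and a single iteration, as used for the
    legacy PEM format: salt = IV[:8]; D1 = MD5(passphrase || salt);
    Di = MD5(D(i-1) || passphrase || salt); key = D1 || D2 || ... truncated.
    For AES-128 that is exactly one MD5 call per passphrase guess."""
    salt = iv[:8]
    out, prev = b"", b""
    while len(out) < key_len:
        prev = hashlib.md5(prev + passphrase + salt).digest()
        out += prev
    return out[:key_len]


def needs_upgrade(pem: str) -> bool:
    """True when the key is still in the legacy format and should be
    re-encrypted with 'ssh-keygen -p -o' (or replaced outright)."""
    return classify_key(pem)["format"] == "pem-legacy"


if __name__ == "__main__":
    info = classify_key(LEGACY_SAMPLE)
    key = legacy_derive_key(b"correct horse", info["iv"], KEY_BYTES[info["cipher"]])
    print(info["format"], info["cipher"], key.hex())
    print(classify_key(make_new_format_sample()))
```

Running classify_key() over every file under ~/.ssh that starts with "-----BEGIN" gives a quick inventory of keys that still use the MD5 scheme; the new format stores the KDF name, so a key written by ssh-keygen -o shows "bcrypt" there.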

Mastodon embeds on the blog...

Alexander Bochmann Saturday 14 of July, 2018
I've been pulling in some posts from my Mastodon instance to the blog, using iframes to directly show the embed view provided by Mastodon.

There are two problems with that:

One is that someone who is using a content blocker like uBlock Origin or uMatrix likely won't see anything in these posts when they're blocking third party content by default. The other is - what happens when my Mastodon instance is down?

So I've now added direct links to each of the embedded posts, serving a dual purpose: There's first party content (the link), and also the Tiki engine creates a cache entry that can be accessed when the Mastodon server is unreachable.

I've also tagged all affected posts as mastodon embed, so I can easily find them and replace the content should I ever plan to shut down my Mastodon system.

Windows 10 1803 annoyances

Alexander Bochmann Wednesday 06 of June, 2018
So far, I've run into two major annoyances with Windows 10 1803...

First is that the mobile hotspot function (sharing a cellular data connection to other devices via Wifi) has been gimped, and trying to activate it just results in a "To share your connection, you need to add this feature to your cellular data plan first." message:

Information around this is very scarce at this time - just a handful of search engine hits. From a post on the Italian Microsoft forums, it seems you now need a Store app published by your mobile phone provider to use this feature. WTF, really? I've been tinkering for quite some time to find out where Windows looks up whether using the hotspot is allowed or not, to no avail. Also see over here on Mastodon.

The other problem is that powersaving for the first gen switchable graphics in my old notebook doesn't seem to work anymore. In previous versions of W10, the integrated Intel graphics would be used on battery, using a lot less power than the AMD graphics chip.

As for minor niggles, it's not possible anymore to unconditionally set a network connection as "metered" to restrict Windows updates and background data - you'll have to set a daily or monthly data limit for the network, and then tell the system to always restrict background data (instead of within 10% of reaching the limit).

It really seems that W10 1709 was the sweet spot for this old notebook, but after I didn't see any immediate problems with the new version in the week directly after upgrading, I had already deleted the rollback version...


converting animated GIFs to video...

Alexander Bochmann Sunday 15 of October, 2017
...is a major pain, since animated GIFs don't have a fixed frame rate: The animation can define a variable pause after each individual frame.

jwz has updated his resize.pl script (cache) with a new function to get around that limitation:

jwz wrote:
I'm converting them using the all-singing all-dancing image-and-video resizer that I wrote, resize.pl, which uses ImageMagick to extract each frame as a PNG then constructs an incredibly hairy ffmpeg command to put it all back together with the proper frame timing.


(via tedu)
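As an added example (not jwz's resize.pl and not part of the original post), here is the per-frame timing side of that approach in Python: a minimal GIF block walker that reads each frame's delay from the Graphic Control Extension, and a generator for an ffmpeg concat-demuxer list that carries those delays as per-image durations. The GIF block layout follows the GIF89a specification; the sample file is constructed in the code (its image data is filler, so it only exercises the timing parser); the browser clamping rule for tiny delays and the "list the last frame twice" convention for the concat demuxer are assumptions taken from common browser behaviour and the FFmpeg slideshow wiki respectively.

```python
import struct

GIF_HEADER = b"GIF89a"


def _gce(delay_cs: int) -> bytes:
    """Graphic Control Extension: 0x21 0xF9, sub-block size 4, packed flags,
    delay in 1/100 s (little-endian), transparent index, block terminator."""
    return b"\x21\xF9\x04\x00" + struct.pack("<H", delay_cs) + b"\x00\x00"


def _image(width: int, height: int) -> bytes:
    """Image descriptor without a local colour table, LZW minimum code size 2,
    one filler data sub-block (not decodable pixels; enough for the walker)."""
    return (b"\x2C" + struct.pack("<HHHH", 0, 0, width, height) + b"\x00"
            + b"\x02" + b"\x02\x44\x01" + b"\x00")


def make_sample_gif(delays_cs) -> bytes:
    """Constructed 2x2 GIF89a with one frame per delay value."""
    lsd = struct.pack("<HH", 2, 2) + b"\x80\x00\x00"  # global colour table, 2 entries
    gct = b"\x00\x00\x00\xFF\xFF\xFF"
    frames = b"".join(_gce(d) + _image(2, 2) for d in delays_cs)
    return GIF_HEADER + lsd + gct + frames + b"\x3B"


def _skip_subblocks(data: bytes, pos: int) -> int:
    """Advance past a chain of length-prefixed sub-blocks ending in a 0x00 byte."""
    while True:
        n = data[pos]
        pos += 1
        if n == 0:
            return pos
        pos += n


def gif_frame_delays(data: bytes) -> list:
    """Return the delay (hundredths of a second) that precedes each image in a GIF.
    A frame without a Graphic Control Extension gets delay 0."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    packed = data[10]                      # logical screen descriptor flags
    pos = 13
    if packed & 0x80:                      # global colour table present
        pos += 3 * (2 << (packed & 0x07))
    delays, pending = [], 0
    while pos < len(data):
        block = data[pos]
        pos += 1
        if block == 0x3B:                  # trailer
            break
        if block == 0x21:                  # extension
            label = data[pos]
            pos += 1
            if label == 0xF9:              # GCE: size byte, flags, then delay
                pending = struct.unpack_from("<H", data, pos + 2)[0]
            pos = _skip_subblocks(data, pos)
        elif block == 0x2C:                # image descriptor
            img_packed = data[pos + 8]
            pos += 9
            if img_packed & 0x80:          # local colour table present
                pos += 3 * (2 << (img_packed & 0x07))
            pos += 1                       # LZW minimum code size
            pos = _skip_subblocks(data, pos)
            delays.append(pending)
            pending = 0
        else:
            raise ValueError(f"unexpected block 0x{block:02X} at offset {pos - 1}")
    return delays


def ffmpeg_concat_script(delays_cs, pattern="frame-%04d.png",
                         min_delay_cs=2, clamp_to_cs=10) -> str:
    """Build an ffmpeg concat-demuxer list with one 'duration' per extracted frame.
    Delays below 2/100 s are played as 10/100 s by common browsers, so they are
    clamped the same way here (assumption). The concat demuxer drops the final
    duration, hence the last frame is listed a second time."""
    lines = ["ffconcat version 1.0"]
    for i, d in enumerate(delays_cs):
        if d < min_delay_cs:
            d = clamp_to_cs
        lines.append(f"file '{pattern % i}'")
        lines.append(f"duration {d / 100:.3f}")
    if delays_cs:
        lines.append(f"file '{pattern % (len(delays_cs) - 1)}'")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    sample = make_sample_gif([10, 50, 0])
    print(gif_frame_delays(sample))
    print(ffmpeg_concat_script(gif_frame_delays(sample)))
```

With real input, the frames would come from ImageMagick (convert -coalesce in.gif frame-%04d.png, where -coalesce matters because GIF frames may be partial updates) and the list would be fed to ffmpeg with -f concat -i list.txt -vsync vfr -pix_fmt yuv420p out.mp4; the parser above reads the delays straight from the GIF so the durations in that list match what a browser would have shown.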

old Acer Launch Manager on Windows 10

Alexander Bochmann Friday 22 of September, 2017
I'm still using the same Acer Aspire 3820G laptop that I bought over six years ago, though I've switched to Windows 10 during the "free upgrade" time. Mostly everything works, despite missing vendor drivers. The function keys (sleep, sound volume, etc.) have basic support, but I recently noticed that the wireless switch only toggles through a handful of states, none of which have both Wifi and Cellular modem enabled.

For Windows 7, Acer provided Dritek Launch Manager to enable or disable wireless functions (Wifi, Bluetooth, Cellular), but version 4.0.5 doesn't install successfully on Windows 10 - and newer releases don't support the 3820G hardware.

After some experimentation it turns out that just starting the Launch Manager Setup.exe in compatibility mode for Windows 7 (right-click, select "Troubleshoot compatibility") surprisingly does the trick - installer completes, and after a reboot the wireless function key actually starts Launch Manager instead of driving the Win10 builtin toggle.

(screenshot: Acer Launch Manager running on Windows 10)
...so now I can use the Cellular modem and provide a Wifi hotspot at the same time.

more downtimes

Alexander Bochmann Sunday 20 of August, 2017
Ever since upgrading to OpenBSD 6.1 (and newer ports of everything), the web server seems to run out of file descriptors after some time, even though I have moved some of the older PHP applications over to a web hosting service.

Couldn't find out what that is caused by, up to now.

site's been down for over a week...

Alexander Bochmann Saturday 15 of July, 2017
...and I didn't even notice since I spent most of my online time on my Mastodon instance.

Somehow I managed to lose the p5-Time-TimeDate package on the OpenBSD web server, which in turn made vlogger fail to start up, and that resulted in all kinds of followup problems for the web service.

Unfortunately I have no memory of removing the package, so I'm not quite sure what happened there (but the date matches a day where I started moving some web sites off this server, so maybe I did some misguided cleanup)...

tedu: OpenBSD pledge doesn't work well on preexisting code

Alexander Bochmann Monday 22 of May, 2017
...he has staged a little exercise with ffmpeg to illustrate that, quite a fun read.

Also, I learned a new thing:

tedu wrote:
To find out more, we turn to ktrace’s little cousin, ltrace. It works almost exactly like ktrace (the output is even viewed with kdump), but it traces ld.so, the dynamic linker, instead of system calls.


Didn't know about ltrace up to now.

currently playing with Mastodon

Alexander Bochmann Sunday 21 of May, 2017
Mastodon is a federated microblogging platform that uses the OStatus protocol (amongst others), which allows it to talk to GNU Social / PostActiv / Friendica instances.

It's relatively easy to run your own instance, so I quickly set up one of them.

For the time being, I'm over there as @galaxis@mastodon.infra.de

Not yet sure if I'll move posting from this blog over there - probably I'll want to push posts from here into my Mastodon timeline instead. Since I'm running my own instance, it's the first service I'm relatively comfortable to use via an app on my phone, so it's possible that I use the Mastodon account some more in the near future.

grsecurity discussion on the kernel-hardening list

Alexander Bochmann Thursday 11 of May, 2017
Long post by the "PaX Team" (cache) on the kernel-hardening mailing list.

I'm generally sympathetic towards PaX and grsecurity developers, who have been developing innovative mitigations against several classes of attacks on the Linux kernel and applications over a long time - and I've personally been using their work on my own machines for ages. But really, communication is not their thing. Ok, they're in excellent company in the open source world with that, but it really harms their cause.

PaX Team wrote:
Upstream's goal is protecting as many people as possible.

the KSPP's goal is to further the agenda of the companies behind
it (which is extracting profits for shareholders). that has nothing
to do with "protecting as many people as possible" but everything
to do with business goals du jour. if what you claim was true,
they would have done it since the beginning and in a way that is
not restricted to only linux users.


(KSPP = Kernel Self Protection Project, sponsored by Google and the Linux Foundation, which tries to upstream select parts of the grsecurity patches into mainline Linux.)

slow weeks

Alexander Bochmann Wednesday 10 of May, 2017
Been on holidays, fought various IT and real-life problems, and set up a Mastodon instance.

Not sure if a microblogging service like Mastodon is what I'm actually looking for (I've never really warmed up to Twitter either), but it seems at least worth looking at. Or maybe I should have another go at running my own Diaspora pod (though I didn't use the last one I set up a whole lot).

I've not yet found a whole lot of interesting people, and the TrendingBot isn't much of a help, seeing as the most stable trending thing is #nsfw - I guess the porn sharing crowd is one of the early adopters again, unfortunately.

Cisco Nexus dropping commands due to old Linux kernel bug

Alexander Bochmann Tuesday 09 of May, 2017
Ivan Pepelnjak got feedback about his earlier post where he complains that Nexus OS is dropping lines from commands that are pasted into a terminal session with the system.

The drops were caused by a very old bug in the Linux TTY device driver, introduced in 2009, discovered in Ubuntu ~4 years ago and present in all Linux distributions with kernels between 2.6.31 and 3.11.0.

fallout of Chrome removing support for commonName matching in certificates

Alexander Bochmann Tuesday 09 of May, 2017
Some time ago, Google announced that they would only look at the subjectAltName in certificates from Chrome 58 on.

The compatibility risk for removing commonName is low. RFC 2818 has deprecated this for nearly two decades, and the baseline requirements (which all publicly trusted certificate authorities must abide by) have required the presence of a subjectAltName since 2012.


Yeah. Turns out that no one in our company had known about that, and almost all of the SSL server certificates signed by our internal CAs don't carry a subjectAltName. Which wouldn't be that bad if it meant just one more click to bypass the error message... But no, even when acknowledging the certificate problem dialog, Chromium refuses to load most of the resources from an affected server (JavaScript, CSS files, images, and such)...
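An added example for auditing an internal CA's output against the Chrome 58 rule above (this is my own illustration, not code from Google, Chromium or the post): a small DER walker that pulls the commonName and the dNSName entries of the subjectAltName extension out of a certificate without any third-party library, plus the check Chrome 58 effectively applies (only SAN entries count, the CN is ignored). The OIDs and tag numbers are the standard X.509 ones (2.5.4.3 commonName, 2.5.29.17 subjectAltName, context tag [2] for dNSName). The walker is written to work on a real DER file (openssl x509 -in cert.pem -outform DER -out cert.der), but the certificate used here is a constructed stand-in that only contains the Name and extension structures the walker looks at; wildcard matching is deliberately not implemented.

```python
SAN_OID = bytes.fromhex("551d11")  # 2.5.29.17  id-ce-subjectAltName
CN_OID = bytes.fromhex("550403")   # 2.5.4.3    id-at-commonName


def _der_len(data: bytes, pos: int):
    """Decode a DER length starting at pos; return (length, offset of the value)."""
    first = data[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(data[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def der_children(data: bytes):
    """Yield (tag, value) for each TLV element directly inside `data`."""
    pos = 0
    while pos < len(data):
        tag = data[pos]
        length, pos = _der_len(data, pos + 1)
        yield tag, data[pos:pos + length]
        pos += length


def _values_after_oid(der: bytes, oid: bytes, skip_critical_flag: bool):
    """Depth-first over every constructed element; whenever a SEQUENCE starts
    with `oid`, collect the element that follows it (for extensions, skipping
    the optional BOOLEAN 'critical' so the OCTET STRING value is returned)."""
    found = []

    def walk(buf):
        items = list(der_children(buf))
        if items and items[0] == (0x06, oid):
            rest = [v for t, v in items[1:] if not (skip_critical_flag and t == 0x01)]
            if rest:
                found.append(rest[0])
        for tag, value in items:
            if tag & 0x20:  # constructed type: descend
                walk(value)

    walk(der)
    return found


def cert_names(der: bytes):
    """Return (commonNames, dNSName SANs) found in a DER certificate.
    On a full certificate, commonNames includes the issuer's CN as well."""
    cns = [v.decode("utf-8", "replace") for v in _values_after_oid(der, CN_OID, False)]
    sans = []
    for ext_value in _values_after_oid(der, SAN_OID, True):  # OCTET STRING contents
        for _tag, general_names in der_children(ext_value):  # GeneralNames SEQUENCE
            for tag, value in der_children(general_names):
                if tag == 0x82:                               # [2] dNSName
                    sans.append(value.decode("ascii", "replace"))
    return cns, sans


def matches_chrome58(der: bytes, hostname: str) -> bool:
    """The Chrome 58 rule from the post: only subjectAltName entries count."""
    _cns, sans = cert_names(der)
    return hostname.lower() in (s.lower() for s in sans)


def _tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER element (short or two-byte long length form)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    return bytes([tag, 0x82]) + len(body).to_bytes(2, "big") + body


def build_sample_cert(cn: str, san_names) -> bytes:
    """Constructed DER stand-in: a SEQUENCE holding a subject Name with one CN
    and, when san_names is non-empty, a [3] extensions block with a SAN
    extension. Not a real certificate; shaped like the parts the walker reads."""
    name = _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, CN_OID) + _tlv(0x0C, cn.encode()))))
    body = name
    if san_names:
        general_names = _tlv(0x30, b"".join(_tlv(0x82, n.encode()) for n in san_names))
        san_ext = _tlv(0x30, _tlv(0x06, SAN_OID) + _tlv(0x04, general_names))
        body += _tlv(0xA3, _tlv(0x30, san_ext))
    return _tlv(0x30, body)


if __name__ == "__main__":
    for cert in (build_sample_cert("intranet.example", ["intranet.example"]),
                 build_sample_cert("intranet.example", [])):
        cns, sans = cert_names(cert)
        print("CN:", cns, "SAN:", sans, "Chrome 58 ok:", matches_chrome58(cert, "intranet.example"))
```

The second sample in the usage block is exactly the shape of certificate the post complains about: a CN that matches the host and no subjectAltName at all, which matches_chrome58() rejects. Running cert_names() over an internal CA's issued-certificate directory lists which ones need reissuing before the browser upgrade lands.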