Archive for the 'english' Category

Links 2016-02-29

Security & Crypto edition

  • On the Juniper backdoor, Matthew Green
    And while every reasonable person knows you can’t just drop “passive decryption vulnerability” and expect the world to go on with its business, this is exactly what Juniper tried to do. Since they weren’t talking about it, it fell to software experts to try to work out what was happening by looking carefully at firmware released by the company.
  • Why I don’t care that Dell installs Rogue Certificates On Laptops, Tom Limoncelli
    Every new machine should be wiped and reloaded with your organization’s “standard build”. Having a “standard build” is one of the foundational pieces of infrastructure that your organization is responsible for. It is so fundamental that not having this kind of infrastructure is negligent.
  • The Moral Character of Cryptographic Work, Phillip Rogaway
    As computer scientists and cryptographers, we are twice culpable when it comes to mass surveillance: computer science created the technologies that underlie our communications infrastructure, and that are now turning it into an apparatus for surveillance and control; while cryptography contains within it the underused potential to redirect this tragic turn.
  • The IPv6 Numeric IP Format is a Serious Usability Problem, Adam Ierymenko
    While the IPv6 protocol itself is fine, its original designers made some truly bizarre decisions around how to represent numeric addresses.
  • How to C (as of 2016), Matt Stancliff
    The first rule of C is don’t write C if you can avoid it. If you must write in C, you should follow modern rules.
  • Mozilla SSL Configuration Generator
    The goal of this document is to help operational teams with the configuration of TLS on servers.

Links 2016-01-19

A few good articles on cloud development and operations.

  • Sort out deployment first, Lars Wirzenius
    It is tempting to start a new project with the interesting bits, but it’s often a mistake. One of the first steps in a new project should be to sort out deployment: getting the software installed and configured so it can be used.
  • 5 AWS mistakes you should avoid, Michael Wittig
    Useful to evaluate your own AWS web application.
  • 12 Fractured Apps, Kelsey Hightower
    Once Docker hit the scene the benefits of the 12 Factor App (12FA) really started to shine. […] Unfortunately legacy applications, including the soon-to-be-legacy application you are working on right now, have many shortcomings, especially around the startup process.
  • Moving a team from Scala to Golang, Jim Plush
    You can jump into any Go project and know immediately what it’s doing. Do I miss immutable types and some of the great features of Scala? Sure do, but I think the maintainability side of the story is too great to overlook with Go.
  • Ansible 2.0 Has Arrived
    After a year of work, we are extremely proud to announce that Ansible 2.0 (“Over the Hills and Far Away”) has been released and is now generally available. This looks like a big step forward: Ansible finally gets usable parsing and error reporting, and with the new execution strategies you no longer have to update all hosts in lockstep.
  • What’s in a Name?, Geoff Huston (ISP Column Dec 2015)
    What’s the difference between .local and .here? Or between .onion and .apple?

New Year’s Crypto Cleanup

Just did some housekeeping of my server I want to document.

Most importantly I got myself a Let’s Encrypt TLS certificate for this blog (and my mailserver), so you no longer have to deal with my self-signed cert to use HTTPS. There has been some discussion about their official client tool, but for a first release it does not seem to be too bad; at least it is written in Python and not in Java or Scala etc. The ACME protocol itself looks sensible and I look forward to more lightweight implementations in the future.

Having a public CA also gave me the opportunity to add an HTTP Strict Transport Security header. Now the next step would be HTTP Public Key Pinning, but that is still out of range for a non-professional website, because Let’s Encrypt may still change their intermediate CA certificate and I also do not have a backup CA that I could use in case of a problem. (BTW, nice HPKP advice on the Let’s Encrypt community site.)
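The backup-pin problem mentioned above is exactly what RFC 7469 requires a pinning host to solve: a Public-Key-Pins header must carry at least one pin that is not in the currently served chain. The following check is an added example, not code from this blog; the SPKI byte strings are constructed placeholders standing in for the DER-encoded SubjectPublicKeyInfo of real certificates.

```python
# Added example: sanity-check an HPKP header against the served chain.
# Pins are computed as in RFC 7469: base64(SHA-256(DER SubjectPublicKeyInfo)).
import base64
import hashlib
import re


def pin_sha256(spki_der: bytes) -> str:
    """RFC 7469 pin-sha256 value for one DER-encoded SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_hpkp(header: str) -> dict:
    """Extract the pin-sha256 values and max-age from a Public-Key-Pins value."""
    pins = re.findall(r'pin-sha256="([A-Za-z0-9+/=]+)"', header)
    m = re.search(r"max-age=(\d+)", header)
    return {"pins": pins, "max_age": int(m.group(1)) if m else None}


def hpkp_problems(header: str, served_chain_spki: list) -> list:
    """List reasons a browser would ignore the header or the site would be
    at risk: too few pins, no max-age, no pin matching the served chain, or
    no backup pin outside the served chain (the RFC 7469 backup requirement)."""
    policy = parse_hpkp(header)
    served = {pin_sha256(spki) for spki in served_chain_spki}
    pinned = set(policy["pins"])
    problems = []
    if len(policy["pins"]) < 2:
        problems.append("fewer than two pin-sha256 values")
    if policy["max_age"] is None:
        problems.append("missing max-age directive")
    if not served & pinned:
        problems.append("no pin matches the served certificate chain")
    if not pinned - served:
        problems.append("no backup pin: every pin is in the served chain, "
                        "so a key or intermediate change locks visitors out")
    return problems


# Constructed placeholders, not real SPKI blobs.
LEAF_SPKI = b"constructed-leaf-spki"
INTERMEDIATE_SPKI = b"constructed-intermediate-spki"
BACKUP_SPKI = b"constructed-offline-backup-key-spki"

# Pinning only what is served today (the situation described in the post).
NO_BACKUP_HEADER = 'pin-sha256="%s"; pin-sha256="%s"; max-age=5184000' % (
    pin_sha256(LEAF_SPKI), pin_sha256(INTERMEDIATE_SPKI))
# Same, but with an offline backup key pinned alongside the leaf.
WITH_BACKUP_HEADER = 'pin-sha256="%s"; pin-sha256="%s"; max-age=5184000' % (
    pin_sha256(LEAF_SPKI), pin_sha256(BACKUP_SPKI))
```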

Somewhat related, I also expired my old 1024-bit PGP key from  as well as the PGP key of my former work address at DECK36. (BTW, here is a nice description of how to edit gpg key expiration dates by George Notaras.) In order to reach me securely please use my current PGP key (0x4dc5e2280a327754, also on my Contact page).

Links 2015-12-06

Interesting Programming Languages

One personal goal this winter is to do more programming in beautiful languages.

At this moment I am quite excited about Python 3, Perl 6, and Go.

Observations while Travelling

Train Rides

The day before: “Oh great, several hours on my own. I will pack books and I am gonna get so much reading and writing done.”
On the train: “Argh, I am tired, and it is too loud, I cannot concentrate on anything.”
The day after: “Where did all that time go? What did I do?”

Hotel Wi-Fi

The day before: “There will probably be some kind of Wi-Fi available. It is 2014 and it has to be better now than it was the last time.”
On site, after a painful experience including ridiculous prices and/or asking for silly access codes, counting it a success if there is decent signal strength (even without reasonable bandwidth) in the lobby: “Thank god for my smartphone data plan.”

Conferences

9am: “I wonder why they keep so many snacks and cake around. I just had breakfast and I am fine till lunch.”
After 2-3h of talks or a workshop: “Hunger! I want sugar… and caffeine… and then some more sugar!”

Chemnitzer Linux-Tage 2014

After I could not make it last year, I was glad to come back to Chemnitz for this year’s Linux-Tage.

This time I did not have any talk and did not sign up for the BSD booth. So I had more time, attended more talks than usual and had the (possibly subjective) impression that talks were better than in previous years. The only (small) drawback of success: with ever more guests everything becomes more crowded.

One particularly interesting presentation was the one on structured logging by Jens Kühnel. — That is more or less the long overdue follow-up for my very old talk on Syslog (pdf).

Time for a new PGP Key

I have been quite lazy with my PGP key. At some point I even removed its expiration date, because I was too busy to generate a new one. But lazy or not… a key of 1024 bits has to be considered legacy now; furthermore, it is time to remove my different university addresses.

So this year’s resolution is to switch to a new key — which is now online on my contact page and on a public keyserver. (The old one is also online and still usable for some time.)