Meetings Are Mutexes

From Vivek Haldar, an absolutely wonderful characterization of meetings.


What to Do About the Worst Law

Over at the New Yorker, Tim Wu writes about Fixing the Worst Law in Technology. That law is, of course, the Computer Fraud and Abuse Act. CFAA was the vehicle that federal prosecutors used to threaten Aaron Swartz with decades in prison and millions of dollars in fines for what, at the end of the day, was violating JSTOR’s terms of service. Those threats are widely believed to have precipitated Swartz’s suicide but, far from being chastened, prosecutors are busy charging others with similar trivial violations carrying equally severe penalties.

None of this is news to the informed geek and certainly the Irreal readership is aware of the issues. What’s significant about the New Yorker article is that it’s in the New Yorker. The magazine is hardly a hotbed of technology news and not a place where one would expect to find a large contingent of geeks hanging out. It is, in short, as mainstream as a magazine can be. Thus, it’s significant that they are covering this issue and bringing it to the attention of people who might never have heard of it otherwise.

The article is sympathetic to the movement to get the CFAA changed and unlike many publications—mainstream and technical—gets the facts of the Swartz case correct. Still, Wu is pessimistic about Congress making any meaningful changes, Zoe Lofgren’s bill notwithstanding. He believes that the best hope for change is that President Obama will reform it administratively. Not that encouraging but at least the word is getting out beyond the technical community.

The article is well written and worth a read if only because it won’t tell you that Swartz “hacked” into some site and stole a bunch of papers. Go on over and take a look.


Emacs Rocks! 14

At last! Magnar Sveen has just posted Episode 14 of Emacs Rocks!. This time it’s about paredit, an extremely useful but often confusing minor mode for dealing with S-expressions. Like Sveen, I also had a hard time getting used to paredit but once you figure it out you won’t want to live without it.

Sveen makes a helpful observation: paredit is not about adding and deleting text; it’s about manipulating the tree that constitutes a Lisp program. It tries to maintain a valid tree at all times. I found that the key to making things work—as detailed in the above linked post from my old blog—is understanding slurpage and barfage.

Sveen covers that as well as several other really useful tricks. As usual, the video is short (3 minutes 39 seconds) but packed incredibly densely with information. Get over there and watch it.


An Emacs Crash Course

Andrey Kotlarski has posted a very nice Emacs Guide on github. He says he wrote it for his coworkers after he got tired of being asked to give introductions to Emacs. It’s the perfect guide for someone who wants to get a feeling for Emacs, its capabilities, and how it works.

The guide is divided into 8 sections:

  1. Introduction
  2. Practical essentials
  3. General tips and tricks
  4. Programming tips and tricks
  5. Documentation
  6. Random
  7. Emacs for black belts
  8. Where to go next?

Even if you’re an experienced Emacs user, the guide is worth a read; you may learn something you didn’t know. For example, you can get information on “interesting” files in a directory under version control with 【Ctrl+x v d】 directory-name. The guide also points out some useful packages such as undo-tree and wgrep.

Additionally, the guide covers Org mode. It is, itself, written in Org mode and exported to HTML. The finished product is a nice illustration of how good an exported Org document can look. You can see how it was formatted by looking at its Org mode source. Definitely worth a read and handy to have around for those times when you have an opportunity to evangelize.


Hashing Passwords: An Object Lesson

Irreal regulars know that I periodically go off on a rant about the proper hashing of passwords and the dire consequences of failing to do it correctly. Not even I, however, could have imagined that Cisco would get it wrong. And not just a little wrong but massively and totally wrong.

In fairness, I should say up front that Cisco has acknowledged the problem and issued a bulletin on how to detect if a given piece of equipment is affected and how to deal with the problem if so. Also, Cisco is saying that the problem is an implementation, not a design issue.

With the Cisco IOS 15 codebase, a new type of password—Password Type 4—was introduced. Apparently, the design called for this to be a SHA256-based PBKDF2 hash with an 80-bit salt and 1000 iterations. The idea was to replace the weaker Password Type 5, which is an MD5-based hash that was salted and repeated 1000 times. That makes sense but unfortunately the implementation merely hashed the unsalted password with SHA256 one time. The result is a password that is easily broken as demonstrated by Philipp Schmidt and Jens Steube.

It’s hard to understand how this sort of thing could get by QA. Any time you change a cryptographic primitive it is, or should be, a big deal that requires careful scrutiny and testing. If, indeed, the design called for PBKDF2 hashing, it’s hard to see why the developer would use a single pass of SHA256 instead and how that error could get by any serious code review. If the design didn’t call for PBKDF2, it’s equally hard to understand why any developer with even a modicum of security awareness would not raise an alarm. This is not new stuff. The ideas have been around for a long time. Even the original Unix DES-based password hash from the 70s used multiple iterations and a salt.

The lesson is clear. Unless you, too, want to be the object of near universal derision (and probably fired) use one of the accepted methods for safely storing passwords. Don’t just encrypt them, don’t just run them through a single pass of some hash, and for goodness sake don’t store them in plain text.
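The gap between the design and what shipped, as an added example (not Cisco's code and not from the original post): a single unsalted SHA-256 pass beside salted PBKDF2-HMAC-SHA256 using the 80-bit salt and 1000 iterations quoted above. The record format, function names and sample accounts are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SALT_BYTES = 10    # 80-bit salt, the figure quoted in the post
ITERATIONS = 1000  # iteration count quoted in the post; pick per current guidance

def weak_hash(password):
    """What the post says shipped: one unsalted SHA-256 pass."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def pbkdf2_record(password, salt=None):
    """What the design called for: salted, iterated PBKDF2-HMAC-SHA256.
    Returns 'iterations$salt_hex$hash_hex' (illustrative format)."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${dk.hex()}"

def pbkdf2_verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    iterations, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))

def shared_hashes(stored):
    """Audit helper: group accounts whose stored value is identical.
    Any group here means equal passwords are visible in the store,
    which is what happens when no per-account salt is used."""
    groups = {}
    for user, value in stored.items():
        groups.setdefault(value, []).append(user)
    return sorted(sorted(users) for users in groups.values() if len(users) > 1)

# Constructed sample accounts; alice and bob share a password.
ACCOUNTS = {"alice": "Winter2013", "bob": "Winter2013", "carol": "tr0ub4dor"}

def audit_both():
    weak = {u: weak_hash(p) for u, p in ACCOUNTS.items()}
    strong = {u: pbkdf2_record(p) for u, p in ACCOUNTS.items()}
    return shared_hashes(weak), shared_hashes(strong)

if __name__ == "__main__":
    weak_groups, strong_groups = audit_both()
    print("unsalted SHA-256, accounts sharing a stored value:", weak_groups)
    print("salted PBKDF2, accounts sharing a stored value:", strong_groups)
```

With the unsalted scheme, one precomputed table of hashes applies to every account on every device; the per-account salt and iteration count are what remove that shortcut.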


A Talk on Lisp Machines

Over at LoperOS they’ve put up a video of a talk that Kalman Reti gave last year at the Boston Lisp Meeting. The talk is about the Symbolics Lisp Machines and includes a demo of the original software running in an emulator on a modern laptop. Reti was a developer at Symbolics and is very familiar with the machines and their history.

As the talk makes clear, it’s incredible how advanced those machines were for their time. In the 1980s they had several features that we consider standard today but that existed virtually nowhere else at the time. The systems came with bitmapped displays, a three button mouse, compilers for several languages, a windowing system, and an advanced file system.

I found the history very interesting but the real treat was the demonstrations. If you forget about the monochromatic display and old style window decorations you might think you were watching a modern demonstration of some advanced Emacs debugging session. If, after watching the video, you’d like to try the emulator yourself, there’s some information about it on the CLiki, including information on how to get the software and set up the emulator.

The talk is about an hour and a quarter so you’ll need to block out some time but I found it well worth the investment.


Analysis of the Gauss Malware

Over at Ars Technica Dan Goodin has a nice article analyzing the Gauss malware. Gauss appears to be related to Stuxnet and internal code signatures suggest that its provenance is the same[1]. Although Gauss was discovered last year, very little is known about its purpose or capabilities.

That’s because its payload—or more accurately, its warhead—is encrypted. Gauss appears to be looking for computers used for a specific application. It concatenates PATH and program directory names, adds a salt and hashes the results. If the resulting (key stretched) hash matches a compiled-in constant, Gauss has found the program it’s looking for. Then it hashes the same PATH and program name with a new salt and uses the result as a key to decrypt the payload. Despite significant and sustained effort, researchers have not been able to find the key and thus have no idea what the payload is intended to do.

Goodin’s article is interesting and informative. If you have an interest in security, or just want to see how someone might go about protecting a piece of software from prying eyes, you’ll enjoy it.

Footnotes:

[1] Said to be the United States and Israel.


Tilting At Windmills

If you enjoy charging windmills and otherwise taking on semi-hopeless causes, you might consider signing the petition to save Google Reader. So far there have been over 100,000 signers. In all honesty, it probably won’t do much good but at least your voice will be heard and perhaps Google will come to understand, if only vaguely, what happens when they lose the trust of the so called “influencers” on the Internet.


Secure Communications Apps

Over at A Few Thoughts on Cryptographic Engineering, Matthew Green has a useful review of some secure communications apps. He looks at

  • Cryptocat
  • Silent Circle
  • RedPhone
  • Wickr

from the standpoint of code quality, encryption protocols, and ease of use.

Interestingly, Green examines the apps from the point of view of “should I use this application to fight an oppressive regime?” It’s not a frivolous question. Citizens fighting and journalists covering those oppressive regimes need to communicate and if their communications are not secure, their lives and the lives of others could be at risk. It also explains his emphasis on ease of use. Most revolutionists and journalists are not technically sophisticated and are especially prone to using crypto applications in a non-secure way.

If you’re looking for a way to keep your communications private—even if you’re not trying to overthrow a government—you should take a look at Green’s post. In addition to providing a review of some of the leading applications in the field, it shows you what sort of things to look for and what sort of questions to ask.

If you like his post, you might also enjoy this video of Green delivering a talk on the current state of cryptography. If you depend on cryptography in your day-to-day activities you will doubtless find it enlightening (and disturbing).


Git-Gutter

If you liked the functionality I described in vc-annotate, you might also like Syohei Yoshida’s git-gutter. It’s a port to Emacs of the Sublime Text plugin of the same name. The idea is that it marks changes to your files in the fringe so that you can see at a glance how the file is evolving. As the name suggests, it works only with git.

There are a lot of options that determine how the changes are marked so if you want fancy symbols instead of the traditional + or -, you can have them. Of course, you don’t get as much information as vc-annotate gives you but you can see what parts of the file have changed (and how) anytime you have git-gutter toggled on. In that sense, it seems like a nice adjunct to vc-annotate. There are screen shots at the link so you can get a sense of what it looks like in action.
