Disqus - Friends of royce

Re: Looking back at 100 blog posts

cperciva — Sat, 07 Nov 2009 08:51:03 -0000

I was counting the "(X subscribers)" UA strings when I added up my RSS feed subscribers.

Re: FreeBSD Update to 8.0-BETA1

cperciva — Mon, 19 Oct 2009 17:45:37 -0000

Yes.

Re: Looking back at 100 blog posts

cperciva — Sat, 17 Oct 2009 03:37:04 -0000

Nate,

I wasn't just thinking about you when I made that remark -- compared to some other people I've encountered, you're quite moderate in the world of crypto-is-scary-don't-go-anywhere-near-it.

In the end it comes down to weighing dangers. Yes, there is a possibility that my 'cryptographic right answers' post will give someone an unwarranted sense of confidence -- but there's also a possibility that it will lead someone to realize that they shouldn't be using blowfish for encryption; that they shouldn't use MD5 as a key derivation function; that they shouldn't use SHA256(key || data) as an MAC function; et cetera. You can't teach someone to paint by showing them examples of bad painting -- at some point it's necessary to give people good examples, too.

Thanks for stopping by.

Re: They're so cute!

cperciva — Sat, 17 Oct 2009 02:19:58 -0000

... ok, so disqus converts HTML entities into literals too? Wow that's broken.

There's a [less than sign] "blockquote" [greater than sign] in the above two comments.

Re: They're so cute!

cperciva — Sat, 17 Oct 2009 02:18:24 -0000

Err, and disqus apparently allows some HTML tags through and others not. There's a

in that comment.

Re: Looking back at 100 blog posts

cperciva — Thu, 15 Oct 2009 16:33:20 -0000

Tarsnap moved into public beta in November 2008: http://www.daemonology.net/blog/2008-11-10-tars...

Details about tarsnap are available on the tarsnap website -- if you want to know more, feel free to send me an email.

Re: Securing an HTTPS server

cperciva — Tue, 29 Sep 2009 10:09:13 -0000

Quite true. In my case I don't use source IP addresses for authentication purposes -- it's far too easy for that to break -- but it's certainly something people should be aware of.

Re: Securing an HTTPS server

cperciva — Mon, 28 Sep 2009 19:08:38 -0000

Having outbound email from web servers is good -- otherwise you can't get email from your cron jobs.

Re: Securing an HTTPS server

cperciva — Mon, 28 Sep 2009 19:07:57 -0000

192.168.0.44 is a non-routable IP address which I created on a virtual interface. The nameserver is authoritative; I haven't set up AXFR.

Re: Securing an HTTPS server

cperciva — Mon, 28 Sep 2009 09:53:45 -0000

That too. :-)

Re: Securing an HTTPS server

cperciva — Mon, 28 Sep 2009 08:20:32 -0000

There are patches for stunnel to make it insert X-Forwarded-For headers; but to do that stunnel needs to do some basic parsing of HTTP connections, which adds significant complexity -- so I'd prefer to avoid that route. You're quite right that this is an option, though.

Re: Apache memory usage bogosity

cperciva — Mon, 21 Sep 2009 05:03:45 -0000

I used /proc/X/map to look at the memory maps, and then /proc/X/mem to look at what it was being used for.

Re: Cryptographic Right Answers

cperciva — Thu, 10 Sep 2009 12:11:26 -0000

The advice about avoiding static keys is because CTR mode requires that messages encrypted with the same key must have different nonces. In most applications you can simply use nonces of 0, 1, 2, ... and keep track of the largest counter value you've used; problems only arise if (e.g., in hardware systems) you have ROM and RAM but no writable storage which persists across power outages.

Re: Complexity is insecurity

cperciva — Wed, 09 Sep 2009 18:07:30 -0000

By 'cryptologically "useless" MAC' I mean that the data in question was already being verified post-decompression, so theoretically any corruption would be found that way, but I added a MAC on the compressed data. Look for CRYPTO_KEY_HMAC_FILE in the tarsnap client source code.

The evidence I have for bugs being in rarely-executed code paths is purely anecdotal -- but it's a consistent theme I've seen in my time as FreeBSD Security Officer, both in terms of vulnerabilities in FreeBSD and vulnerabilities in other software.

No, the tarsnap server code is not public.

Re: Complexity is insecurity

cperciva — Tue, 08 Sep 2009 13:08:02 -0000

The world definitely needs a better cryptographic library; but I'm not sure that cryptlib or libtomcrypt really fit the bill -- cryptlib is commercial, and libtomcrypt doesn't seem to be maintained any more.

For tarsnap I'll probably replace openssl by implementing the cryptographic primitives myself; tarsnap only uses a very small fraction of openssl, and I've implemented almost all of the relevant functions at some point in the past.

Re: Interesting tarsnap statistics

cperciva — Sun, 06 Sep 2009 11:26:55 -0000

I don't know -- I can see how much data people have stored, and I can see how much data is stored while creating each archive; but since tarsnap avoids storing duplicate data, I have no way of knowing how much previously stored data is reused in an archive.

Re: Tweet from Tumblr We’re testing Twitter... | Tumblr Staff

roblef — Thu, 03 Sep 2009 22:20:20 -0000

Yeah, ditto here. I posted at the end of the thread before I saw these posts here. I'd love to post to a secondary tumblr blog, as well. Maybe be able to define a twitter account per tumblr blog?

Re: Hello Alaska WordPress Users!

roblef — Tue, 01 Sep 2009 01:20:32 -0000

yeah, that's the link I used before. i got all of the config files modified, i thought, and added the sql commands to the wp tables and etc. still borked it. You're welcome to try. email roblef@gmail.com and I'll set you up an ftp account and get you db privs.

Re: Forums vs Disqus vs Other

roblef — Thu, 27 Aug 2009 20:34:03 -0000

Hahaha!

We've left it this way on purpose. We're all designers and developers, too.
:)

Re: Interesting tarsnap statistics

cperciva — Wed, 26 Aug 2009 22:48:28 -0000

Nope. The tarsnap client stores a series of blocks, but the encryption makes it impossible for me to know whether a block contains several files, one file, or part of a file.

Re: Forums vs Disqus vs Other

roblef — Wed, 26 Aug 2009 21:53:02 -0000

For me, the value is having local folks in the trenches who can get together
and talk about the stuff that's on other sites and forums. I don't find the
other sites and forums to meet all my needs, and a local group usually is
more fun. For me, that is. :)

Re: Hello Alaska WordPress Users!

roblef — Wed, 26 Aug 2009 21:52:19 -0000

I guess the only value I see is a way for us to connect locally, rather than
nationally. So, basically, the same value a local user group provides,
spread to the online world.

Re: FreeBSD major version upgrades

cperciva — Wed, 26 Aug 2009 04:46:09 -0000

I can't see any reason offhand why this process *wouldn't* work for migrating a system from i386 to amd64... but I'm not sure that I'd want to try it. Let me know if you try it and find that it works, though.

Re: Hello Alaska WordPress Users!

roblef — Mon, 24 Aug 2009 22:42:23 -0000

Cool. Glad you're here. I guess we need to see how folks would like to organize. Real life meetings? Online Discussions? Forums? Membership/Fees? Dunno.

Re: Interesting tarsnap statistics

cperciva — Sun, 23 Aug 2009 15:55:14 -0000

I'm not sure exactly what you mean here -- can you elaborate?