Traffic Server Summit (by ‘net)

I spent two days last week at the trafficserver summit.

Or rather, two evenings.  The summit was held in Silicon Valley (hosted by linkedin), while I remained at home in Blighty with a conferencing link, making me one of several remote attendees.  With an 8 hour time difference, each day started at 5pm and went on into the wee hours.  On the first day (Tuesday) this followed a day of regular work.  On the Wednesday I took a more sensible approach and the only work I did before the summit was a bit of gardening.  Despite that I felt more tired on the Wednesday.

The conferencing link was a decent enough instance of its kind, with regular video alongside screen sharing and text (though IRC does a better job with text).  The video was pointed at the speakers as they presented, and the screen sharing was used to share their presentations.  That was good enough to follow the presentations pretty well: indeed, sometimes better than being there, as I could read all the intricate slides and screens that would’ve been just a blur if I’d been present in the room.

Unfortunately most of the presentations involved discussion around the room, and that was much harder, sometimes impossible, to follow.  Also, speaking was not a good experience: I heard my voice some time after I’d spoken, and it sounded ghastly and indistinct, so I muted my microphone.  That was using just the builtin mike in the macbook.  I tried later with a proper headset when I had something to contribute, but alas it seems by then I (and I think all remote attendees, after the initial difficulties) was muted by the system.  So I had something approximating to read-only access.  And of course missed out on the social aspects of the event away from the presentations.

In terms of the mechanics of running an event like this, I think in retrospect we could make some modest improvements.  We had good two-way communication over IRC, and that might be better-harnessed.  Maybe rather than ad-hoc intervention, someone present (a session chair?) could act as designated proxy for remote attendees, and keep an eye on IRC for anyone looking to contribute to discussion.  Having such a person would probably have prompted me into action on a few occasions when I had a comment, question or suggestion.  Or perhaps better, IRC could be projected onto a second screen in the room, alongside the presenter’s materials.

The speakers and contents were well worth the limitations and antisocial hours of attending.  I found a high proportion of the material interesting, informative, and well-presented.  Alan, who probably knows more than anyone about Trafficserver internals, spoke at length on a range of topics.  The duo of Brian and Bryan (no, not a comedy act) talked about debugging and led discussion on test frameworks.

Other speakers addressed applications and APIs, and deployments, ops and tools.  A session I found unexpectedly interesting was Susan on the subject of how, in integrating sophisticated SSL capabilities in a module, she’s been working with Alan to extend the API to meet her needs.  It’s an approach from which I might just benefit, and I also need to take a look at whether Ironbee adequately captures all potentially-useful information available from SSL.

At the end I also made (via IRC) one suggestion for a session for the next summit: API review.  There’s a lot that’s implemented in Trafficserver core and utils that could usefully be made available to plugins via the API, even just by installing existing header files to a public includes directory.  Obviously that requires some control over what is intended to be public, and a stability deal over exported APIs.  I have some thoughts over how to deal with those, but I think that’s a subject for the wiki rather than a blog post.  One little plea for now: let’s not get hung up on what’s in C vs C++.  Accept that exported headers might be either, and let application developers deal with it.  If anyone then feels compelled to write a ‘clean’ wrapper, welcome their contribution!

To phish, or not to phish?

I recently had email telling me my password for $company VPN is due to expire, and directing me to a URL to update it.

Legitimate or phishing?  Let’s examine it.

It follows the exact form of similar legitimate emails I’ve had before.  Password expires in 14 days.  Daily updates decrementing the day count until I change it.  So far so good.

However, it’s directing me to an unfamiliar URL: https://$company.okta.com/.  Big red flag!  But $company outsources a range of admin functions in this manner, so it’s entirely plausible.

It appears to come from a legitimate source.  But since all $company email is outsourced to gmail, the information I can glean from the headers is limited.  How much trust can I place in gmail’s SPF telling me the sender is valid?

A look on $company’s intranet fails to find anything relevant (though in the absence of a search function I probably wouldn’t find it anyway without a truly gruelling trawl).  OK, let’s google for evidence of a legitimate connection between $company and okta.com.  I’ve resolved similar problems to my own satisfaction that way before both for $company and other such situations (e.g. here or here), but the hurdle for a $company-VPN password – even one I’m about to change – has to be high.

Googling finds me only inconclusive evidence.  There’s a linkedin page for $company’s sysop, only it turns out he’s moved on and the linkedin page is just listing both $company and okta skills in his CV.  There’s a PDF at $company’s website with instructions for setting up some okta product (though it’s one of those that insults you with big cuddly pictures of selecting a series of menu options without actually saying anything non-obvious).

Hmmm …

OK, maybe I can get okta.com to prove itself, with the kind of security question your bank asks when you ‘phone it.  Let’s use okta’s “Password Reset”.  I expect it’ll send a one-off token I can use to set a new password.  If legit, that’ll work; if not then the newly-minted password is worthless and I just abandon it.  But no such thing: instead of sending me such a token, it tells (emails) me:

Your Okta account is configured to use the same password you currently use for logging in to your organization’s Windows network. Use your Windows account password to sign in to Okta. Please use the password reset function in Windows to reset your password.

Well, b***er that.  Windows account password?  Windows network?  I have no such thing, and neither does $company expect me to.  I expect $company may have a few windows boxes, but they’re certainly not the norm.  No doubt it just means the LDAP password I’m supposed to be changing, but if I know that then why should I be asking it for password reset?  Bah, Humbug!

One more thing to try before a humiliating request for help over something I should be able to deal with myself.  Somewhere in my gmail I can dig up previous password reset reminders, with a URL somewhere on $company’s own intranet.  Try that URL.  Yes, it still works, and I can reset my VPN password there.  All that investigation for … what?

Well, there’s a value to it.  Namely the acid test: does the daily password reminder stop after I’ve reset the password?  If it’s genuine then it shares information with $intranet and knows I’ve reset my password.  If it’s a phish then it knows nothing.  So now I’m getting some real evidence: if the password reminders stop then it’s genuine.

They do stop.  So I conclude it is indeed genuine.

Unless it’s so ultra-sophisticated that it’s been warned off by my having visited the site and used password reset, albeit unsuccessfully.  Waiting to try again in a few months?  Hmmm ….

Well, if $company hasn’t outsourced it then the intranet-based password reset will continue to work next time.  If it doesn’t work next time then there’s one more piece of evidence it’s genuine.
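The header question raised in the post above (how far Gmail’s SPF verdict can be trusted) comes down to what SPF actually vouches for: the envelope sender, smtp.mailfrom, not the From: address the reader sees. The following is an added example, not code from the post: it parses an Authentication-Results header of the shape Gmail stamps on incoming mail and then checks whether the SPF and DKIM verdicts are for the same domain as the visible From:, which is the alignment test DMARC applies. The two sample headers are constructed, and the tenant domain reuses the post’s own $company placeholder.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Added example, not the blog's code.  Parses an Authentication-Results header
# (RFC 8601) of the kind Gmail adds, then asks the question the post raises:
# an SPF "pass" only vouches for the envelope sender (smtp.mailfrom), so the
# domain it passed for must also be the domain shown in From: before it says
# anything about who the mail appears to be from.

COMMENT_RE = re.compile(r"\([^()]*\)")   # CFWS comments such as "(google.com: ...)"


@dataclass
class AuthResults:
    authserv_id: str                       # host that produced the verdicts
    methods: Dict[str, Dict[str, str]]     # e.g. {"spf": {"result": "pass", "smtp.mailfrom": ...}}


def parse_authentication_results(header: str) -> AuthResults:
    """Parse a (possibly folded) Authentication-Results header line."""
    text = " ".join(header.split())                      # unfold continuation lines
    text = re.sub(r"(?i)^authentication-results:\s*", "", text)
    text = COMMENT_RE.sub("", text)                      # comments carry no results
    fields = [f.strip() for f in text.split(";") if f.strip()]
    methods: Dict[str, Dict[str, str]] = {}
    for field in fields[1:]:                             # fields[0] is the authserv-id
        tokens = field.split()
        method, _, result = tokens[0].partition("=")
        entry = {"result": result.lower()}
        for tok in tokens[1:]:                           # ptype.property=value pairs
            key, _, value = tok.partition("=")
            entry[key.lower()] = value
        methods[method.lower()] = entry
    return AuthResults(fields[0] if fields else "", methods)


def _domain(value: str) -> str:
    """Domain part of 'user@host', '@host' or a bare host, lower-cased."""
    return value.rsplit("@", 1)[-1].lower()


def _aligned(candidate: str, from_domain: str) -> bool:
    """Relaxed DMARC-style alignment: same domain or a subdomain of From."""
    c, f = candidate.lower(), from_domain.lower()
    return bool(c) and (c == f or c.endswith("." + f))


def assess(results: AuthResults, from_domain: str, my_authserv: str) -> List[str]:
    """Return the reasons not to trust the mail; an empty list means fully aligned."""
    issues: List[str] = []
    # Anyone upstream can add an Authentication-Results header; only the one
    # stamped by your own receiving host (Gmail: mx.google.com) is evidence.
    if results.authserv_id != my_authserv:
        issues.append(f"verdicts stamped by {results.authserv_id!r}, not {my_authserv!r}")
    spf = results.methods.get("spf", {})
    envelope = _domain(spf.get("smtp.mailfrom", ""))
    if spf.get("result") != "pass":
        issues.append("spf did not pass")
    elif not _aligned(envelope, from_domain):
        issues.append(f"spf passed for envelope domain {envelope}, which is not {from_domain}")
    dkim = results.methods.get("dkim", {})
    signer = _domain(dkim.get("header.i") or dkim.get("header.d", ""))
    if dkim.get("result") != "pass":
        issues.append("dkim did not pass")
    elif not _aligned(signer, from_domain):
        issues.append(f"dkim signed by {signer}, which is not {from_domain}")
    if results.methods.get("dmarc", {}).get("result") != "pass":
        issues.append("dmarc did not pass")
    return issues


# Constructed sample headers (not real mail), in the shape Gmail produces.
FROM_DOMAIN = "$company.okta.com"        # the post's placeholder for the tenant

LEGIT_HEADER = """Authentication-Results: mx.google.com;
       dkim=pass header.i=@$company.okta.com header.s=sel1 header.b=Ab12Cd;
       spf=pass (google.com: domain of noreply@$company.okta.com designates 192.0.2.10 as permitted sender) smtp.mailfrom=noreply@$company.okta.com;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=$company.okta.com"""

# SPF passes, but for the sender's own bulk-mail domain; From: is unrelated.
LOOKALIKE_HEADER = """Authentication-Results: mx.google.com;
       dkim=none;
       spf=pass (google.com: domain of bounce@mailer.example.net designates 198.51.100.7 as permitted sender) smtp.mailfrom=bounce@mailer.example.net;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=$company.okta.com"""


def verdict(header: str) -> List[str]:
    return assess(parse_authentication_results(header), FROM_DOMAIN, "mx.google.com")


if __name__ == "__main__":
    for name, hdr in (("legit", LEGIT_HEADER), ("lookalike", LOOKALIKE_HEADER)):
        print(name, "->", verdict(hdr) or ["no concerns"])
```

The second sample is the case SPF alone cannot catch: the verdict is a genuine pass, but for a domain that has nothing to do with the one shown in From:. Only the alignment check, or a DMARC pass, ties the two together; that is the piece of information a bare “SPF: pass” in Gmail’s header does not give you.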

Sexist flagbearers hypocrisy revealed

This evening, the BBC broadcast the results of a short story prize.  I heard some of the stories as they broadcast them last week, and they were indeed good.  I missed the broadcast of the winning story, but I daresay it was well-deserving of its award.

Being the BBC, they didn’t just broadcast the stories and the award ceremony.  They also broadcast a lot of discussion: of the award, the shortlisted candidates, the stories, of the short story form, of what works well with the form, authors and critics anecdotes, etc.

Never once in all that discussion did anyone remark on the fact that it was an all-female shortlist.  Why should they?  There’s nothing remarkable about it: it’s entirely reasonable (and in the long term statistically inevitable) that a fair and impartial shortlist should, from time to time, be all female.

— However —

This is the same BBC who, a couple of years ago, found itself with an all-male shortlist for another award.  I don’t recollect the award itself, just the huge fuss they made of the absence of women on the shortlist.  This is a huge misogynistic scandal, unacceptable sexism.  How was this allowed to happen?  Do heads need to roll?  This must never be allowed to happen again!

Googling suggests the award in question was probably their “sports personality of the year” (for 2011), which would explain why I had no interest in the award itself and heard only the fuss.  The mindless, blatantly sexist fuss, that is now revealed in the full glory of its hypocrisy by the contrast with today’s very civilised short story award.

Forever war

Once again, we’re going to war against an ill-defined enemy.  But this time it’s clear: this is the enemy’s own agenda, and our Headless Chickens are merrily dancing to “Jihadi John”‘s tune.  As ever, we’ll take a bad situation and make it vastly worse.

When it’s demagogues like Galloway and Farage consistently talking the most sense on the subject of policy towards the world’s trouble spots, one can but shake the head and redouble one’s efforts to reduce complicity.

Oh, erm, and am I the only one to see the irony in all the Islamic State horror coming in this centenary year of 1914, as we look back at “Germans eat your babies”?

Defending against shell shock

I started writing a longer post about the so-called shell shock, with analysis of what makes a web server vulnerable or secure.  Or, strictly speaking, not a webserver, but a platform an attacker might access through a web server.  But I’m not sure when I’ll find time to do justice to that, so here’s the short announcement:

I’ve updated mod_taint to offer an ultra-simple defence against the risk of shell shock attacks coming through Apache HTTPD, versions 2.2 or later.  A new simplified configuration option is provided specifically for this problem:

    LoadModule taint_module modules/mod_taint.so
    Untaint shellshock

mod_taint source and documentation are at http://people.apache.org/~niq/mod_taint.c and http://people.apache.org/~niq/mod_taint.html respectively.

Here’s some detail from what I posted earlier to the Apache mailinglists:

Untaint works in a directory context, so can be selectively enabled for potentially-vulnerable apps such as those involving CGI, SSI, ExtFilter, or (other) scripts.

This goes through all Request headers, any PATH_INFO and QUERY_STRING, and (just to be paranoid) any other subprocess environment variables. It untaints them against a regexp that checks for “()” at the beginning of a variable, and returns an HTTP 400 error (Bad Request) if found.

Feedback welcome, indeed solicited. I believe this is a simple but sensible approach to protecting potentially-vulnerable systems, but I’m open to contrary views. The exact details, including the shellshock regexp itself, could probably use some refinement. And of course, bug reports!
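The check described above, as an added example in Python rather than the module’s own C. mod_taint’s real regexp is not shown on this page, so the pattern here (reject any variable whose value begins with “()”, leading blanks allowed), the HTTP_* export of request headers and the two sample requests are assumptions and constructed data, not taken from mod_taint.

```python
import re
from typing import Dict, List, Tuple

# Added example, not mod_taint's source.  mod_taint's actual regexp is not on
# the page; this one is an assumption that follows the description: reject a
# variable whose value begins with "()" (leading blanks allowed).
SHELLSHOCK_RE = re.compile(r"^\s*\(\)")


def cgi_environment(headers: Dict[str, str], path_info: str, query_string: str,
                    extra_env: Dict[str, str]) -> Dict[str, str]:
    """Build the environment a CGI/SSI/ExtFilter child would inherit.

    Request headers become HTTP_* variables the way Apache's CGI support
    exports them (upper-cased, '-' to '_'); that export is how a crafted
    header value reached bash in the shell shock attacks.
    """
    env = dict(extra_env)
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    env["PATH_INFO"] = path_info
    env["QUERY_STRING"] = query_string
    return env


def untaint_shellshock(env: Dict[str, str]) -> Tuple[int, List[str]]:
    """Mirror 'Untaint shellshock': check every variable, 400 on any match.

    Returns (HTTP status, sorted names of the tainted variables).
    """
    tainted = sorted(name for name, value in env.items() if SHELLSHOCK_RE.match(value))
    return (400 if tainted else 200), tainted


def check_request(request: dict) -> Tuple[int, List[str]]:
    """Apply the untaint step to a request given as header/path/query/env parts."""
    return untaint_shellshock(cgi_environment(**request))


# Constructed sample requests (not captured traffic).
CLEAN_REQUEST = {
    "headers": {"Host": "www.example.com",
                "User-Agent": "Mozilla/5.0 (X11; Linux x86_64)",
                "Cookie": "session=abc123"},
    "path_info": "/2014/09",
    "query_string": "name=value&fn=f()",      # "()" not at the start: allowed
    "extra_env": {"SERVER_SOFTWARE": "Apache/2.4"},
}

TAINTED_REQUEST = {
    "headers": {"Host": "www.example.com",
                "User-Agent": "() { :; }; echo constructed-probe",
                "Referer": " () { :; }; echo another",
                "Accept": "*/*"},
    "path_info": "/2014/09",
    "query_string": "",
    "extra_env": {"SERVER_SOFTWARE": "Apache/2.4"},
}


if __name__ == "__main__":
    for label, request in (("clean", CLEAN_REQUEST), ("tainted", TAINTED_REQUEST)):
        status, names = check_request(request)
        print(f"{label}: HTTP {status} {names}")
```

Two points the samples make: the check is deliberately narrow, so a value that merely contains “()” somewhere (the f() in the clean query string) is left alone; and it runs over the environment as exported, so a header that has been turned into HTTP_USER_AGENT or HTTP_REFERER is caught just as PATH_INFO or QUERY_STRING would be.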

Faintheart

Wee, sleekit, cow’rin, tim’rous beastie,
O, what a panic’s in thy breastie!

What a letdown, Jock.  Your poet must be spinning in his grave.

Carry On up the Union

Today the Scottish referendum debate has turned to pure comedy, as the preserve-the-status-quo political and media Establishment turn to blind panic and run about like headless chickens. All the Westminster leaders are belatedly running off to campaign, and stressing that You can vote No, because No will mean Yes in all but name. Though each party still seems to have its own flavour of NoMeansYes, so that’ll be another confused and horrible compromise agreement to thrash out, or alternatively no agreement and kick the issue into the long grass (and try to blame the Scots Nats).  They’ve even dragged the Royal Family in, with a well-crafted Denial that the Queen might plead for the Union, and a big Feelgood announcement from her grandson and his missus.

As I’ve said before, our constitution since Blair is hopelessly broken.  Disappointingly, none of his successors at Westminster show any inclination to fix it, so the only proposal on the table is Scottish independence.  That will leave both parties with some interesting problems, but I think much more political will to deal with them than has hitherto been in evidence.

There are of course some glaring problems in the Scots Nats programme.  I don’t think that’s actually a problem: a Yes vote is just the start of a process of negotiation in which everyone can drop their sillier and more outlandish ideas in pursuit of a mutually-acceptable agreement.  Unlike a No vote, which just gives the headless chickens a mandate to sink straight back into complacency.

Now it’s Jocks’ Choice.  Say Yes to independence, force the issue, end the bad marriage, and let’s be good friends, just as we are with other neighbours such as the Dutch or the Irish.  Endure short-term pain – for there will surely be quite a hiatus and disruption on both sides – for long-term gain.  Or say No, succumb to the bullying of the political class, and condemn us all to another generation of brokenness.

A tea party in Boston and Skegness

A junior minister quits the government.

He takes a job in London while his family live elsewhere: what does he expect?  Did he not realise the job was in London?  OK, lots of people have to do that kind of thing, but in his case there’s a real difference: as a member of the legislature, his job is supposed to be about improving the way things work.  He could see the problem, he suffered from it himself: did he never think to DO ANYTHING ABOUT IT?  At least, use his position as a platform from which to campaign, even if he can’t persuade the government to do anything.

As reported, he seems to be saying that being an MP is incompatible with his family life.  WRONG: being an MP is just incompatible with NOT being a Londoner.  If you’re not a native Londoner, you become an adoptive one by taking the effing job.

That’s why those of us out in the sticks are constitutionally excluded from representation in parliament.  There can’t be many who are such complete idiots as to stand for parliament without wanting to live in London, or at the very least being indifferent to it.  This man with family in Lincolnshire probably represents the place better than anyone qualified to be an MP.  Or would have done, if only he hadn’t so totally wasted his opportunity to put our democratic deficit (void, rather) onto the political agenda.

What a total idiot!

The other reshuffle

Baroness Warsi resigns over a matter of principle. Good to know there’s still a government minister not entirely without principles.  Oh .. erm .. hang on ….

But what took her so long?  It’s not as if Gaza is the first foreign problem in which our government has behaved disgracefully on her watch.  It’s not even as if this was one of the conflicts for which we bear the most substantial responsibility – at least not in our times. Not like those heavily provoked in the first place by western agents provocateurs (like Syria or Ukraine), or the legacy of actual military action (like Libya). Maybe she protests her principles just a tad too much?

How will history view her?  I guess precedents like Robin Cook show that a resignation can do a lot to redeem a reputation, even if it comes long after your hands are covered in blood.

Symbiosis

The blackberry season is firmly upon us. Indeed, it’s come exceptionally early: I’ve been getting some good pickings for two weeks in the garden.

In the wild, brambles tend to live alongside nettles. In my garden there are no nettles, but in their accustomed place is ivy climbing anything that’ll support it, including some of the brambles. It’s got some rather attractive white flowers right now!

As a gardener, the ivy can be a pain: if I try to trim the brambles (or other plants the ivy climbs) back I have two intertwined things to deal with, and they need very different treatment. But for picking the blackberries, I discovered today a bit of ivy can be a huge advantage. Something soft and thorn-free I can grab to pull the thorny bits out of the way and give comfortable access to the berries!

Luxury!
