Saved from Visa

I’ve written before about the Fraudster’s Friend misleadingly named “Verified by Visa”.  Most directly in my post Phished by Visa, though Bullied by Visa perhaps also deserves a mention.

Today I went to place an order with Argos, who I’ve used several times before and who have always – in contrast to some of their competitors – delivered very efficiently.  This time alas the shopping process has become significantly more hassle, and they’ve introduce the VBV cuckoo into the process.  But I was pleased to note that, when I came to the VBV attack, Firefox flagged it up as precisely what it is: an XSS attack, and in the context of secure data (as in creditcard numbers) a serious security issue.

I hope Firefox does that by default, rather than just with my settings.  Though it would be courageous, to take the blame from the unwashed masses who might think VBV serves their interests when it doesn’t work.  Doing the Right Thing against an enemy with ignorance on its side has a very bad history in web browsers, as Microsoft in the late 1990s killed off the opposition by exposing their users to a whole family of “viruses” in a move designed to make correct behaviour a loser in the market (specifically, violation of MIME standards documented since 1992 as security-critical).

Alas, while Firefox saved me from the evil phishing attack, the combination of that and other Argos website trouble pushed me to a thoroughly insecure and less than convenient medium: the telephone.  Bah, Humbug.

Mac vs Open Source

I develop software.

The kind of software I work on rarely concerns itself with details of the platforms it runs on, and is therefore inherently platform-neutral.  Of course complete cross-platform compatibility is elusive, but one does one’s best to adhere to widely-supported standards, libraries known to be cross-platform, etc.  And if something non-standard is unavoidable, try to package it so that switching it out will be clean and straightforward as and when someone has the need.

So it’s with some concern that I see the Mac platform apparently moving to distance itself from the open source world I inhabit.  I’ve got used to the idea that I sometimes have to use clang instead of gcc, and that that gives rise to annoying gotchas when autoconf stuff picks up gcc/g++ in spite of the standard names cc, c++ et al all being the clang versions!  Still, I guess it’s not the platform’s fault if
CC=cc CXX=c++ ./configure –options
behaves inconsistently.

Now it’s OpenSSL that’s been giving me grief.  Working with it on Mac for the first time, I see all the OpenSSL APIs I’m using appear to be deprecated.  Huh?  Googling finds that the whole of OpenSSL is deprecated on Mac.  Thou shalt use CC_crypto(3cc) instead!  Damn!!

OK, what’s CC_crypto?  Given that lots of software I work on uses OpenSSL, it’s only going to be of interest if it emulates OpenSSL (well, if for example it was an OpenSSL fork then that would be a reasonable expectation).  There’s a CC_crypto manpage, and google finds similar information at Apple’s developer site, but therein lies nothing more enlightening than cryptic hints:

To use the digest functions with existing code which uses the corresponding openssl functions, #define the symbol COMMON_DIGEST_FOR_OPENSSL in your client code (BEFORE including <CommonCrypto/CommonDigest.h>).

and

The interfaces to the encryption and HMAC algorithms have a calling interface that is different from that provided by OpenSSL.

Well, if that means it’s mostly OpenSSL-dropin-compatible, why not say so?  Even googling “CC_crypto openssl emulation” doesn’t turn up anything that looks promising, so I haven’t found any relevant documentation.  And since the header files are different, it will at the very least require some preprocessor crap.  OK, ignore it, stick to OpenSSL, kill off the -Werror compiler option, and maybe revisit the issue at some later date.

Not good enough.  The build bombs out when something (not my code, and I’d rather not have to hack it) uses HMAC functions, whose signature on Mac is different to other platforms.  So openssl on Mac – specifically /usr/include/openssl/hmac.h – is nonstandard!  Grrr …  In fact it appears to be some bastardised hybrid: OpenSSL function names with CCHmac-like declarations.  Is this OpenSSL in fact a wrapper for CC_crypto?  If so, why is it all deprecated?  Or if not, who has mutilated the API?

Well OK, that’ll be what Homebrew was talking about when it flashed up some message about installing OpenSSL only under Cellar, and not as a standard/system-wide lib.  So I have another OpenSSL.  Perhaps more?  locate hmac.h finds a whole bunch of versions (ignoring duplicates and glib’s ghmac.h):

/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.7.sdk/usr/include/openssl/hmac.h
/private/var/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.7.sdk/usr/include/openssl/hmac.h
/usr/include/openssl/hmac.h
/usr/local/Cellar/openssl/1.0.2/include/openssl/hmac.h

Of those, only the Cellar version is compatible with the canonical OpenSSL.  A –with-openssl configure option fixes my immediate problem, but throws up a bunch of questions:

• Why have I had to jump through these hoops?
• Where would I start if I want to use CC_crypto as advised in existing OpenSSL-using code?
• What do I need to keep up-to-date on my system?  Presumably standard apps use the version in /usr , but is anything keeping that updated if homebrew isn’t touching it?

Dammit, looks like this Mac may be vulnerable!  Everything in /usr/include/openssl is dated 2011 (when the macbook was new).  The libssl in /usr/lib is dated September 2014 – which suggests it has been updated by some package manager.  But it identifies itself as libssl.0.9.8, which is not exactly current.  Maybe it’s a Good Thing the macbook’s wifi died, so it no longer travels with me outside the house.

WTF is Apple doing to us?

Roots

I recently visited my father for a few days.

That doesn’t mean I revisited a childhood house, or even town: neither he nor I has done that for many years.  But one thing somehow took me back: hearing the cooing of pigeons outside.  That’s not even a very nice sound: it can be quite infuriating when it goes on incessantly, and I have some recollections of them being an annoying pest.  Yet that sound gave me a faintly Proustian nostalgia.  Followed of course by the realisation that there aren’t any around here, and faintly wondering why not: it can’t be just the neighbourhood cats!

During my visit I went to an event in London, and stayed on for a concert in the evening.  It was the RPO, at the Royal Festival Hall.  I got a great seat, and thoroughly enjoyed it.  But a little more than that: the orchestral sound was somehow ultimately “right”: the canonical orchestral sound.  What I was actually hearing (apart from a fine orchestra playing great music) was the Festival Hall’s acoustic, and I think that “rightness” must’ve been because that’s where I first ever heard an orchestra when my parents took me to see The Nutcracker there as a small child!

Hmmm ….