Centroid.EU Blog

OpenBSD Donation Time

November 19th, 2016

Part 2/2 of this year, I have donated 100 EUR to Theo de Raadt. This wraps up my donations to all *BSD's this year. BTW the donation meter at OpenBSD foundation is almost filled to the goal. Congrats OpenBSD!

A real exciting Idea

November 10th, 2016

Yesterday I was brainstorming how to "sign" binaries in OpenBSD, and I caught an itch. I don't know if I'll ever do this but I've given it thoughts since yesterday. First though I want to show you this, here. I'm not the only person that thinks a signed binary in OpenBSD would be a good idea. So then I thought about how to do this a little.

In the kernel, the exec routines that read an ELF binary would have to be modified in the following way. The kernel reads the ELF program header table and expects a PT_OPENBSD_ELFSEC program header entry. Provided the user is not root (a suser check) and the cache shows the binary has not been checked before (a walk of a LIST), it reads in the entire binary upon exec and HMAC-checksums it with a key that was ioctl'ed into the kernel at boot time under securelevel 0; the check itself is only done if the securelevel is > 0. It then compares the result with the contents of the PT_OPENBSD_ELFSEC segment, and if they match it discards the read file and lets read-on-demand take over for the file. It is then running a genuinely "signed" binary.

In userland there are four programs that get modified: binutils, strip, elfsec and elfsecd. When compiling new programs, the PT_OPENBSD_ELFSEC program header gets added to the ELF program headers. As root you can execute any binary, signed or not, because at that point it doesn't matter: an attacker with root has full control over the system anyway. When binaries are compiled, make calls strip with a new argument which will "bless" a binary with the elfsec program when running as root. For a non-root user it is first checked whether the user is allowed to bless binaries, and then elfsec speaks with elfsecd to bless the binary with the private key that only root can read; a bit of descriptor passing within the imsg framework would work out nicely. The elfsec binary should also be able to bless entire directories such as /bin, /sbin, /usr/bin, /usr/sbin etc.

This is the track I have wrapped my thoughts around. Dunno if it's worth it, but the installer program would need to be modified to rebless new binaries in an upgrade. That would satisfy all those naysayers that say it would never work. The end result is that you prevent someone else from importing binaries that you don't want running on your system, perhaps a worm of sorts. It's another level of security, and it would cost an attacker a lot of resources to crack the private key behind each binary. It would slow down a system somewhat, but I've been using SSDs for a few years now and don't see this as much of an issue; there is also caching, which should speed this up.
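To make the proposal above concrete, here is an added example (my own illustration, not code from the post or from OpenBSD) that models the three pieces in one place: the ELF program-header walk looking for the signature segment, the userland "bless" step that writes an HMAC into it, and the kernel-side gate that only verifies for non-root callers when securelevel > 0 and caches files already found good. PT_OPENBSD_ELFSEC is assumed to carry a placeholder value in the OS-specific range (the post names the header but assigns no number), the MAC is assumed to be HMAC-SHA256 over the whole file with the signature bytes zeroed, and the ELF image is constructed in memory rather than taken from a real binary.

```python
import hashlib
import hmac
import struct

# Hypothetical program header type for the proposed signature segment. The post names
# PT_OPENBSD_ELFSEC but gives no value; this is a placeholder in the OS-specific
# (PT_LOOS..PT_HIOS) range, not a real OpenBSD constant.
PT_OPENBSD_ELFSEC = 0x65A3DBFF
PT_LOAD = 1

EHDR_FMT = "<16sHHIQQQIHHHHHH"        # ELF64 file header, little-endian
PHDR_FMT = "<IIQQQQQQ"                # ELF64 program header
EHDR_SIZE = struct.calcsize(EHDR_FMT)  # 64 bytes
PHDR_SIZE = struct.calcsize(PHDR_FMT)  # 56 bytes
MAC_SIZE = hashlib.sha256().digest_size  # 32 bytes reserved for the HMAC


def build_test_elf(code: bytes) -> bytes:
    """Constructed sample input: a minimal ELF64 image with a PT_LOAD segment holding
    `code` and a zero-filled PT_OPENBSD_ELFSEC segment at the end of the file."""
    phoff = EHDR_SIZE
    code_off = phoff + 2 * PHDR_SIZE
    mac_off = code_off + len(code)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8  # ELFCLASS64, little-endian, v1
    ehdr = struct.pack(EHDR_FMT, ident, 2, 0x3E, 1, 0x400000 + code_off, phoff, 0, 0,
                       EHDR_SIZE, PHDR_SIZE, 2, 0, 0, 0)
    load = struct.pack(PHDR_FMT, PT_LOAD, 5, code_off, 0x400000 + code_off,
                       0x400000 + code_off, len(code), len(code), 0x1000)
    sig = struct.pack(PHDR_FMT, PT_OPENBSD_ELFSEC, 0, mac_off, 0, 0, MAC_SIZE, 0, 1)
    return ehdr + load + sig + code + b"\0" * MAC_SIZE


def find_elfsec(image: bytes):
    """Walk the program header table; return (offset, size) of the signature
    segment, or None if the binary carries no PT_OPENBSD_ELFSEC header."""
    if image[:4] != b"\x7fELF" or image[4] != 2 or image[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    fields = struct.unpack_from(EHDR_FMT, image, 0)
    phoff, phentsize, phnum = fields[5], fields[9], fields[10]
    for i in range(phnum):
        p_type, _flags, p_offset, _va, _pa, p_filesz = \
            struct.unpack_from(PHDR_FMT, image, phoff + i * phentsize)[:6]
        if p_type == PT_OPENBSD_ELFSEC:
            # Bounds-check the header before trusting it: a crafted segment must not
            # be able to point the kernel outside the file.
            if p_filesz != MAC_SIZE or p_offset + p_filesz > len(image):
                raise ValueError("malformed PT_OPENBSD_ELFSEC segment")
            return p_offset, p_filesz
    return None


def _mac(image: bytes, key: bytes, off: int, size: int) -> bytes:
    # The MAC covers the entire file with the signature bytes themselves zeroed,
    # so the headers, code and data are all bound to the key.
    covered = image[:off] + b"\0" * size + image[off + size:]
    return hmac.new(key, covered, hashlib.sha256).digest()


def bless(image: bytes, key: bytes) -> bytes:
    """Userland 'elfsec' step: write the HMAC into the reserved segment."""
    seg = find_elfsec(image)
    if seg is None:
        raise ValueError("binary has no PT_OPENBSD_ELFSEC header; rebuild it with one")
    off, size = seg
    return image[:off] + _mac(image, key, off, size) + image[off + size:]


def verify(image: bytes, key: bytes) -> bool:
    """Kernel-side check: recompute the MAC and compare in constant time."""
    seg = find_elfsec(image)
    if seg is None:
        return False
    off, size = seg
    return hmac.compare_digest(image[off:off + size], _mac(image, key, off, size))


class ExecGate:
    """Models the gating from the post: verify only when securelevel > 0 and the
    caller is not root; a file identity found good once is cached (the LIST walk)."""

    def __init__(self, key: bytes, securelevel: int):
        self.key = key                # key ioctl'ed in at boot under securelevel 0
        self.securelevel = securelevel
        self.verified = set()         # cache of file identities already checked

    def allow_exec(self, file_id, image: bytes, uid: int) -> bool:
        if self.securelevel <= 0 or uid == 0:
            return True
        if file_id in self.verified:
            return True
        ok = verify(image, self.key)
        if ok:
            self.verified.add(file_id)
        return ok


if __name__ == "__main__":
    key = b"constructed-test-key"
    signed = bless(build_test_elf(b"\x90" * 16), key)
    print("signed binary verifies:", verify(signed, key))
```

One caveat the post does not spell out: the cache is keyed on file identity, so a kernel implementation would have to drop the cache entry whenever the file is written to or replaced, otherwise a modified binary would inherit the earlier good verdict. Note also that the bounds check in `find_elfsec` is what keeps a hostile program header from steering the kernel's read outside the file.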

Hehe, thinking of vapourware can be mind consuming for sure :-).

Government (NASA) Space Program likely to suffer under Trump

November 9th, 2016

I talked a little about the American and European space programs in the past. Now on one hand it was a GOP under Dubya Bush who wanted Moon to Mars. However, Trump has other priorities. He wants to fix the potholes in America first. He makes economic sense; there is no glory when your infrastructure is failing. But we likely won't see much action until at least 2021, that is, after his first term, I think. With Obama the American Space Program suffered, but Obama set something in motion that was perhaps a smart move: the private space industry, SpaceX, Boeing, those sorts of private enterprises.

Donald Trump is president-elect of the US

November 9th, 2016

I did not cheer for Hillary and I did not cheer for Trump. Americans failed to look for the alternatives. My favourite was Jill Stein, who got very few votes, if any. I did not cheer for the "lesser evil"; I turned my thoughts away from the Clinton-Trump pair, even though people tried to tell me I had to choose. I don't have to choose; I chose the alternative. Hopefully the Donald will not wreck too much in relations between my country and the USA. I count on the real alternative, the US Green Party.

Arctic Fibre acquired by Quintillion Networks

November 8th, 2016

Today is the first day of snow I experienced in the 2016 fall season. In 2013 I experienced the same first few days of snow in Iqaluit, Nunavut. Because I saw a connection I researched the past and found in a link that Arctic Fibre of Toronto, Canada was acquired by Quintillion Networks last June. Quintillion Networks seems to be run by people from Alaska. It reminded me how my friend in Iqaluit said that Barrow, Alaska has a lot in common with Iqaluit (I think he said that on Twitter). Anyhow, the Canadian part joining with the Alaskan part and stretching to the UK is probably in limbo since it's been pushed back to Phase 3. But here's hoping that Iqaluit will get terrestrial submersed fibre optic cable some day.

First day of Snow for the Season

November 8th, 2016

Yesterday I increased the heat to #2 on my electric "nachtspeicher" furnaces. Tonight it's snowing. Stille Nacht.

Shades can say so much!

October 31st, 2016

I took this photo a few days ago. I think it's very pretty.

Made with an iPod as I was walking down this path. Happy Autumn!

Happy Hallowe'en!

October 31st, 2016

I got candies here! And awaiting children if any dare!

Will Internet Surveillance in Germany decelerate our Internet?

October 21st, 2016

Germany is already behind many other countries in Europe and elsewhere (like South Korea) in terms of Internet speeds. Recently the BND was given powers (German) to surveil our Internet. I'm wondering if the surveillance will stop our Internet from progressing into something fit for the 21st century. South Korea is already working on 10 Gbit/s speeds for everyone. We're just at 50 Mbit/s if we're lucky. I still have 16 Mbit/s. With every speed upgrade at an ISP, the BND will have to bring their spy equipment up to similar standards, which is a burden on the taxpayer. I fear Pandora's box has been opened.

Delphinusdnsd name approaches 2 years old

October 20th, 2016

On November 14th, 2014 I forked delphinusdnsd from wildcarddnsd. It was a name change to indicate a new direction in programming, namely DNSSEC. I'd like to sum up the milestones it has reached since then:

  • dd-convert.rb, a Ruby script to sign zonefiles
  • a semi-decent working DNSSEC stack

Currently, and for this year, I'm working on a replacement for dd-convert.rb to make the project full C source again. I'm also getting ideas to incorporate parts of dd-convert.c back into delphinusdnsd to help with things such as fully signed dynamic DNS. But first I gotta get this done. It's my main task for this year, and it had obstacles to overcome. I'm looking forward to 2017 to start new things on delphinusdnsd and improve on it; here are some hints:

  • The underlying database needs to be replaced, which means goodbye Berkeley DB. The reason for this is that there is a bug in my implementation, not sure if it's OpenBSD related or Berkeley DB related, but it appears to affect queries.

And then there is always the need to refactor some code.
