Centroid.EU Blog

swshell.de is DNSSEC enabled now

Since yesterday swshell.de is DNSSEC enabled. I finished the zone signing utility for delphinusdnsd which is called dd-convert.rb. That utility leans on BIND tools. One day perhaps I'll make my own. I have checked with the DNSSEC debugger and everything seems to be in the green, but I have to figure out what I did first to do so and play a little with tools. Also delphinusdnsd would need a good debugging now so that it gives quality answers.

Donated to OpenBSDFoundation

I have given the OpenBSD foundation 41.81 EUR which was in my paypal account. I usually donate directly to deraadt but I wanted to rid the money I had in my paypal account so it goes to the foundation this time.

pledge(2) Don't do this!

pledge(2) in OpenBSD is a whitelist of system calls that a programmer pledges / promises his program will conform to. If they lie the kernel will kill the program. If you look at this from an attacker perspective you'll have to restrict bytecode or whatever your edge is to the pledged spectrum of syscalls.

I'll give you another example. If you have an anti-virus mechanism that scans emails or programs it may not need to talk Internet protocols and thus if someone manages to buffer overflow the scan process and have it open a socket back to the attacker aka a bindshell, pledge will stop the socket call before the kernel opens it. It's ingenious and it gets better. As you know your program you can pledge several times to restrict more and more of it over the course of the program flow.

In private conversation I offered Theo de Raadt, the principal programmer around pledge, an awk program that rudamentally scans C sources to determine a base pledge in a program. What I got back was a response I didn't expect. So I'm giving out a warning to people to NOT DO AS I had done. I still think I'm not going to be the only one who writes such a program since my gift to deraadt was not done publically.

You see in computer science you study the code, then you UNDERSTAND the code and then you can add to it. What I did was pseudo-science, since I didn't need to understand the code. Understanding is a big problem with code in general as everyone has their own style within the allowed programming idioms of C. Not understanding code means you can't contribute to it. I personally did not understand BIND code so I decided to write my own nameserver, the result was something I understood because I wrote it without wasting my time going into libraries that criss-crossed all over the source tree. However my code grew past 10,000 lines and it's easy to lose track of some areas.

My memory is not the best I think it's short span so I try to work with tools that easen this. However let's get back to science. As shown by the commits of top the programmers who pledged it not only screwed up once but twice and failed to understand top. So now we're accusing each other of pseudo-science and not understanding the code right. Let's put that away, as it's counter-productive. However I'd like to warn people of suggesting to OpenBSD what I had done. So know your code, apply pledge and stay safe.

For me pledge doesn't work as shm*(4) routines don't have a pledge keyword, so I'll have to wait. Anyone else wanting to pledge a program linked against db4 will have to do the same.

And lastly I'll say I was a bit hurt by deraadt's words, but I'm not gonna repeat them in public. I'll still stay loyal to OpenBSD despite this.

Outlook Delphinusdnsd 1.0.0 not before XMAS

I'm getting stalled with development of delphinusdnsd and distracted. I should have been coding on this yesterday to make use of my full vacation for this but I decided to soak up lazyness instead. It's ok though, there is no way I can do this in two weeks, if I do then there would be little testing if any.

AVM FritzBox Router losing ARP packets

After a 2 month long debug session with my gear I finally produced a workaround with codeblue to _fix_ the situation.

The problem: between my routers gamma and uranus (both OpenBSD) arp gets lost either on the FritzBox or a FritzRepeater from the same manufacturer (AVM).

The solution check if a threshold of arp cache timeout has been reached and populate the arpcache manually with an injected arp packet.

Here is the scripts I've written. On uranus:

#!/bin/sh

# this script checks if ARP was lost between gamma and uranus via AVM AP
# if so it will mail me and send a gratuitious arp to restore the arp cache
# on gamma it will do it twice to escape stupid filtering on AVM fritzbox.

sleep 10

CACHE=`ssh watcharp@192.168.179.1 /usr/sbin/arp -na |\
 awk '/192.168.179.10/ { a = split($4, b, "m"); print b[1];}'`

if [ $CACHE -lt 15 ]; then
        echo "cache is at $CACHE going to set arp manually" | \
        mail -s "arp timeout" emailat@centroid.eu

        /usr/local/bin/cb  -a is-at -s192.168.179.10 -d192.168.179.1
        
        sleep 20

        /usr/local/bin/cb  -a is-at -s192.168.179.10 -d192.168.179.1
        
fi

exit 0

#!/bin/sh

/usr/local/bin/cb -l re1 -a who-has -s00:0d:b9:XX:XX:XX,192.168.179.1 \
	-dff:ff:ff:ff:ff:ff,192.168.179.10  

Open Sourced CodeBlue version 1

After 14 years of having this program (mostly) for myself, I think it's worth it to Open Source it. Successes of Code Blue are

• proving a bug in someones program
• proving a bug in the OpenBSD kernel which caused a crash after a CBv1 typo
• proving that ARP packets get lost on AVM routers (recently)

MPS open sourced

Almost two years after I wrote this with help of Rienzilla I'm releasing it to the public. The sources are found here enjoy.

Oct 21, 2015 Cars that fly?

Tomorrow is back to the future day. On this day in part 2 of the trilogy Marty McFly travels to Oct 21, 2015, in essence tomorrow. Cars that fly? More like cars that lie, if you look at the VW emissions scandal. We did not get the hologram projectors nor the hoverboards. But we had something in common, cars still exist in 2015.

Thanks to Chris who gave me a ride in his deLorean one day when I was in grade 10 or 11. That really rocked! Did we timetravel?

Luna-27

I'm thrilled that Europe wants to put personell on the moon.

Upgraded supercluster

Along with every other host on my network I have upgraded supercluster. If you see any breakage let me know. I'll fix it.