
Tue, Apr. 15th, 2014, 08:53 pm
[psych, MA] "King of the Whirras"?

MIT AG peeps: is there anyone in the house who can either point me to a canonical version of "The King of the Whirras" story, or who can tell it? I may be misspelling "whirras". This is from IIRC a game in 1988 (just before my time). Ideally a version which does not name the player it happened to (or really anybody in it).

This keeps coming up -- it is one of the most epic examples of a particular kind of logical mistake -- but I am weak on the details and haven't heard it in 25 years.

Mon, Apr. 14th, 2014, 02:37 pm
[tech, nas] Other people's bugs, II: cron job running twice?

Now that I've got /etc/cron.daily/apachelogrotate slightly more debugged, I've discovered new, interesting issues.

For one thing, sometimes it tries to delete (rm) a file that it just learned about by ls, but by the time (several microseconds, presumably) that it gets around to trying to delete it, it's already gone.

Which suggests a race condition with something. Something running at the same time is deleting files that it's working with. What could that be?

Well, since adding the line echo "Running apachelogrotate! `date`" to the top of apachelogrotate...
sidereasnas:~# more dead.letter


/etc/cron.daily/apachelogrotate:
Running apachelogrotate! Mon Apr 14 06:25:01 EDT 2014


/bin/sh: root: not found
/etc/cron.daily/apachelogrotate:
Running apachelogrotate! Mon Apr 14 06:25:01 EDT 2014
[...other bugs cut for length...]
sidereasnas:~# 
Oh, hell: somehow apachelogrotate is getting called twice. At the same time.

Googling "cron being called twice" brought up the reasonable suggestion to check to see if you have two cron processes running. I checked. Negative, just once. I am rebooting the server now, and will see how it comes up... yeah, comes up with just one cron process.

(Actually googling "cron being called twice" brought up a lot of unhappy sysadmins across a lot of unices, all mostly not being able to figure out why their cron job is being fired twice.)

Thoughts? Suggestions?

[* As a side question: why is /var/log/cron.log yelling at me? Unix is case sensitive: there is no such thing as "/USR/SBIN/CRON" on my box, it's "/usr/sbin/cron". WTH?]
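One defensive measure while the double invocation is being hunted down, as an added example and not the post's script: a mkdir-based lock so that a second copy of the job started at the same time skips instead of racing the first over the same files. The lock path is an assumption; a real job would use /var/lock.

```shell
#!/bin/sh
# Added example, not the post's script: a guard that stops a second copy of a
# cron job from running while the first is still busy. mkdir is atomic, so two
# instances started in the same second cannot both create the lock directory.
# The lock path below is an assumption; a real job would use /var/lock.
LOCK=/tmp/apachelogrotate.lock

# Take the lock: 0 if acquired, 1 if a live process already holds it.
# A lock whose recorded pid no longer exists (the job crashed) is cleared.
acquire_lock() {
  if mkdir "$1" 2>/dev/null; then
    echo $$ > "$1/pid"
    return 0
  fi
  owner=$(cat "$1/pid" 2>/dev/null)
  if [ -n "$owner" ] && kill -0 "$owner" 2>/dev/null; then
    return 1                      # holder is alive: genuinely busy
  fi
  rm -rf "$1"                     # stale lock: remove it and try once more
  mkdir "$1" 2>/dev/null && echo $$ > "$1/pid"
}

release_lock() {
  rm -rf "$1"
}

# Run the job body only if the lock is free. A skipped run is logged, not an
# error, so cron's mail does not fill with the second instance's complaints.
guarded_run() {
  lock=$1; shift
  if ! acquire_lock "$lock"; then
    echo "$(date): another instance (pid $(cat "$lock/pid")) is running, skipping" >&2
    return 0
  fi
  "$@"
  rc=$?
  release_lock "$lock"
  return $rc
}

# Usage in the cron script: guarded_run "$LOCK" rotate_all
```

Until the cause is found, rm -f would also stop an "already gone" file from counting as a failure, since it ignores missing files.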

Sat, Apr. 12th, 2014, 09:42 pm
[law, tech, USA] The 5th Amendment and Encryption

Okay, I recently heard that 5th amendment privilege extends to not being forced to give up passwords, but I just found out the details are not what I understood, and apparently not what my friends who I discussed this with understood.

From Wired, quoting the decision of U.S. Magistrate William Callahan Jr. of Wisconsin:
This is a close call, but I conclude that Feldman’s act of production, which would necessarily require his using a password of some type to decrypt the storage device, would be tantamount to telling the government something it does not already know with ‘reasonably particularity’—namely, that Feldman has personal access to and control over the encrypted storage devices. Accordingly, in my opinion, Fifth Amendment protection is available to Feldman.
(emphasis mine)
Feldman didn't enjoy the 5th Amendment privilege of not having to produce the password because the encrypted drive's contents would incriminate him. Feldman didn't have to produce the password because doing so would prove the encrypted drive was his.

From The Volokh Conspiracy on a different case that came to a different result but the same conclusion on the 5th Amendment and passwords:
If I’m reading Fricosu correctly, the Court is not saying that there is no Fifth Amendment privilege against being forced to divulge a password. Rather, the Court is saying that the Fifth Amendment privilege can’t be asserted in a specific case where it is known based on the facts of the case that the computer belongs to the suspect and the suspect knows the password.
Again, if it's already been established that the encrypted volume is yours and you have the password, the fact that unlocking it would decrypt information that would implicate you in a crime is not considered to make you eligible for 5th amendment privilege. Fifth amendment privilege only kicks in when they can't prove it's your device or that you ever had control of it -- where producing the password proves that you had access to it all along, and that fact had not been already established.

Unless there's other case law I don't know about. In which case please post a cite.

Sat, Apr. 12th, 2014, 06:02 pm
[tech, crypto] True Randomness and the "Good Password"?

Crypto people:

Actual randomness turns out to be uncooperative. I'm trying to generate new passwords with my D&D dice and an ASCII table, and, randomness being random, I wound up with a nice, easy to remember password with only lowercase letters and a couple of punctuation marks. No uppercase letters, no numbers. One letter repeated twice.

So what is more important for a strong password? A tasteful, random-looking mix of characters, or actual randomness?
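The way to settle this is to count, as an added example that is not part of the post: a password's strength is the size of the space it was drawn from, and forcing a "mix" only shrinks that space. The script assumes the 94 printable non-space ASCII characters as the alphabet, split into lower (26), upper (26), digits (10) and punctuation (32), and uses awk for the arithmetic.

```shell
#!/bin/sh
# Added example, not from the post: the strength of a dice-rolled password is
# the size of the space it was drawn from, not how mixed it looks. Assumes the
# 94 printable ASCII characters other than space as the alphabet, split into
# lower (26), upper (26), digits (10) and punctuation (32).

# Bits of entropy in LEN symbols drawn uniformly from an alphabet of N symbols.
entropy_bits() {
  awk -v n="$1" -v len="$2" 'BEGIN { printf "%.1f\n", len * log(n) / log(2) }'
}

# Bits lost by re-rolling until the password contains every class. The share
# of uniform length-LEN strings that pass is found by inclusion-exclusion over
# the subsets of classes that could be missing, and the loss is -log2 of it.
bits_lost_to_mix_rule() {
  awk -v len="$1" 'BEGIN {
    size[0] = 26; size[1] = 26; size[2] = 10; size[3] = 32
    pass = 0
    for (mask = 0; mask < 16; mask++) {       # each subset of the four classes
      excluded = 0; sign = 1
      for (c = 0; c < 4; c++)
        if (int(mask / 2^c) % 2 == 1) { excluded += size[c]; sign = -sign }
      pass += sign * ((94 - excluded) / 94)^len
    }
    printf "%.1f\n", -log(pass) / log(2)
  }'
}

# The same uniform draw from the kernel CSPRNG instead of dice: LEN printable
# non-space ASCII characters, with no re-rolling to force a mix.
gen_password() {
  LC_ALL=C tr -dc '!-~' < /dev/urandom | head -c "$1"
  echo
}
```

At length 12 the uniform draw is worth about 79 bits and the mix rule costs about half a bit of that, so an all-lowercase result from honest dice lost nothing; only re-rolling it would.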

Extra credit:

Are there punctuation characters which are a bad idea to include in a password due to the likelihood of accidentally fuzz testing web applications? Are there characters typically disallowed?

The reason I ask is that I use an email address with a plus sign in it, and I get to find out everyone who fails to URLencode the "unsubscribe" links in their newsletters.

Should I just not worry about it, and trust that if I accidentally inject their server with my password, well, they had it coming?

Fri, Apr. 11th, 2014, 06:45 pm
[tech, newmedia] Fwd: NSA knew about Heartbleed

Via fabrisse who says "The source is generally slightly to the right of Attila the Hun, so have your salt ready." NSA said to have used Heartbleed bug and left consumers exposed:
The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said. The NSA's decision to keep the bug secret in pursuit of national security interests threatens to renew the rancorous debate over the role of the government's top computer experts.

[...]

Putting the Heartbleed bug in its arsenal, the NSA was able to obtain passwords and other basic data that are the building blocks of the sophisticated hacking operations at the core of its mission, but at a cost. Millions of ordinary users were left vulnerable to attack from other nations’ intelligence arms and criminal hackers.

Controversial practice

“It flies in the face of the agency’s comments that defense comes first,” said Jason Healey, director of the cyber statecraft initiative at the Atlantic Council and a former Air Force cyber officer. “They are going to be completely shredded by the computer security community for this.”

[...]

Free code

While many Internet companies rely on the free code, its integrity depends on a small number of underfunded researchers who devote their energies to the projects.

In contrast, the NSA has more than 1,000 experts devoted to ferreting out such flaws using sophisticated analysis techniques, many of them classified. The agency found the Heartbleed glitch shortly after its introduction, according to one of the people familiar with the matter, and it became a basic part of the agency's toolkit for stealing account passwords and other common tasks.

Wed, Apr. 9th, 2014, 11:18 pm
[tech, nas] Not my script, but now my problem (run-parts?)

Now that I have root on my nas, I have discovered that all along, my poor little nas has been trying to notify someone that one of its daily cron jobs was exiting with return code 1. The notifications wound up in dead.letter in ~/root.

So I went poking around, and discovered that the offender is /etc/cron.daily/apachelogrotate. Okay fine. What's apachelogrotate? It's a script:
#!/bin/sh
rotate_log() {
  APACHELOG_DIR=$(dirname $1)
  APACHELOG_FILE=$(basename $1)
  ROTATE_MAX=$2
  [ -z $ROTATE_MAX ] && ROTATE_MAX=5

  LOGFILES=$(ls -t ${APACHELOG_DIR}/${APACHELOG_FILE}.* 2>/dev/null)
  count=0
  for logfile in $LOGFILES; do
    count=$((count + 1))
    [ "$count" -gt "$ROTATE_MAX" ] && rm $logfile
  done
}
rotate_log /var/log/apache2/access_log 5
rotate_log /var/log/apache2/error_log 5
rotate_log /var/log/apache2/ssl_request_log 5
When I run this at the command line, I get no errors. In fact, I get no response, which is as it should be, I think -- all the logs are rotated.

But cron calls this by means of run-parts --report /etc/cron.daily, and when I run that at the command line, I get the same error that I saw in dead.letter, confirming that that was the source.

Some creative commenting and I have verified that the one line in there which actually does anything -- '[ "$count" -gt ' etc -- is the one which (when called by run-parts) causes run-parts to report a return code 1.

I give up: why is it doing this, why is it only doing it when called by run-parts (the manual of which did not suggest anything to me), what is wrong, and how should I make it stop?

ETA: resolved! My script now says:
#!/bin/sh

#set -x
ERRORCOUNT=0
rotate_log() {
  APACHELOG_DIR=$(dirname $1)
  APACHELOG_FILE=$(basename $1)
  ROTATE_MAX=$2
  [ -z "$ROTATE_MAX" ] && ROTATE_MAX=5

  LOGFILES=$(ls -t ${APACHELOG_DIR}/${APACHELOG_FILE}.* 2>/dev/null)
  count=0
  for logfile in $LOGFILES; do
    count=$((count + 1))
    # if/then instead of '[ ... ] && rm': the test's own status (1 when the
    # file is within the limit) no longer leaks out as the function's, and
    # so the script's, exit status
    if [ "$count" -gt "$ROTATE_MAX" ] ; then
      rm "$logfile"
      # only a failed rm counts as an error
      ERRORCOUNT=$(( $ERRORCOUNT + $? ))
    fi
  done
}
rotate_log /var/log/apache2/access_log 5
rotate_log /var/log/apache2/error_log 5
rotate_log /var/log/apache2/ssl_request_log 5

# explicit exit status: 0 unless some rm failed
exit $ERRORCOUNT
Which seems to do the right thing.
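A minimal reproduction of the exit-status mechanism, as an added example rather than the post's script: both shapes of the loop run on throwaway directories of fake rotated logs. With '[ test ] && rm' as the last command, the function's status is the test's status, which is 1 whenever the last file seen was within the limit, and that is what run-parts reports; the if/then form reports only rm failures.

```shell
#!/bin/sh
# Added example (not the post's own script): reproduces why the original
# apachelogrotate exits 1 under run-parts, on a throwaway directory.

# Create N fake rotated logs named access_log.1 .. access_log.N in a temp dir.
make_fixture() {
  d=$(mktemp -d)
  i=1
  while [ "$i" -le "$1" ]; do : > "$d/access_log.$i"; i=$((i + 1)); done
  echo "$d"
}

# Original shape: '[ test ] && rm' is the last command in the loop body.
# If the test is false on the final iteration (count <= max), the function's
# status is the test's status, 1, and so is the status of the whole script.
prune_and_form() {
  max=$2; count=0
  for f in $(ls -t "$1"/access_log.* 2>/dev/null); do
    count=$((count + 1))
    [ "$count" -gt "$max" ] && rm "$f"
  done
}

# Fixed shape: if/then, and only rm failures are counted into the status.
prune_if_form() {
  max=$2; count=0; errs=0
  for f in $(ls -t "$1"/access_log.* 2>/dev/null); do
    count=$((count + 1))
    if [ "$count" -gt "$max" ]; then
      rm "$f" || errs=$((errs + 1))
    fi
  done
  return "$errs"
}

# Run one prune function on a fresh fixture of N files with the given max and
# print "<exit status> <files left>"; the && || list keeps it set -e safe.
outcome() {
  d=$(make_fixture "$2")
  "$1" "$d" "$3" && rc=0 || rc=$?
  left=$(ls "$d" | wc -l | tr -d ' ')
  rm -rf "$d"
  echo "$rc $left"
}
```

Note that neither shape renames the live log to .1; as on the page, the script only prunes files beyond the limit.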

Tue, Apr. 8th, 2014, 10:46 pm
[tech, newmedia, setec astronomy] Heartbleed (List of sites?)

A profound vulnerability in OpenSSL was found yesterday. It's called "Heartbleed". (CVE-2014-0160) Something absurd like 3/4ths of all SSL installs were vulnerable. Via readwrite.com:
Heartbleed, a long-undiscovered bug in cryptographic software called OpenSSL that secures Web communications, may have left roughly two-thirds of the Web vulnerable to eavesdropping for the past two years
While a site is/was running the vulnerable version of OpenSSL, that site's:

• Certificates could have been stolen, such that even if/when the OpenSSL install is patched, antagonists could still eavesdrop on everything communicated to the site (and presumably masquerade as the site, though nobody seems to be mentioning that); and

• Users' usernames and passwords could have been stolen off the site; and

• Absolutely anything else that might have been in memory (SSNs, CC#, PHI, you name it) was also vulnerable to being scooped up; and

• There is no way to tell whether this was done.

While Microsoft, Google, and Apple managed to sidestep this one, Yahoo -- including Tumblr and Flickr -- were wide open for much of the day. Very many other sites were too. As of about 30 minutes ago when I checked, Sendhub.com, Phone.com, and Tracfone.com are all still open. You can use http://filippo.io/Heartbleed/ to test sites for the vulnerability.

My question for those of you keeping up on these things: has anyone put together a list of sites that were vulnerable, but now their SSL install is patched?

Because I'd like to know whether I need to change my password on a site, and I'd like to know if I should be checking the date of issue on their SSL Certs before I do. If a site comes up "unaffected" on filippo's checker, that doesn't tell me how it was 10 hours ago.

Also, out of morbid curiosity, I'd like to know how you get a web server to randomly divulge chunks of memory. I mean, this bug isn't just "the SSL doesn't keep your transmission secure", it's "This SSL implementation divulges secrets it wasn't even being used to secure." It's like, it's not even a guard dog that fails to drive off burglars. It's a guard dog that when told "Fetch, boy!" by the nice man in the mask across the street, runs inside, runs upstairs, operates the combination lock on your safe with his tongue, and then brings your valuables down to the guy, and, tail wagging, waits for pettins and treats. I mean seriously: wut.
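One way to do the cert-date check the post mentions, as an added example that is neither the post's nor the checker's code: it takes the notBefore line openssl prints for a certificate and compares it with the disclosure date (the post's "yesterday", taken here as 2014-04-07 UTC). Assumes GNU date for the -d parsing; the fetch helper needs network access and the openssl tool.

```shell
#!/bin/sh
# Added example, not from the post: given a server certificate, decide whether
# it was issued after Heartbleed became public (the post's "yesterday", taken
# here as 2014-04-07 UTC). Assumes GNU date for the -d parsing and the openssl
# command-line tool for fetching.
HEARTBLEED_DISCLOSED=2014-04-07

# Turn openssl's "notBefore=Apr  8 12:00:00 2014 GMT" line into a Unix time.
startdate_to_epoch() {
  date -u -d "${1#notBefore=}" +%s
}

# 0 if the epoch in $1 is on or after the disclosure date, 1 otherwise.
issued_after_disclosure() {
  cutoff=$(date -u -d "$HEARTBLEED_DISCLOSED" +%s)
  [ "$1" -ge "$cutoff" ]
}

# Classify a notBefore line: prints "reissued" or "predates".
classify_startdate() {
  if issued_after_disclosure "$(startdate_to_epoch "$1")"; then
    echo reissued
  else
    echo predates
  fi
}

# Fetch the certificate a host serves and classify it (needs network access).
# A cert that predates the disclosure means the key it carries may be one that
# was exposed; a reissued one is a hint, not proof, that the key was changed.
check_host() {
  line=$(openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
         | openssl x509 -noout -startdate) || return 2
  echo "$1: $(classify_startdate "$line")"
}
```

As the post says of the live checker, this tells you about the certificate now, not whether the server was leaking earlier; a reissued cert is only worth something if the site also changed its private key.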

Sun, Apr. 6th, 2014, 01:34 am
[movie review, pshrinkery] The Way (2010)

I finally got around to seeing "The Way" (2010). It was really good. I enjoyed it lots. Recommended.

Apparently, from our anecdata, the best chance you have to maximally enjoy this film is to see it on the big screen, in a room full of therapists. I think that is because the big screen connects you with the landscape, which is so important to the story, and because therapists as a species are willing to laugh at the humor leavening what is a deeply sad and, though ultimately hopeful, darned emotionally intense story. Without recognizing that humor -- which is true comic relief -- it's probably quite the slog.

I found it absolutely engrossing, something I can rarely say of films any more. The unorthodox pacing really, really worked for me. I saw it at a CEU function, and chatting with one of the other attendees, I observed that the pacing set up a kind of inexorability which echoed the experience of the characters in the story, and indeed the fundamental experience of going on pilgrimage: having committed to the journey, it takes what it takes, unfolding in its own time, and you just have to let it do its thing. On further reflection, it also echoes the fundamental emotional project of the protagonist: the inexorable process of grief at the death of a loved one, which will not be hurried or rushed. While the pacing is slow, it never tarries: it is, in fact, relentless in its methodical forward motion, rolling like a train on its tracks.

Not only didn't the film insult my intelligence, it didn't insult my wisdom either. It's a deeply humane film, and an emotionally intelligent one. It dealt with the relationship of anger to grief in a remarkably mature way, and showed a complex conflictual father-son relationship. It was broad, capacious and yet not grandiose. It has far more story than message. It doesn't feel the need to spell everything out.

I was very touched by how it showed the relationship between the pilgrims; it's the only film I can think of that shows how people can be supportive of one another by giving them space, while still being present. In fact, over and over, emotional support is something that is provided by deeds, not words, which makes it a very unusual movie. It is perhaps no surprise that the emotional climax of the film has no dialog at all.

So with that counsel in mind, I'll end this review about here. Recommended. Do be aware it concerns a father's experience of the death of his adult son (not a spoiler), and plan accordingly.

Thu, Apr. 3rd, 2014, 01:21 am
[games] Okay, I can stop now.

Maybe.

2048 played to 4096

Wed, Apr. 2nd, 2014, 06:38 pm
[law, US] Does the 5th Amendment apply to witnesses not the defendant?

Today a patient asked me an interesting question. He is a witness in a criminal matter, and the defendant called him to tell him that if he testified, the defendant's attorney would ask him a question -- a reasonable-sounding one about his knowledge of the defendant's previous similar crimes -- which would expose him to prosecution.

Can you plead the fifth if you're on the stand and not the defendant?

(Also, what should he do about the witness intimidation angle? Call the DA and say, "Hey, the defendant threatened me with exposing in court a crime I committed if I testify against him?" That seems.... risky.)

As he pointed out to me, he, merely being a witness, doesn't have a lawyer of his own to query, and he certainly doesn't have the money for one.

Suggestions?

ETA: Thank all! My client has now been duly apprised of his rights, both regarding the 5th amendment in general, and to approach the judge and ask that legal counsel be assigned him.
