Tuesday, February 28, 2012

VirtualBox Webcam Activation

Perhaps your webcam turns on when starting a guest VM.  (thread 1, thread 2, thread 3, none with helpful info.  There's also at least one bug for it, only two months old but still silent at time of writing.)

It turns out that this is related to audio.  If I have a VM with the audio disabled—such as one provisioned through vagrant—then it doesn't turn on the webcam.  I conclude that VBox is actually attempting to use the camera's microphone as audio input.

(I'd report this on the bug, if they had OpenID or something.  But building a whole Oracle Account just for this? Meh.)

Monday, February 27, 2012

Broken By Default

This is why everything that uses openssl needs to configure a cipher list:
Mon 12:38 ~$ openssl version
OpenSSL 1.0.0g-fips 18 Jan 2012
Mon 12:38 ~$ openssl ciphers DEFAULT | sed -e 's/:/ /g'
... EDH-RSA-DES-CBC-SHA EDH-DSS-DES-CBC-SHA DES-CBC-SHA KRB5-DES-CBC-SHA KRB5-DES-CBC-MD5 EXP-EDH-RSA-DES-CBC-SHA EXP-EDH-DSS-DES-CBC-SHA EXP-DES-CBC-SHA EXP-RC2-CBC-MD5 EXP-KRB5-RC2-CBC-SHA EXP-KRB5-DES-CBC-SHA EXP-KRB5-RC2-CBC-MD5 EXP-KRB5-DES-CBC-MD5 EXP-RC4-MD5 EXP-KRB5-RC4-SHA EXP-KRB5-RC4-MD5
I cut the stronger ciphers from the output, leaving weak ones: everything that is EXP (pre-2000 export strength, 40- or 56-bit keys) or DES.  I decided to let triple-DES slide even though it's legacy and limited to 112 bits of security.  I also let KRB5 and PSK slide, even though my understanding is that they're useless on the public Internet, due to needing to share a Kerberos setup or key (resp.) with the client in advance of the connection being made.

Due to the weak ciphers being included by default, everyone needs to specially configure their server to gain true security.  This means that all admins who want to do it "right" must keep up on all advancements in the field of cryptography, and distinguish real breaks from crackpot allegations.  All admins who want it to "work" will just search the web and paste in whatever cipher suite they find, potentially leaving them vulnerable to BEAST.  Meanwhile, that library we trusted to provide security is doing its best to avoid giving it to us.
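As an added example (not code from the original post), here is the filtering rule above written out so it can be run over any cipher string: drop everything export-strength (EXP), drop single DES but keep triple DES, and, for a public-facing server, also drop the KRB5 and PSK suites that presuppose a prearranged key.  The weak suite names are the ones from the `openssl ciphers DEFAULT` output shown above; the handful of stronger suites are a constructed sample so the filter has something to keep.  The OpenSSL cipher-string keywords that express the same policy (`!EXP`, `!DES`, and optionally `!KRB5:!PSK`) are given as a constant.

```python
"""Classify OpenSSL cipher-suite names by the rules in the post above.

Added example, not part of the original post.  DEFAULT_WEAK_TAIL is the weak
tail of `openssl ciphers DEFAULT` as the post printed it (OpenSSL 1.0.0g);
SAMPLE_STRONG is a constructed list of stronger suites from the same era.
"""

DEFAULT_WEAK_TAIL = (
    "EDH-RSA-DES-CBC-SHA EDH-DSS-DES-CBC-SHA DES-CBC-SHA KRB5-DES-CBC-SHA "
    "KRB5-DES-CBC-MD5 EXP-EDH-RSA-DES-CBC-SHA EXP-EDH-DSS-DES-CBC-SHA "
    "EXP-DES-CBC-SHA EXP-RC2-CBC-MD5 EXP-KRB5-RC2-CBC-SHA EXP-KRB5-DES-CBC-SHA "
    "EXP-KRB5-RC2-CBC-MD5 EXP-KRB5-DES-CBC-MD5 EXP-RC4-MD5 EXP-KRB5-RC4-SHA "
    "EXP-KRB5-RC4-MD5"
)

# Constructed sample of suites the post did not flag (AES, and triple DES,
# which the post decided to tolerate, plus one PSK suite).
SAMPLE_STRONG = (
    "DHE-RSA-AES256-SHA AES128-SHA DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA "
    "PSK-AES256-CBC-SHA"
)

# OpenSSL cipher-string spelling of the same policy.  In openssl's cipher
# keywords, DES means single DES only (triple DES is 3DES), so !DES drops
# exactly what the filter below drops; append :!KRB5:!PSK for the strict form.
OPENSSL_EQUIVALENT = "DEFAULT:!EXP:!DES"
OPENSSL_EQUIVALENT_PUBLIC = "DEFAULT:!EXP:!DES:!KRB5:!PSK"


def weaknesses(suite, public_internet=True):
    """Return the reasons a suite name should be dropped ([] if none).

    EXP- prefix: export strength (40- or 56-bit keys).
    DES without CBC3: single DES (56-bit); DES-CBC3 is triple DES and passes.
    KRB5 / PSK: need a Kerberos realm or pre-shared key arranged out of band,
    so they are dropped only when the server talks to arbitrary clients.
    """
    reasons = []
    parts = suite.split("-")
    if parts[0] == "EXP":
        reasons.append("export-strength")
    if "DES" in parts and "CBC3" not in parts:
        reasons.append("single-DES")
    if public_internet and ("KRB5" in parts or "PSK" in parts):
        reasons.append("pre-shared-key-only")
    return reasons


def filter_ciphers(cipher_string, public_internet=True):
    """Split an openssl-style list (':' or whitespace separated) and return
    (kept, dropped), where dropped maps each rejected suite to its reasons."""
    kept, dropped = [], {}
    for suite in cipher_string.replace(":", " ").split():
        reasons = weaknesses(suite, public_internet)
        if reasons:
            dropped[suite] = reasons
        else:
            kept.append(suite)
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = filter_ciphers(SAMPLE_STRONG + " " + DEFAULT_WEAK_TAIL)
    print("kept:   ", " ".join(kept))
    for suite, reasons in dropped.items():
        print("dropped:", suite, "->", ", ".join(reasons))
    print("openssl:", OPENSSL_EQUIVALENT_PUBLIC)
```

The rules are the post's 2012 rules; a filter written today would also drop the RC4 and MD5 suites and anything with anonymous (ADH/aNULL) key exchange, which is exactly the "keep up with the field" burden the next paragraph complains about.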

In other news: SSL Deployment Best Practices (PDF).

Saturday, February 25, 2012

War Story: The day I nearly invented server management

Long before I knew about puppet (or heard about chef via vagrant), I was working on a system with around 100 virtual hosts, nearly all of them configured from a small pool of standard features.  This made for a long, complicated vhosts.conf file, which we managed by keeping it in alphabetical order and using search a lot.  I realized that a lot of the duplication could be removed by generating it from a template file.

Thursday, February 16, 2012

Just a dream

Last night, I was dreaming that they took all the special variables out of perl because they’re too powerful… everything like $_ and $. and $[.  Basically, all of perlvar was completely removed from the language.

Except, if you knew where to look for it, this one was still there.  You assigned a function to it and it became a handle for modifying Reality itself.  I linked it to tr/[a-z]/[A-Z]/ and pushed the frame of it over the plate-glass window of the bank, and the gold-foil lettering announcing the name of the bank*, indeed, changed to uppercase.

Then I woke up, as I realized that they had left the power in there for their own ends, and would probably kill unauthorized users…


* It was a long, overdone, corporate-flavored name like “Actual Bank of the United States of America, A Global Services Marketplace Group Company” (where "Actual Bank" is the name of a real bank, but not Bank of America.)

Saturday, February 11, 2012

Layer Juggling

Consider:
  1. vim windows (Ctrl+W{w, W, h, j, k, l, ...})
  2. vim tabs (gt, gT, :tab, ...)
  3. screen session (Ctrl+Z ...) [because I liked Ctrl+A as beginning-of-line]
  4. terminal window tabs (Ctrl+{PageUp, PageDown, Shift+PageUp, Shift+PageDown, ...})
  5. application windows, e.g. other terminals (Alt+`, Alt+Shift+`) [a distinction newly required in Unity and Gnome-Shell’s defaults]
  6. other applications (Alt+Tab, Alt+Shift+Tab) [may include all workspaces]
  7. other workspaces (Ctrl+Alt+{↑, ↓} for gnome-shell and Unity, additionally Ctrl+Alt+{←, →} for Unity; also with Shift to drag a window with you)
My setup of Windows at work doesn’t have layers 4, 5, or 7, and it’s still too many to handle effectively.  Even if the command is right for the intent, the wrong result can still happen, for instance when I go to change window in vim and firefox closes a tab or two because it had the keyboard focus.

I get layers 2 and 3 mixed up so frequently that I typically only have tabs open in vim for a wide-ranging interface change inside my code, where I need to update model, validation, and view/controller all at once.  Each of those scopes gets a tab, and the tab is split into windows for each affected file of that particular scope.  If I have to muck around in more than two different layers at once, it gets extremely error-prone.

I think this is the reason people try to do everything inside emacs: if it’s run within a single frame, which I boldly claim is the common case, it combines layers 1 through 4 into a common framework, and leaves only layer 6 as important on the desktop.  You don’t need workspaces to tame a sprawling collection of windows anymore, because most of them are inside emacs.

Thursday, February 9, 2012

TLS (nee SSL) and SSH: A Compact Comparison

TLS and SSH rely on basically the same math for their connections.  The handshake uses asymmetric (public-key) cryptography to establish a symmetric session key, and that key then encrypts the bulk of the session traffic, since symmetric ciphers are far faster.  How the session key is established depends on the key-exchange method: with RSA key exchange in TLS, the client picks the secret it is derived from and sends it encrypted to the server's public key; with Diffie-Hellman (what SSH always does, and what the forward-secret TLS suites do), both sides derive it and the server signs the exchange with its key, so the client knows whose key it is dealing with.

The main difference comes in how that initial asymmetric key is determined to be the one that legitimately belongs to the server, rather than an attacker who is trying to intercept communications.
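The SSH side of that difference, as an added example that is not code from the original post: ssh(1) trusts a server key because it was recorded in ~/.ssh/known_hosts the first time the host was contacted, so every later check is a comparison against that record rather than a certificate chain.  The fingerprint format (SHA256: followed by unpadded base64) and the HashKnownHosts entry format (|1|salt|HMAC-SHA1) are OpenSSH's; the key blobs and hostnames are constructed for the example and are not real keys.

```python
"""SSH-style server-key trust: OpenSSH fingerprints and a known_hosts check.

Added example, not from the original post.  Key blobs and hostnames below
are constructed sample data, not real SSH keys or real hosts.
"""
import base64
import hashlib
import hmac
import os


def fingerprint_sha256(key_blob):
    """OpenSSH-style 'SHA256:<base64 without padding>' fingerprint of a raw
    key blob (the bytes that appear base64-encoded in a known_hosts line)."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hash_hostname(hostname, salt=None):
    """Build the '|1|<salt>|<mac>' host field that HashKnownHosts writes:
    HMAC-SHA1 keyed with a 20-byte random salt over the hostname."""
    if salt is None:
        salt = os.urandom(20)
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())


def host_matches(entry_host, hostname):
    """Match a known_hosts host field (plain 'a,b,c' list or hashed form)
    against a hostname."""
    if entry_host.startswith("|1|"):
        _, _, salt_b64, mac_b64 = entry_host.split("|")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(mac_b64)
        actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    return hostname in entry_host.split(",")


class KnownHosts:
    """Trust-on-first-use store modelled on ~/.ssh/known_hosts."""

    def __init__(self, lines=()):
        # Each line: "<host field> <key type> <base64 key blob>"
        self.entries = []
        for line in lines:
            host, keytype, blob_b64 = line.split()[:3]
            self.entries.append((host, keytype, base64.b64decode(blob_b64)))

    def check(self, hostname, keytype, key_blob):
        """'ok' if host is known with this key; 'new' (and record it) if the
        host was never seen; 'MISMATCH' if the host is known under a
        different key, which is what the big ssh warning is about."""
        seen_host = False
        for host, kt, blob in self.entries:
            if kt == keytype and host_matches(host, hostname):
                seen_host = True
                if hmac.compare_digest(blob, key_blob):
                    return "ok"
        if seen_host:
            return "MISMATCH"
        self.entries.append((hostname, keytype, key_blob))
        return "new"


# Constructed stand-ins for raw key blobs (not real ed25519 keys).
SERVER_KEY = b"constructed key blob for the legitimate server"
ATTACKER_KEY = b"constructed key blob for an impostor in the middle"


def demo():
    """Run the trust decisions an SSH client makes; returns outcome per case."""
    b64 = lambda blob: base64.b64encode(blob).decode()
    store = KnownHosts([
        "git.example.test ssh-ed25519 " + b64(SERVER_KEY),
        hash_hostname("db.example.test") + " ssh-ed25519 " + b64(SERVER_KEY),
    ])
    return {
        "first_contact": store.check("new.example.test", "ssh-ed25519", SERVER_KEY),
        "repeat_contact": store.check("new.example.test", "ssh-ed25519", SERVER_KEY),
        "known_plain": store.check("git.example.test", "ssh-ed25519", SERVER_KEY),
        "known_hashed": store.check("db.example.test", "ssh-ed25519", SERVER_KEY),
        "impostor": store.check("git.example.test", "ssh-ed25519", ATTACKER_KEY),
        "server_fp": fingerprint_sha256(SERVER_KEY),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print("%-15s %s" % (case, outcome))
```

Note what the "new" case does not do: nothing in the store can tell the client whether the first key it ever saw was the server's, so that decision falls on the user reading the fingerprint.  A TLS client answers the same question by checking a chain of signatures back to a root in its CA store, plus a name check against the certificate, which is why it can connect to a host it has never seen without asking.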

Sunday, February 5, 2012

Race conditions, they're everywhere

Ever since I added an SSD, once in a while, gnome2 won't be able to load a random panel applet on login.  (It was a dual-core system until the slow death of I/O interfaces on the motherboard finally consumed SATA, at which point I replaced it with a quad-core board.)  That means that every now and again, I get an error similar to the following:


This OAFIID is actually relatively transparent.  Sometimes, I get ones that look more like a UUID and I ask the dialog, "How does that give me any information?"  There's not even any indication about what the error was.  (It is floating around in ~/.xsession-errors, with the helpful indication that the child didn't return an error.)

Fortunately, the answer is always the same: Don't Delete.  Things will most likely work next login.

A first impression of gnome-shell

Recently, I picked up a spare 8GB USB thumb drive so that I could test out various distributions.  I spent yesterday running Fedora 16 that way, to give gnome-shell a shake or two, since it was resisting my efforts to get it to run under 3D acceleration in VirtualBox.

It turns out that there's one detail I can't stand, and I'd especially not be able to stand if I were switching between gnome3 at home and MS Windows at work: they broke Alt+Tab by introducing Alt+Grave.  With two browser windows and Rhythmbox open, I kept getting Rhythmbox instead of "the last used window".  Also, the Alt+Tab switcher considers all workspaces, which defeats the point of them.

So the race for "what to do when Ubuntu 12.04 comes out" is down to Unity vs. KDE for me.  (I've been sticking to LTS versions since I no longer particularly like fixing things and adapting to gratuitous changes every six months.)

Thursday, February 2, 2012

Linux and BSD

A long time ago, someone characterized the difference between Linux and FreeBSD something like this: “Linux just hacks stuff in randomly.  BSD guys think about how to do it right, then proceed.”

Given that frame of reference, I think of myself as a BSD style programmer.  It may have taken me a ridiculous amount of time to get Amazon SES up and running, but that’s because I went through the existing open(SENDMAIL, "|$sendmail") style code and replaced it with building the email via Email::MIME, with correct encodings and charsets; now I’m more or less guaranteed to generate MIME compliant messages, without copying around boundary generation etc. through all the places that need to send mail.

And before all that, I had to understand how Perl handled Unicode so that I could understand how to make everything work, always.  For real this time.