Channel: Blargh
Browsing all 115 articles

gettimeofday() should never be used to measure time

gettimeofday() and time() should only be used to get the current time if the current wall-clock time is actually what you want. They should never be used to measure time or schedule an event X time...



OpenSSH certificates

The documentation for OpenSSH certificates (introduced in OpenSSH 5.4) is, shall we say, a bit lacking. So I'm writing down the essentials of what they are and how to use them. What they are NOT...



Yubico is awesome

Yubico and their products are awesome. That pretty much sums up this blog post but I'm going to go on anyway. If you're thinking of introducing two-factor authentication to your company, or you're...


Optimizing TCP slow start

The short version of the problem and solution I will describe is that while TCP gets up to speed fairly fast, and "fast enough" for many uses, it doesn't accelerate fast enough for short-lived...


Secure browser-to-proxy communication

When connecting to a possibly hostile network I want to tunnel all traffic from my browser to some proxy I have set up on the Internet. The obvious way to do this is with a proxy. The problem with...



TPM-backed SSL

This is a short howto on setting up TPM-backed SSL. This means that the secret key belonging to an SSL cert is protected by the TPM and cannot be copied off of the machine or otherwise inspected....


Benchmarking TPM-backed SSL

As you can plainly see from this graph, my TPM chip can do approximately 1.4 SSL handshakes per second. A handshake takes about 0.7 seconds of TPM time, so when two clients are connecting the average...


Be careful with hashmaps

As you remember from long ago, hashes are O(1) in the best case, but can be O(n) if you get hash collisions. And if you're adding n new entries, that means O(n^2). I thought I'd take a look at the...


Shared libraries diamond problem

If you split up code into different libraries you can get a diamond dependency problem. That is you have two parts of your code that depend on different incompatible versions of the same library....



Interesting Arping bug report

A few months ago I was strolling in the Debian bug tracking system and found a curious bug filed against Arping, a program I maintain. It said that unlike Arping 2.09, in Arping 2.11 the ARP cache was...


Compiling C++ statically

To properly compile a static C++ binary on Linux you have to supply -static, -static-libgcc and -static-libstdc++ when linking. That's fucked up. Never EVER think that linking (at link time or...


Plug computer for always-on VPN

Last time I was at a hacker conference I for obvious reasons didn't want to connect to the local network. It's not just a matter of setting up some simple firewall rules, since the people around you...


GPG and SSH with Yubikey NEO

I'm a big fan of hardware tokens for access. The three basic technologies where you have public key crypto are SSH, GPG and SSL. Here I will show how to use a Yubikey NEO to protect GPG and SSH keys...



Why Go is not my favourite language

Go has exceptions and return values for errors. Yes it does. Yes, it really really does. We can discuss this for hours but in the end it boils down to four points: In Go some errors cause stack...


Next-hop resolution and point-to-point

I had this blog post lying around as a draft for a long time. I didn't think it was "meaty" enough yet, but since I'm no longer a network consultant I don't think it'll become any meatier. So here...



Fixing high CPU use on Cisco 7600/6500

Recently some time ago (this blog post has also been lying in draft for a while) someone came to me with a problem they had with a Cisco 7600. It felt sluggish and "show proc cpu" showed that the weak...


TPM chip protecting SSH keys

Update 2: I have something I think will be better up my sleeve for using the TPM chip with SSH. Stay tuned. In the meantime, the below works. Finally, I found out how to use a TPM chip to protect SSH...



Should I generate my keys in software or hardware?

A Hardware Security Module (HSM) is any hardware that you can use for crypto operations without revealing the crypto keys. Specifically I'm referring to the Yubikey NEO and TPM chips, but it should...


TPM chip protecting SSH keys - properly

Not long after getting my TPM chip to protect SSH keys in a recent blog post, it started to become obvious that OpenCryptoKi was not the best solution. It's large, complicated, and, frankly, insecure....


How TPM-protected SSH keys work

In my last blog post I described how to set up SSH with TPM-protected keys. This time I'll try to explain how it works. I was very tired when I wrote this. I'll re-read it tomorrow to check if I got...
