gettimeofday() should never be used to measure time
gettimeofday() and time() should only be used to get the current time if the current wall-clock time is actually what you want. They should never be used to measure time or schedule an event X time...
View ArticleOpenSSH certificates
The documentation for OpenSSH certificates (introduced in OpenSSH 5.4) are, shall we say, a bit lacking. So I'm writing down the essentials of what they are and how to use them. What they are NOT...
View ArticleYubico is awesome
Yubico and their products are awesome. That pretty much sums up this blog post but I'm going to go on anyway. If you're thinking of introducing two-factor authentication to your company, or you're...
View ArticleOptimizing TCP slow start
The short version of the problem and solution I will describe is that while TCP gets up to speed fairly fast, and "fast enough" for many uses, it doesn't accelerate fast enough for short-lived...
View ArticleSecure browser-to-proxy communication
When connecting to a possibly hostile network I want to tunnel all traffic from my browser to some proxy I have set up on the Internet. The obvious way to do this is with a proxy. The problem with...
View ArticleTPM-backed SSL
This is a short howto on setting up TPM-backed SSL. This means that the secret key belonging to an SSL cert is protected by the TPM and cannot be copied off of the machine or otherwise inspected....
View ArticleClik here to view.
Benchmarking TPM-backed SSL
As you can plainly see from this graph, my TPM chip can do approximately 1.4 SSL handshakes per second. A handshake takes about 0.7 seconds of TPM time, so when two clients are connecting the average...
View ArticleBe careful with hashmaps
As you remember from long ago hashes are O(1) best case, but can be O(n) if you get hash collisions. And if you're adding n new entries that means O(n^2). I thought I'd take a look at the...
View ArticleClik here to view.
Shared libraries diamond problem
If you split up code into different libraries you can get a diamond dependency problem. That is you have two parts of your code that depend on different incompatible versions of the same library....
View ArticleInteresting Arping bug report
A few months ago I was strolling in the Debian bug tracking system and found a curious bug filed against Arping, a program I maintain. It said that unlike Arping 2.09, in Arping 2.11 the ARP cache was...
View ArticleCompiling C++ statically
To properly compile a static C++ binary on Linux you have to supply -static, -static-libgcc and -static-libstdc++ when linking. That's fucked up. Never EVER think that linking (at link time or...
View ArticleClik here to view.
Plug computer for always-on VPN
Last time I was at a hacker conference I for obvious reasons didn't want to connect to the local network. It's not just a matter of setting up some simple firewall rules, since the people around you...
View ArticleGPG and SSH with Yubikey NEO
I'm a big fan of hardware tokens for access. The three basic technologies where you have public key crypto are SSH, GPG and SSL. Here I will show how to use a Yubikey NEO to protect GPG and SSH keys...
View ArticleWhy Go is not my favourite language
Go has exceptions and return values for error Yes it does. Yes, it really really does. We can discuss this for hours but in the end it boils down to four points: In Go some errors cause stack...
View ArticleClik here to view.
Next-hop resolution and point-to-point
I had this blog post lying around as a draft for a long time. I didn't think it was was "meaty" enough yet, but since I'm no longer a network consultant I don't think it'll become any meatier. So here...
View ArticleFixing high CPU use on Cisco 7600/6500
Recently some time ago (this blog post has also been lying in draft for a while) someone came to me with a problem they had with a Cisco 7600. It felt sluggish and "show proc cpu" showed that the weak...
View ArticleTPM chip protecting SSH keys
Update 2: I have something I think will be better up my sleeve for using the TPM chip with SSH. Stay tuned. In the mean time, the below works. Finally, I found out how to use a TPM chip to protect SSH...
View ArticleShould I generate my keys in software or hardware?
A Hardware Security Module (HSM) is any hardware that you can use for crypto operations without revealing the crypto keys. Specifically I'm referring to the Yubikey NEO and TPM chips, but it should...
View ArticleTPM chip protecting SSH keys - properly
Not long after getting my TPM chip to protect SSH keys in a recent blog post, it started to become obvious that OpenCryptoKi was not the best solution. It's large, complicated, and, frankly, insecure....
View ArticleHow TPM-protected SSH keys work
In my last blog post I described how to set up SSH with TPM-protected keys. This time I'll try to explain how it works. I was very tired when I wrote this. I'll re-read it tomorrow to check if I got...
View Article