Older blog entries for Stevey (starting at number 151)

Debian Autobuilders

After managing this once a few months ago I'm having serious trouble trying to get Debian built from source on a spare building box.

I've retired my previous box, and am replacing it with a Dell Lx800, which is intended to rebuild all the packages I have installed from source, in a Gentoo-like fashion.

(I am purely doing this so that I can take advantage of the SSP support in GCC, not to gain insane optimisations)

Any people who've done this feel free to mail me "skx at debian dot orgy"

distcc inadequacies

Distcc is a distributed compiling environment for gcc; it supports building source on a pretty arbitrary number of machines.

I've even seen a Knoppix derivative which is optimised for this, the idea being you boot a roomful of boxes with it, and they're all set up as little compilation servers.

However it is less than ideal: you have to give it a list of all the machines that are "alive" for compiling.

This seems wrong to me, I can't help thinking that each available node should respond to a ping of some kind - that way when you boot up half the machines in the office one evening you can just get your "source machine" to sweep the local subnet for active machines to send jobs to.

Surely somebody has already done this?

I imagine it would be trivial to write a program to respond to an ICMP echo packet, or UDP broadcast with an "I'm alive" message - so it wouldn't even have to be integrated into the program itself.

Comments?
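The "sweep the subnet for live nodes" idea above, as an added example that is not part of the original entry and not code from the distcc project: a tiny UDP discovery protocol in C. The responder side answers a broadcast probe with its CPU count; the sweeper side broadcasts once, collects replies for a second, and prints them in distcc's host/limit form. The wire format, the port (3633, one above distcc's own 3632) and all function names are my constructions.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <unistd.h>

#define DISCOVER_PORT 3633               /* constructed: distcc itself listens on 3632 */
#define PROBE         "DISTCC-PROBE 1\n" /* constructed wire format for the probe */
#define REPLY_PREFIX  "DISTCC-ALIVE "    /* reply is "DISTCC-ALIVE <ncpus>\n" */

/* Parse a reply; returns the advertised CPU count, or -1 if malformed. */
int parse_reply(const char *msg, size_t len)
{
    size_t plen = strlen(REPLY_PREFIX);
    if (len < plen + 2 || memcmp(msg, REPLY_PREFIX, plen) != 0) return -1;
    char *end;
    long n = strtol(msg + plen, &end, 10);
    if (end == msg + plen || *end != '\n' || n < 1 || n > 4096) return -1;
    return (int)n;
}

/* Format a reply for a node with `ncpus` cores; returns bytes written or -1. */
int format_reply(char *out, size_t cap, int ncpus)
{
    int n = snprintf(out, cap, "%s%d\n", REPLY_PREFIX, ncpus);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

/* Format then parse, so the two sides of the protocol are checked together. */
int roundtrip(int ncpus)
{
    char buf[64];
    int n = format_reply(buf, sizeof buf, ncpus);
    return n < 0 ? -1 : parse_reply(buf, (size_t)n);
}

/* Responder: answer every well-formed probe with our CPU count. */
static int run_responder(int ncpus)
{
    int s = socket(AF_INET, SOCK_DGRAM, 0);
    struct sockaddr_in me;
    memset(&me, 0, sizeof me);
    me.sin_family = AF_INET;
    me.sin_port = htons(DISCOVER_PORT);
    me.sin_addr.s_addr = htonl(INADDR_ANY);
    if (s < 0 || bind(s, (struct sockaddr *)&me, sizeof me) < 0) { perror("bind"); return 1; }
    for (;;) {
        char buf[64], reply[64];
        struct sockaddr_in peer;
        socklen_t plen = sizeof peer;
        ssize_t n = recvfrom(s, buf, sizeof buf, 0, (struct sockaddr *)&peer, &plen);
        if (n == (ssize_t)strlen(PROBE) && memcmp(buf, PROBE, (size_t)n) == 0) {
            int r = format_reply(reply, sizeof reply, ncpus);
            if (r > 0) sendto(s, reply, (size_t)r, 0, (struct sockaddr *)&peer, plen);
        }
    }
}

/* Sweeper: broadcast one probe, print every valid reply until 1s of silence. */
static int run_sweep(void)
{
    int s = socket(AF_INET, SOCK_DGRAM, 0), one = 1;
    if (s < 0 || setsockopt(s, SOL_SOCKET, SO_BROADCAST, &one, sizeof one) < 0) { perror("socket"); return 1; }
    struct sockaddr_in bc;
    memset(&bc, 0, sizeof bc);
    bc.sin_family = AF_INET;
    bc.sin_port = htons(DISCOVER_PORT);
    bc.sin_addr.s_addr = htonl(INADDR_BROADCAST);
    sendto(s, PROBE, strlen(PROBE), 0, (struct sockaddr *)&bc, sizeof bc);
    for (;;) {
        fd_set rd;
        struct timeval tv = { 1, 0 };
        FD_ZERO(&rd);
        FD_SET(s, &rd);
        if (select(s + 1, &rd, NULL, NULL, &tv) <= 0) break;   /* quiet for 1s: done */
        char buf[64];
        struct sockaddr_in peer;
        socklen_t plen = sizeof peer;
        ssize_t n = recvfrom(s, buf, sizeof buf, 0, (struct sockaddr *)&peer, &plen);
        int cpus = n > 0 ? parse_reply(buf, (size_t)n) : -1;
        if (cpus > 0) printf("%s/%d\n", inet_ntoa(peer.sin_addr), cpus);   /* DISTCC_HOSTS style */
    }
    close(s);
    return 0;
}

int main(int argc, char **argv)
{
    if (argc == 3 && strcmp(argv[1], "serve") == 0 && atoi(argv[2]) > 0) return run_responder(atoi(argv[2]));
    if (argc == 2 && strcmp(argv[1], "sweep") == 0) return run_sweep();
    fprintf(stderr, "usage: %s serve <ncpus> | sweep\n", argv[0]);
    return 2;
}
```

Run `serve 4` on each compile box and `sweep` on the source machine; the output lines can be pasted into DISTCC_HOSTS. The replies are unauthenticated, so anything on the subnet can volunteer as a compile server and hand back whatever object code it likes; before trusting the list, cross-check the responding addresses against the machines you actually own rather than feeding the sweep output to distcc blindly.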

Price Points

I think I'm getting the hang of selling myself now.

Somebody asked for a quote to drop a caching proxy server into a medium sized office.

I initially thought "cheapish dedicated PC + debian stable + squid" = 400 pounds.

My quote? 950 + 50 pounds a month for maintenance.

I am so glad I did the negotiation over the phone; no way could I have quoted that in person, I'd have been too busy laughing.

I remember reading about this a while back on Joelonsoftware, but it is the first time I've tried it. Mostly because I could afford to lose the job at the end of the day.

To an average company there's no difference between 600 and 900; so long as it's less than 1000 it's ok.

Charging more even makes you look more respectable to a certain class of employer.

Old School

Thanks to the availability of high quality emulators for my first computer I've spent a while this week working on random ZX Spectrum hacking.

Even now I think there's a lot of relaxation and fun to be had just poking through memory, and disassembling z80 machine code.

Sure I like x86 but there's nothing quite like the purity of a non-segmented architecture which still has a funky instruction set.

Today my favourite instructions have been "LDIR" and "XLAT" on z80 and x86 respectively.

I even wrote a small piece about shellcode obfuscation inspired by the Speedlock copy protection software used on old Spectrum cassette tapes.

Happy days ..

ITO - logcheck

Due to the appalling manner in which I've left logcheck I'm orphaning it.

I'm sad that this was necessary, but doing it now is definitely the right thing to do.

I offered it back to jjm, but no dice, so see 244271 if you wish to take it.

Debian Security

Another DSA published: DSA-484 (xonix), details.

Although compared to the recent rash of kernel upgrades it is pretty trivial.

Several interesting security related discussions have been happening, with people telling me what to do. Mostly they have been making positive suggestions and trying to help, but a few folk haven't been so encouraging.

I guess it's a question of trying to balance looking at things against looking for work, and spending time away from computers which does seem increasingly attractive. Much like my girls.

Badness

I managed to lose some important code through not having it checked into CVS, and not paying attention on which host I was sat at.

This really does make me wish to resign all interest in the program I was upgrading, and that coupled with extreme lack of time will probably make me do so.

I guess it's a bad end to a bad job.

</cryptic>

Goodness

I'm in the process of setting up a new Debian box to donate to a friend so that she doesn't have to die of frustration with the Windows laptop she has.

Her machine is donated to her as part of her job (as a schoolteacher) and she's pretty much unable to touch it, either through technical lockdowns or through policy.

When she comes to stay with me in the next school holiday it will be ready for her to take away.

A nice Dell Inspiron Lx800 box, not amazing, but not bad. I ran one as my primary Linux desktop at work for a long time and it performed adequately in all respects except for OpenGL / 3D stuff. (I forget what card is in the box.)

SSP

After spotting an updated version of GCC when updating my home unstable box I've updated my SSP enabled version of GCC.

These packages seem quite popular, and more testing is always appreciated. The following lines are the appropriate magic to include in /etc/apt/sources.list:

#
#  SSP Compiler
#
deb     http://people.debian.org/~skx/apt/unstable ./
deb-src http://people.debian.org/~skx/apt/unstable ./

SSP is the new name for the collection of patches formerly known as ProPolice.

The extra code adds buffer overflow protection to static buffers, functions, etc.

Whilst compiled code using this protection isn't immune to exploitation, it significantly raises the bar, and it's a simple means of augmenting a system's security.
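To show what the protection actually does, here is an added example in C; it is not the author's code and not GCC's or the ProPolice project's, just a model of the frame layout the patches produce. The guard word sits between a function's local char array and the saved frame data, is stored in the prologue and checked in the epilogue, so an overflow that reaches the return address trips the check first. The struct, the guard constant and all function names are my constructions; a real build uses a random per-process guard precisely so that input cannot simply write the known value back.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of an SSP/ProPolice-protected stack frame (not GCC's code).
 * The guard lives immediately above the local array, below the saved frame data. */
#define BUF_SIZE    16
#define GUARD_VALUE 0xE2A9C3F1u   /* constructed; real SSP picks a random guard at startup */

struct frame {
    char     buf[BUF_SIZE];   /* local array: the usual overflow target */
    uint32_t guard;           /* canary, immediately above the array */
    uint32_t saved_fp;        /* stands in for the saved frame pointer */
    uint32_t ret_addr;        /* stands in for the return address */
};

/* Mimic an unchecked copy of `len` bytes into f->buf (what strcpy() does with
 * oversized input), running past the array into whatever lies above it. The
 * write is clamped to the struct so the simulation itself stays well defined. */
static void unchecked_copy(struct frame *f, const char *src, size_t len)
{
    if (len > sizeof *f) len = sizeof *f;
    memcpy((unsigned char *)f, src, len);       /* buf is at offset 0 */
}

/* Prologue, buggy body and epilogue of a protected function. Returns 1 when the
 * guard is intact (normal return), 0 when SSP would call __stack_chk_fail and
 * abort rather than return through a corrupted frame. */
int protected_call(const char *src, size_t len, struct frame *out)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.guard    = GUARD_VALUE;                   /* prologue stores the guard */
    f.saved_fp = 0xBBBBBBBBu;
    f.ret_addr = 0xAAAAAAAAu;
    unchecked_copy(&f, src, len);               /* the buggy body */
    if (out) *out = f;
    return f.guard == GUARD_VALUE;              /* epilogue checks the guard */
}

/* Feed `len` bytes of 'A' through protected_call; returns its verdict. */
int overflow_verdict(size_t len)
{
    char payload[64];
    memset(payload, 'A', sizeof payload);
    return protected_call(payload, len < sizeof payload ? len : sizeof payload, NULL);
}

/* 1 if the return-address slot survived a `len`-byte copy, else 0. */
int ret_addr_intact(size_t len)
{
    struct frame f;
    char payload[64];
    memset(payload, 'A', sizeof payload);
    protected_call(payload, len < sizeof payload ? len : sizeof payload, &f);
    return f.ret_addr == 0xAAAAAAAAu;
}

int main(void)
{
    printf("5 bytes : guard %s\n", overflow_verdict(5) ? "ok" : "CORRUPT");
    printf("20 bytes: guard %s\n", overflow_verdict(20) ? "ok" : "CORRUPT");
    printf("28 bytes: guard %s, return address %s\n",
           overflow_verdict(28) ? "ok" : "CORRUPT",
           ret_addr_intact(28) ? "intact" : "overwritten");
    return 0;
}
```

The model also shows the limit the entry mentions: the check only runs at function exit, so an overflow that is used before the function returns (or that corrupts data below the array) is not caught. ProPolice narrows the second case by reordering locals so that pointers and scalars sit below the arrays; the rest is why the text says the bar is raised, not removed.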

I'd love to rebuild the whole of Debian using it, but I don't have the space or bandwidth to distribute it - donations of either welcome ;)

There is good information on the work available at the upstream site - I've also got some information available online at shellcode.org.

I've had success rebuilding large chunks of Debian to use it - from less, sudo, screen, all the way up to big packages such as perl and mozilla.

The only thing I've not managed to get working, due to disk space concerns, is X11. I've also rebuilt the kernel because I'm scared!

Alfie

I'm glad you appreciated the hex diary entry, I had fun making it. I got quite a few comments about it too.

I can normally convert from HEX to ASCII mentally, but going the other way round was a little challenging.

I too used to play with lowlevel stuff, although I've not been doing so much interesting novel things for a while.

Computery Goodness

I wrote a brief walkthrough of how an audit could be done to explain it to a friend.

I also wrote a simple interactive explanation of how XSS attacks work, after mailing a friend about the freshmeat hole and getting a "Huh?" response.

Excuse the simplicity and formatting of both of them - written in a hurry to explain things as best I could.

I may well tidy them up later, not sure there's much need/interest.

Work

No change at work, but I get the day "off" tomorrow. Spending most of the day travelling for a meeting which takes place in the afternoon.

I hope it goes well. I've prepared as well as I can, but I'm sure there will be sudden surprises regardless.

Auditing

The auditing work continues.

Last night I waded through twelve packages and found that eight of them had exploitable flaws. That's in italics because none of them were installed setuid/setgid.

There are two ways to look at this I guess:

  • People don't code securely when they don't need to
  • People never code securely at all, unless they are being very careful, and it was just luck these weren't privileged apps.

Sometimes I feel good when I spot flaws like this, but right now I'm back in the righteous rage; why can't people do this stuff right?

We see the same problem time after time, after time. Is it because a lot of developers just don't get taught this stuff? Is it because they think they will fix it later?

Who knows?

The frustrating thing is that even with fine documents like the secure programming HOWTO nothing changes. I think it doesn't matter how often you tell people what to do, the people that really don't know about this stuff just aren't ever going to read them.

ObHack

ObDebian

Spent a while building some kernel modules as Debian packages, simple things to play with:

  • Trusted path execution
  • Adding a "network" group - and allowing all members of that group to bind() to ports <1024

ObEvil

Added some adverts to my homepage - six pages have an amazon advert out of a site of a couple of hundred pages.

(Obviously the high traffic pages ;)

I'm still in two minds about this - but getting ready for redundancy with no job offers in sight is making me consider the future a little bit more cynically.

Employment
char msg[] = { 0x49,0x66,0x20,0x79,  // S
               0x6f,0x75,0x20,0x63,  // t
               0x61,0x6e,0x20,0x72,  // e
               0x65,0x61,0x64,0x20,  // v
               0x74,0x68,0x69,0x73,  // e
               0x20,0x49,0x20,0x77,  // .
               0x61,0x6e,0x74,0x20,  // o
               0x74,0x6f,0x20,0x77,  // r
               0x6f,0x72,0x6b,0x20,  // g
               0x66,0x6f,0x72,0x20,  // .
               0x79,0x6f,0x75,0x2e,  // u
               0x00 };               // k

