Go has exceptions and return values for error
Yes it does. Yes, it really really does.Read the rest of this entry »
I'm a big fan of hardware tokens for access. The three basic technologies where you have public key crypto are SSH, GPG and SSL. Here I will show how to use a Yubikey NEO to protect GPG and SSH keys so that they cannot be stolen or copied. (well, they can be physically stolen, of course).Read the rest of this entry »
Last time I was at a hacker conference I for obvious reasons didn't want to connect to the local network. It's not just a matter of setting up some simple firewall rules, since the people around you are people who have and are inventing new and unusual attacks. Examples of this would be rogue IPv6 RA and NDs, and people who have actually generated their own signed root CAs. There's also the risk (or certainty) of having all your unencrypted traffic sniffed and altered.
For next time I've prepared a SheevaPlug computer I had laying around. I updated it to a modern Debian installation, added a USB network card, and set it up to provide always-on VPN. This could also be done using a raspberry pi, but I don't have one.Read the rest of this entry »
To properly compile a static C++ binary on Linux you have to supply
-static-libstdc++ when linking.
It said that unlike Arping 2.09, in Arping 2.11 the ARP cache was not updated after successful reply. I thought that was odd, since there's no code to touch the ARP cache, neither read nor write. Surely this behaviour hasn't changed?Read the rest of this entry »
If you split up code into different libraries you can get a diamond dependency problem.
That is you have two parts of your code that depend on different incompatible versions of the same library.
Normally you shouldn't get in this situation. Only someone who hates their users makes a non backwards compatible change to a library ABI. You don't hate your users, do you?Read the rest of this entry »
As you remember from long ago hashes are
O(1) best case, but can be
if you get hash collisions. And if you're adding
n new entries
I thought I'd take a look at the hash_set/hash_map GNU C++ extension.Read the rest of this entry »
As you can plainly see from this graph, my TPM chip can do approximately 1.4 SSL handshakes per second. A handshake takes about 0.7 seconds of TPM time, so when two clients are connecting the average connect time is 1.4 seconds. This means probably not useful on server side, but should be good for some client side applications.Read the rest of this entry »
This is a short howto on setting up TPM-backed SSL. This means that the secret key belonging to an SSL cert is protected by the TPM and cannot be copied off of the machine or otherwise inspected.
Meaning even if you get hacked the attackers cannot impersonate you, if you manage to kick them off or just shut down the server. The secret key is safe. It has never been outside the TPM and never will be.
This can be used for both client and server certs.Read the rest of this entry »
When connecting to a possibly hostile network I want to tunnel all traffic from my browser to some proxy I have set up on the Internet.
The obvious way to do this is with a proxy. The problem with that is that the traffic from the browser to the proxy is not encrypted. Even when you browse to secure SSL sites some traffic is being sent in the clear, such as the host name. That's not so bad, but I want to hide my HTTP traffic too.Read the rest of this entry »