Freelancer, Python, Debian, Infosec

Few things piss me off more than a huge, multi-billion IT corporation that suddenly sends me an email regarding an open-source project I’ve been running since the 1990s and that I’ve recently shut down due to an absolute lack of interest from its users, which happened to be telcos and large IT companies. Here’s what I replied:

Thank you for your email. As it’s often the case with open-source projects, their value to organisations is only noticed and appreciated when they go offline. I have maintained pam_tacplus for the last years and it had the call for sponsorship prominently displayed for most of the time specifically because it’s a legacy project that is difficult to maintain. None of the commercial companies that clearly do rely on it ever demonstrated any interest in even nominal donations, so it was archived. While it’s notable someone finally noticed it, I’m not the person to discuss any future development any more.

I did work in large companies and I do understand the sick logic that drives them, when it’s easier to get approval for annual spending of $50k for some office decorations than $100 for a mission-critical project which happens to be open-source and can be used for free for some time.

But it’s possible. If you’re working in such roles, please make every effort to get this $100 because otherwise it will become your responsibility to develop and maintain code that you always got for free.

Von der Leyen completely broken and corrupt, WTF? 😳

EU Commission sues Data Protection Supervisor

"The EU Commission is suing the EU Data Protection Supervisor because it wants to keep using Microsoft products."
🔥🔥🔥
https://tarnkappe.info/artikel/it-sicherheit/datenschutz/eu-kommission-verklagt-datenschutzbeauftragten-298192.html

No, that's not how it works. It is precisely not at the discretion of a security authority what it wants to do. And measures must be specific, transparent and proportionate. Fundamental rights cannot simply be restricted; that is the clear mandate of the Basic Law. And the Federal Constitutional Court has made this clear to the legislature often enough. Quite honestly: the attitude expressed in the quote scares me [2/2]

In the debate on my activity report, a representative of the CDU/CSU said the following: "Since I have already spoken earlier about the police investigative authorities, I may also address the Federal Police Act. Here the Data Protection Commissioner criticises the question of necessity in detail, which still needs to be set out more precisely. I'll tell you one thing: necessary is everything that protects people; that's how simple this rule is to make." [1/2]

Fellingshaeuser 🏳️‍🌈💚🇪🇺🇬🇱💉💉💉💉💉

Thanks to those responsible at the , for the great flag decorations for the AfD party conference.

@katjaberlin: "You used to have to read Karl Marx to count as left-wing. Today it's enough to sit on a bicycle and not want to be run over."

"The university has official bicycles now?" "Pedal-party funding." (In the original: "Trittmittelförderung", a pun on "Drittmittelförderung", third-party funding.)

"AfD members of parliament are deliberately targeting non-profit associations:
the goal is revocation of their charitable status"

Ok, now it's getting funny. All OpenR@athaus instances, i.e. the e-government services of 300 municipalities, are now simply offline. Thanks @bsi !

Aarøn 🇪🇺 🇺🇦 oko

And I thought my app-controlled range hood was the dumbest thing there is...

patrislav ♟ #RIPNatenom

Had a terrible laughing fit at the breakfast table today. Thanks @sueddeutsche_feed

“I could rewrite ”

Here's my collection of some less cheerful quotes to keep me firmly grounded. Blogged three years ago today:

https://daniel.haxx.se/blog/2021/05/20/i-could-rewrite-curl/

I wish more people who are worried about FOSS supply side attacks would realize that universal basic income and free healthcare would result in an almost infinite stream of excellent software from people who care more about quality than profit.

Intelligent Cat Humor

This xz backdoor thing reminds me of a story I heard from friends that worked at a tech company that made cell phones. They had a great coder that worked on the project, he had put in work as a contractor for a few months, and due to the quality of his work he was hired in full time. After two months he simply stopped showing up to the office.

An investigation turned up the following interesting items. His account had accessed all files including source code to *all* cellular projects - in that he had apparently downloaded a copy of everything. He had committed a large amount of contributions to the project he was assigned to. None of his paychecks were ever cashed. A wellness check to the house he had rented was performed and the house was completely empty. Per the landlord he'd paid for 6 months rent in advance in cash. Apparently he never physically moved in. No record for him nor his social security number seemed to check out. The guy was a ghost.

I was asked about recommendations on future prevention by friends who worked there - no idea how far they got in their investigation, if backdoors were ever found or even existed, or if the Feds were ever involved. The punch line? This was probably a couple of decades ago.

This shit is real, and it has been going on for a long time.

Super happy with my Framework laptop by the way!

The module system is great. I printed a snack drawer today! Now I can always take three peanuts with me!

Docusign just admitted that they use customer data (i.e., all those contracts, affidavits, and other confidential documents we send them) to train AI:

https://support.docusign.com/s/document-item?language=en_US&bundleId=fzd1707173174972&topicId=uss1707173279973.html

They state that customers "contractually consent" to such use, but good luck finding it in their Terms of Service. There also doesn't appear to be a way to withdraw consent, but I may have missed that.

@shortridge While working tech support, I got a call on a Monday. Some VPNs which had been working on Friday were no longer working. After a little digging, we found the negotiation was failing due to a certificate validation failure.

The certificate validation was failing because the system couldn’t check the certificate revocation list (CRL).

The system couldn’t check the CRL because it was too big. The software doing the validation only allocated 512kB to store the CRL, and it was bigger than that. This is from a private certificate authority, though, and 512kB is a *LOT* of revoked certificates. Shouldn’t be possible for this environment to hit within a human lifespan.

Turns out the CRL was nearly a megabyte! What gives? We check the certificate authority, and it’s revoking and reissuing every single certificate it has signed once per second.

The revocations say all the certificates (including the certificate authority’s) are expired. We check the expiration date of the certificate authority, and it’s set to some time in 1910. What? It was around here I started to suspect what had happened.

The certificate authority isn’t valid before some time in 2037. It was waking up every second, seeing the current date was after the expiration date and reissuing everything. But time is linear, so it doesn’t make sense to reissue an expired certificate with an earlier not-valid-before date, so it reissued all the certs with the same dates and went to sleep. One second later, it woke up and did the whole process over again. But why the clearly invalid dates on the CA?

The CA operation log was packed with revocations and reissues, but I eventually found the reissues which changed the validity dates of the CA’s certificate. Sure enough, it reissued itself in 2037 and the expiration date was set to 2037 plus ten years, which fell victim to the 2038 limitation. But it’s not 2037, so why did the system think it was?

The OS running the CA was set to sync with NTP every 120 seconds, and it used a really bad NTP client which blindly set the time to whatever the NTP server gave it. No sanity checking, no drifting. Just get the time, set the time. OS logs showed most of the time, the clock adjustment was a fraction of a second. Then some time on Saturday, there was an adjustment of tens of thousands of seconds forward. The next adjustment was hundreds of thousands of seconds forward. Tens of millions of seconds forward. Eventually it hit billions of seconds backwards, taking the system clock back to 1904 or so. The NTP server was racing forward through the 32-bit timestamp space.

At some point, the NTP server handed out a date in 2037 which was after the CA’s expiration. It reissued itself as I described above, and a date math bug resulted in a cert which expired before it was valid. So now we have an explanation for the CRL being so huge. On to the NTP server!

Turns out they had an NTP “appliance” with a radio clock (i.e., a CDMA radio, GPS receiver, etc.). Whoever built it had done so in a really questionable way. It seems it had a faulty internal clock which was very fast. If it lost upstream time for a while, then reacquired it after the internal clock had accumulated a whole extra second, the server didn’t let itself step backwards or extend the duration of a second. The math it used to correct its internal clock somehow resulted in dramatically shortening the duration of a second until it wrapped in 2038 and eventually ended up at the correct time.

Ultimately found three issues:
• An OS with an overly-simplistic NTP client
• A certificate authority with a bad date math system
• An NTP server with design issues and bad hardware

Edit: The popularity of this story has me thinking about it some more.

The 2038 problem happens because when the first bit of a 32-bit value is 1 and you use it as a signed integer, it’s interpreted as a negative number in 2’s complement representation. But C has no protection from treating the same value as signed in some contexts and unsigned in others. If you start with a signed 32-bit integer with the value -1, it is represented in memory as 0xFFFFFFFF. If you then use it as an unsigned integer, it becomes the value 4,294,967,296.

I bet the NTP box subtracted the internal clock’s seconds from the radio clock’s seconds as signed integers (getting -1 seconds), then treated it as an unsigned integer when figuring out how to adjust the tick rate. It suddenly thought the clock was four billion seconds behind, so it really has to sprint forward to catch up!

In my experience, the most baffling behavior is almost always caused by very small mistakes. This small mistake would explain the behavior.

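The two 32-bit slips the story above guesses at, a signed clock offset read back as unsigned and "2037 plus ten years" wrapping past 2038, reproduced as an added C example that is not code from the thread or from any real NTP appliance; the clock values and the MAX_SANE_STEP threshold are constructed assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Constructed model of the two 32-bit mistakes in the post (not the
   appliance's real code): a signed clock offset consumed as unsigned,
   and "2037 plus ten years" wrapping past 2038-01-19. */

/* Offset between the radio clock and the internal clock, in seconds. */
static int32_t clock_offset(int32_t radio_secs, int32_t internal_secs) {
    return radio_secs - internal_secs;   /* -1 when internal runs 1 s fast */
}

/* Buggy consumer: the same bits read as unsigned, so "1 s fast"
   becomes "about 4.29 billion seconds behind". */
static uint32_t offset_as_unsigned(int32_t offset) {
    return (uint32_t)offset;
}

/* Defensive consumer: keep the sign and refuse implausible steps.
   MAX_SANE_STEP is an assumed threshold, not a value from the post. */
#define MAX_SANE_STEP 1000
static int sane_step(int32_t offset, int32_t *applied) {
    if (offset > MAX_SANE_STEP || offset < -MAX_SANE_STEP)
        return 0;                        /* reject: log it, do not slew */
    *applied = offset;
    return 1;
}

/* 32-bit time_t arithmetic; the add is done unsigned so the wrap is
   defined behaviour, then the bits are read back as a signed value. */
static int32_t add_years_32(int32_t t, int years) {
    uint32_t secs = (uint32_t)years * 365u * 86400u;   /* leap days ignored */
    return (int32_t)((uint32_t)t + secs);
}

/* Calendar year of a 32-bit epoch value (needs a 64-bit time_t host). */
static int year_of(int32_t t) {
    time_t tt = (time_t)t;
    struct tm *g = gmtime(&tt);
    return g ? g->tm_year + 1900 : -1;
}

int main(void) {
    int32_t jan_2037 = 2114380800;  /* 2037-01-01T00:00:00Z, constructed */
    int32_t applied = 0;
    printf("offset as unsigned: %u\n", offset_as_unsigned(clock_offset(100, 101)));
    printf("sane_step accepted: %d\n", sane_step(clock_offset(100, 101), &applied));
    printf("2037 + 10y -> year %d\n", year_of(add_years_32(jan_2037, 10)));
    return 0;
}
```

The wrapped value lands in November 1910, which is the decade the post reports for the CA's bogus expiry date.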
Zero Trust Environments
