[9fans] exportfs security question
Hullo 9fans.

Can somebody please explain to my slow mind the purpose of this game in /sys/src/cmd/exportfs/exportfs.c (and the corresponding half in cmd/import.c) and where my thoughts on it derail?

    /* exchange random numbers */
    srand(truerand());
    for(i = 0; i < 4; i++)
        key[i+12] = rand();

    if (initial)
        fatal("Protocol botch: old import\n");
    if(readn(netfd, key, 4) != 4)
        fatal("can't read key part; %r\n");
    if(write(netfd, key+12, 4) != 4)
        fatal("can't write key part; %r\n");

truerand() returns (at most) 32 bits of entropy, which gets pushed into srand() and then 32 bits of entropy are read back out... why not just use truerand() directly?

But wait...

We haven't brought up SSL yet, so Eve can read our exchanged random numbers... now these values get shoved into SHA-1 (along with the 56 bits of entropy from Kn derived from p9any authentication) before being used to make the SSL secrets... but... that doesn't seem to matter much. Eve sees the first four, the last four, and knows 1/8th of the middle 8 bytes (p9sk1 gets an 8-byte secret by unpacking a 7-byte DES key) of the input to the SHA-1 function, meaning... Eve still only needs to do at most 2^56 SHA-1 operations to search for our SSL secrets [1]... OK, so Eve can't have precomputed tables to help her out, fair enough, but this still seems dubious.

Subsequently, having done all of this, the secrets fed into the SSL stream contain only 80 bits of entropy, which is itself somewhat small (esp. relative to the ability of rc4 to use 128 or even 256 bit keys).

Am I missing something obvious?

--nwf;

[1] In fact, since Eve knows the first four bytes of the input, she can run a reduced version of SHA-1 having precomputed the state of the machine after the first four rounds (leaving only 76 more to go).
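The entropy accounting in the post above, as an added example that is not part of the original message or of the Plan 9 source: it lays out the 16-byte SHA-1 input the way the post describes and counts the bits an eavesdropper does not already know. The function names, the 7-to-8-byte expansion (a constructed stand-in for the p9sk1 unpacking; the real bit order may differ) and all sample values are assumptions.

```python
import hashlib

def expand56to64(k7: bytes) -> bytes:
    """Unpack a 7-byte key into 8 bytes: 7 key bits in the high bits of each
    byte plus one odd-parity bit. Constructed stand-in for the p9sk1
    unpacking the post mentions; the real bit order may differ."""
    if len(k7) != 7:
        raise ValueError("need exactly 7 key bytes")
    n = int.from_bytes(k7, "big")
    out = bytearray()
    for i in range(8):
        seven = (n >> (49 - 7 * i)) & 0x7F
        parity = (bin(seven).count("1") + 1) & 1  # makes the byte's bit count odd
        out.append((seven << 1) | parity)
    return bytes(out)

def sha1_input(peer4: bytes, kn7: bytes, local4: bytes) -> bytes:
    """key[0:4] is read from the peer, key[4:12] comes from Kn,
    key[12:16] is the local random part that is written to the peer."""
    return peer4 + expand56to64(kn7) + local4

def known_mask() -> bytes:
    """Bits of the 16-byte input an eavesdropper knows or can derive: both
    random parts cross the wire in clear, and each parity bit follows from
    the other seven bits of its byte."""
    return b"\xff" * 4 + b"\x01" * 8 + b"\xff" * 4

def unknown_bits() -> int:
    """Number of input bits that stay secret from the eavesdropper."""
    return sum(8 - bin(m).count("1") for m in known_mask())

def session_digest(peer4: bytes, kn7: bytes, local4: bytes) -> bytes:
    return hashlib.sha1(sha1_input(peer4, kn7, local4)).digest()

# Constructed sample values, not taken from any real session.
KN = bytes.fromhex("0123456789abcd")
D1 = session_digest(b"\x11\x22\x33\x44", KN, b"\xaa\xbb\xcc\xdd")
D2 = session_digest(b"\x55\x66\x77\x88", KN, b"\xaa\xbb\xcc\xdd")

if __name__ == "__main__":
    print("secret bits in the SHA-1 input:", unknown_bits())
    print("same Kn, different peer part, same digest?", D1 == D2)
```

The exchanged random parts change the digest from session to session, which is the "no precomputed tables" effect the post concedes, but they add nothing to the count of secret bits.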
Re: [9fans] yet another cheapo mips board
Very nice, found it in Europe for ~50 EUR:
http://landashop.com/catalog/ubiquiti-routerstation-p-848.html

And for a few EUR more you can get the 'Pro' version with four Gigabit Ethernet ports and 256Mb of RAM:
http://landashop.com/catalog/ubiquiti-routerstation-p-916.html

uriel

On Wed, Apr 8, 2009 at 1:13 AM, ron minnich wrote:
> On Tue, Apr 7, 2009 at 2:07 PM, Devon H. O'Dell wrote:
>> 2009/4/7 ron minnich:
>>> Can't remember if this one came up:
>>> $59. http://www.ubnt.com/products/rs.php
>>
>> Where do you find it for $59? Cheapest I can find from their page is $69.
>>
> yeah. I can't find that page again.
>
> Well, with this price going up at this rate ($10 in just a few hours)
> better order now!
>
> ron
Re: [9fans] yet another cheapo mips board
For 37EUR you can get a more minimalist board:
http://landashop.com/catalog/routerboard-rb411-p-73.html

Still plenty of power to run Inferno...

uriel

On Fri, Apr 10, 2009 at 10:59 AM, Uriel wrote:
> Very nice, found it in Europe for ~50 EUR:
> http://landashop.com/catalog/ubiquiti-routerstation-p-848.html
>
> And for a few EUR more you can get the 'Pro' version with four
> Gigabit Ethernet ports and 256Mb of RAM:
> http://landashop.com/catalog/ubiquiti-routerstation-p-916.html
>
> uriel
>
> On Wed, Apr 8, 2009 at 1:13 AM, ron minnich wrote:
>> On Tue, Apr 7, 2009 at 2:07 PM, Devon H. O'Dell wrote:
>>> 2009/4/7 ron minnich:
>>>> Can't remember if this one came up:
>>>> $59. http://www.ubnt.com/products/rs.php
>>>
>>> Where do you find it for $59? Cheapest I can find from their page is $69.
>>>
>> yeah. I can't find that page again.
>>
>> Well, with this price going up at this rate ($10 in just a few hours)
>> better order now!
>>
>> ron
Re: [9fans] exportfs security question
> truerand() returns (at most) 32 bits of entropy, which gets pushed into
> srand() and then 32 bits of entropy are read back out... why not just use
> truerand() directly?

This bit I know, truerand() reads /dev/random (see cons(1)) and can only generate "a few hundred bits per second".

rand is pretty good (I think) but it is predictable, by seeding it from truerand() the predictability is avoided.

-Steve.
Re: [9fans] exportfs security question
On Fri, Apr 10, 2009 at 07:48:54AM -0400, erik quanstrom wrote:
> > We haven't brought up SSL yet, so Eve can read our exchanged random
> > numbers... now these values get shoved into SHA-1 (along with the 56 bits of
> > entropy from Kn derived from p9any authentication) before being used to make
> > the SSL secrets... but... that doesn't seem to matter much. Eve sees the
> > first four, the last four, and knows 1/8th of the middle 8 bytes (p9sk1 gets
> > an 8-byte secret by unpacking a 7-byte DES key) of the input to the SHA-1
> > function, meaning... Eve still only needs to do at most 2^56 SHA-1
> > operations to search for our SSL secrets [1]... OK, so Eve can't have
> > precomputed tables to help her out, fair enough, but this still seems
> > dubious.
> >
> > Subsequently, having done all of this, the secrets fed into the SSL stream
> > contain only 80 bits of entropy, which is itself somewhat small (esp.
> > relative to the ability of rc4 to use 128 or even 256 bit keys).
>
> eve has to do zero computation to get at your plain-text stream.
> i think they call it transport security for a reason. :-)

he probably means eve as in eavesdropper. alice, bob, eve & friends.

mjl
Re: [9fans] exportfs security question
> We haven't brought up SSL yet, so Eve can read our exchanged random
> numbers... now these values get shoved into SHA-1 (along with the 56 bits of
> entropy from Kn derived from p9any authentication) before being used to make
> the SSL secrets... but... that doesn't seem to matter much. Eve sees the
> first four, the last four, and knows 1/8th of the middle 8 bytes (p9sk1 gets
> an 8-byte secret by unpacking a 7-byte DES key) of the input to the SHA-1
> function, meaning... Eve still only needs to do at most 2^56 SHA-1
> operations to search for our SSL secrets [1]... OK, so Eve can't have
> precomputed tables to help her out, fair enough, but this still seems
> dubious.
>
> Subsequently, having done all of this, the secrets fed into the SSL stream
> contain only 80 bits of entropy, which is itself somewhat small (esp.
> relative to the ability of rc4 to use 128 or even 256 bit keys).

eve has to do zero computation to get at your plain-text stream. i think they call it transport security for a reason. :-)

if you don't trust eve, then you can't trust /dev/truerand. in fact, why would an untrustable eve run the right exportfs? but eve doesn't need to work that hard.

it gets worse. since ssl is part of a kernel device, eve gets to see your keys anyway. but eve doesn't need them. since ssl is in the kernel, eve sees the plain text side of the communication.

i think the network is more of a practical worry.

- erik
Re: [9fans] extensions of "interest"
Skip Tavakkolian wrote:
ps, the quote is "Simplify, then add lightness"

On Thu, Apr 9, 2009 at 3:30 PM, andrey mirtchovski wrote:
Is this sarcasm?

yes, but not addressed towards Mr. Chapman, bless his cars. glad at least one person caught that. internet is bizarro world.

according to wikiquote.org it is "Simplicate, then add lightness". i had not heard it before; it's good.

i've always thought that quote was due to william bushnell stout, an aeronautical and automotive engineer. whoever said it, it _is_ good. and worth remembering.

john cummings
Re: [9fans] exportfs security question
On Fri, Apr 10, 2009 at 02:08:25PM +0200, Mechiel Lukkien wrote:
> On Fri, Apr 10, 2009 at 07:48:54AM -0400, erik quanstrom wrote:
> > > We haven't brought up SSL yet, so Eve can read our exchanged random
> > > numbers... now these values get shoved into SHA-1 (along with the 56 bits of
> > > entropy from Kn derived from p9any authentication) before being used to make
> > > the SSL secrets... but... that doesn't seem to matter much. Eve sees the
> > > first four, the last four, and knows 1/8th of the middle 8 bytes (p9sk1 gets
> > > an 8-byte secret by unpacking a 7-byte DES key) of the input to the SHA-1
> > > function, meaning... Eve still only needs to do at most 2^56 SHA-1
> > > operations to search for our SSL secrets [1]... OK, so Eve can't have
> > > precomputed tables to help her out, fair enough, but this still seems
> > > dubious.
> > >
> > > Subsequently, having done all of this, the secrets fed into the SSL stream
> > > contain only 80 bits of entropy, which is itself somewhat small (esp.
> > > relative to the ability of rc4 to use 128 or even 256 bit keys).
> >
> > eve has to do zero computation to get at your plain-text stream.
> > i think they call it transport security for a reason. :-)
>
> he probably means eve as in eavesdropper. alice, bob, eve & friends.

Erm, yes, that... the name collision didn't even occur to me. Sorry. :)

--nwf;
Re: [9fans] exportfs security question
On Fri, Apr 10, 2009 at 11:25:02AM +0100, Steve Simon wrote:
> > truerand() returns (at most) 32 bits of entropy, which gets pushed into
> > srand() and then 32 bits of entropy are read back out... why not just use
> > truerand() directly?
>
> This bit I know, truerand() reads /dev/random (see cons(1)) and
> can only generate "a few hundred bits per second".
>
> rand is pretty good (I think) but it is predictable, by seeding it from
> truerand() the predictability is avoided.

Be that as it may, we put in 32 bits and read out 32 bits and AFAICT the rest of exportfs doesn't avail itself of rand().

--nwf;
Re: [9fans] a bit OT, programming style question
Eris Discordia wrote:
> And I haven't really ever used Plan 9 or "been into it." The
> no-herpes indicator is that strong.

New, from 9fans Cinemas, the long-awaited summer blockbuster: "An Unsurprising Truth", starring Eris Discordia

And don't forget the upcoming sequel, "Why The Hell Are You Even On This List", with a cast of thousands, three hundred dancing rabbits, and a world-class score (if you have a compatible audio device)!

John
Re: [9fans] a bit OT, programming style question
On Thu, Apr 9, 2009 at 6:09 PM, Eris Discordia wrote:
>> It only starts to balloon once you begin customizing bash.
>
> Have you customized your bash by aliases as long as tens or hundreds of
> lines? Now is it bash's fault you have defined an alias for something that
> ought to be a script/program in its own right?

No, bash's completion system is what's responsible for line numbers in the thousands.

>
> --On Thursday, April 09, 2009 3:34 PM -0400 "J.R. Mauro"
> wrote:
>
>>> No, it's very likely bigger. wc -l is lines of course, and I'm
>>> guessing each line is more than 1 character. However,
>>>
>>> $ set | wc -l
>>> 64
>>>
>>> I don't quite get that locally.
>>
>> It only starts to balloon once you begin customizing bash. I'm not
>> sure how rc handles functions, but the nice thing about zsh is that it
>> compiles them to bytecode instead of this insanity that bash employs.
Re: [9fans] a bit OT, programming style question
On Thu, Apr 9, 2009 at 6:34 PM, Eris Discordia wrote:
>> this is the "space-shuttle dichotomy." it's a false one. it's a
>> continuum. its ends are dangerous.
>
> So somewhere in the middle is the golden mean? I have no objections to that.
> *BSD systems very well represent a silver, if not a golden, mean--just my
> idea, of course.
>
>> it is interesting to me that some software manages to run off both
>> ends of this continuum at the same time. in linux your termcap
>> from 1981 will still work, but software written to access /sys last
>> year is likely out-of-date.
>
> While I won't vouch for Linux as a good OS (user-land and kernel combined) I
> understand what you see as its eccentricity is merely a side-effect of
> openness. Tighten the development up and you get a BSD-style system
> (committer/contributor/maintainer/grunt/user highest-to-lowest ranking, with
> a demiurge position for Theo de Raadt). Tighten it even further up with
> in-ken shared among a core group of old-timers and thoroughbreds transmitted
> only to serious researchers and you get Plan 9.
>
> You are right, after all. It all lies on a continuum. Actually, more tightly
> regulated Linux distros such as Slackware readily demonstrate that; they
> easily beat all-out all-open distros like Fedora (whose existence is
> probably perceived at Red Hat as a big brainstorming project).
>
>> your insinuation that *bsd is a real serious system and plan 9 is
>> a research system doesn't make any historical sense to me. they
>> both started as research systems. i am not aware of any law that
>> prevents a system that started as a research project from becoming
>> a serious production system.
>
> What I am insinuating is more like this: any serious system will sooner or
> later have to grow warts and/or contract herpes. That's an unavoidable
> consequence of social life. If you do insist that Plan 9 has no warts, or
> far less warts than the average, or that it has never seen a cold sore on
> its upper lip then I'll happily conclude it has never lived socially. And I
> haven't really ever used Plan 9 or "been into it." The no-herpes indicator
> is that strong.

So you're saying that I don't have a social life since I've never gotten herpes? I suppose from your demeanor that we can compare you to, say, Windows ME?

>
>> i know of many thousands of plan 9 systems in production right
>> now.
>
> Good for you. Honestly.
>
> --On Thursday, April 09, 2009 11:06 AM -0400 erik quanstrom
> wrote:
>
>> On Thu Apr 9 10:48:08 EDT 2009, eris.discor...@gmail.com wrote:
>>>
>>> Most of it in the 19 lines for one TERMCAP variable. Strictly a relic of
>>> the past kept with all good intentions: backward compatibility, and
>>> heeding
>>
>> [...]
>>
>>> Quite a considerable portion of UNIX-like systems, FreeBSD in this case,
>>> is the way it is not because the developers are stupid, rather because
>>> they have a "constituency" to tend to. They aren't carefree researchers
>>> with high ambitions.
>>
>> this is the "space-shuttle dichotomy." it's a false one. it's a
>> continuum. its ends are dangerous.
>>
>> on the one hand, if you change things, the new things are likely
>> to be buggy. on the space shuttle, this is bad. people die.
>>
>> on the other hand, systems are not perfect. and if the problems
>> are not addressed, eventually the system will need too much fixing
>> and will be abandoned.
>>
>> yet bringing a new system on line is an even bigger risk. everything
>> is new simultaneously.
>>
>> it is interesting to me that some software manages to run off both
>> ends of this continuum at the same time. in linux your termcap
>> from 1981 will still work, but software written to access /sys last
>> year is likely out-of-date.
>>
>> your insinuation that *bsd is a real serious system and plan 9 is
>> a research system doesn't make any historical sense to me. they
>> both started as research systems. i am not aware of any law that
>> prevents a system that started as a research project from becoming
>> a serious production system.
>>
>> i know of many thousands of plan 9 systems in production right
>> now.
>>
>> - erik
[9fans] noweb and literal programming
Hello,

I've been thinking about 'well documented programs' and come across the 'noweb' program.
Do you have any experience with literal programming and, particularly, noweb?
(I noticed at least rsc seems to have played with it back in the year 2000. He programmed some scripts to use the system in Plan9...)

Thanks
Ruda
Re: [9fans] noweb and literal programming
On Fri, Apr 10, 2009 at 6:39 PM, Rudolf Sykora wrote:
> Hello,
>
> I've been thinking about 'well documented programs' and come across
> the 'noweb' program.
> Do you have any experience with literal programming and, particularly, noweb?
> (I noticed at least rsc seems to have played with it back in the year
> 2000. He programmed some scripts to use the system in Plan9...)
>
> Thanks
> Ruda
>

Just curious... what's the relation to Cweb and Ctangle (the ones Knuth uses)?

From what I've heard of those (even from Knuth himself) is that they're too ugly to use very much, and fits well with Knuth's style, which is mostly the "giant blob of code" style.
Re: [9fans] noweb and literal programming
I believe that Cweb/Ctangle were `engineering tradeoffs' -- i.e. concessions to the large number of people who didn't care about the theory or the practice of programming and just wanted to use TeX (mostly AMSTeX) on whatever new system their math/physics department happened to buy that year.

On Apr 10, 2009, at 4:50 PM, J.R. Mauro wrote:

On Fri, Apr 10, 2009 at 6:39 PM, Rudolf Sykora wrote:

Hello,

I've been thinking about 'well documented programs' and come across the 'noweb' program.
Do you have any experience with literal programming and, particularly, noweb?
(I noticed at least rsc seems to have played with it back in the year 2000. He programmed some scripts to use the system in Plan9...)

Thanks
Ruda

Just curious... what's the relation to Cweb and Ctangle (the ones Knuth uses)?

From what I've heard of those (even from Knuth himself) is that they're too ugly to use very much, and fits well with Knuth's style, which is mostly the "giant blob of code" style.