Wednesday, October 03, 2007

Development Multiverse

Jeff Atwood just put up a post, complete with a catchy analogy, that provides a good pedagogic overview of branching and merging. Many aspects of these concepts were discussed in the comments, most providing support for the perspective that Branching Is Hard(TM). My own perspective is that one of the chief reasons this is 'all very difficult' is because individual developers only have exposure to branching in the scope of the entire project and that exposure is most often very limited. In the absence of explicit personal experience with managing branching and merging I think it will always be Hard. Cue extolling the virtues of distributed version control...

Coming late to the dVCS party, I discovered Mercurial (Hg) a few months ago. A dVCS like Hg allows you to have full version control over your own work; the prime benefit in this context is that you can easily play with different branching schemes. You find out very quickly just how many 'parallel universes' you can juggle, or at least I did (with great power comes great...blah blah blah). In this circumstance, the individual developer can acquire experience with the complete process of managing branching and merging, which will help them grok the activities within the greater project context, perhaps making the process Easier(TM).

I think the discussion of version control in the general context of software engineering is an interesting one; for more discussion check out some threads on Reddit (can't find the bloody one I'm looking for right now, argh!), this essay by David Wheeler (of Secure Programming for Linux and Unix HOWTO fame), and the Mercurial Book.

Friday, July 06, 2007

Taxonomy Work

Flipping through a slide deck of Steve Christey and Robert Martin's, Mitre CWE Being Explicit Slides (ppt), made me think of Dave Aitel's quip from a few days ago, "Taxonomy = wrong", or, put less (or more) banally by our man Mulder:

"We fail to anticipate the unforeseen or expect the unexpected in a universe of infinite possibilities we may find ourselves at the mercy of anyone or anything that cannot be programmed, categorized or easily referenced..."

I think it quite obvious that this is the position we'll consistently be at if we approach constructing and assessing systems with a semi-ordered list of instructions *cough*software security book*cough* in hand and less than half a clue.

Creating a taxonomy of vulnerabilities is but one aspect of attempting to understand software security. If efforts such as Common Weakness Enumeration were just about creating such a list then perhaps we could label the whole effort as misguided, but the stated process here is to develop understanding. When we have some basis for that, we can do something with it and then, hopefully, our software won't suck wet sweaty moose testicles, or at least as much as it does now.

CWE attempts to unify a number of existing software security resources, some of my favourites being:


Which is still just a small selection of the great software security resources out there; for further interest check out work by Brian Chess, Gary McGraw, John Viega, Steve Christey, and Robert Martin. I'm usually very impressed with all their efforts.

Monday, June 25, 2007

dmesg and OpenSSL speed pr0n

I installed a Soekris vpn1401 in my net4801 a couple weeks ago to improve the performance of the OpenVPN (SSL) and IPSec VPNs I have running over the wireless. This morning I decided to run 'openssl speed' to see what the raw performance is like in rough comparison to what I remember from running the test without the card installed. Generally speaking, these results represent 3x+ speed increases over the stock hardware.


OpenBSD 4.1 (GENERIC) #1435: Sat Mar 10 19:07:45 MST 2007
deraadt@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Geode(TM) Integrated Processor by National Semi ("Geode by NSC" 586-class) 267 MHz
cpu0: FPU,TSC,MSR,CX8,CMOV,MMX
cpu0: TSC disabled
real mem = 133787648 (130652K)
avail mem = 114675712 (111988K)

...
hifn0 at pci0 dev 10 function 0 "Hifn 7955/7954" rev 0x00: LZS 3DES ARC4 MD5 SHA1 RNG AES PK, 32KB dram, irq 11
...

# sysctl -a | grep crypto
kern.malloc.kmemnames=free,mbuf,devbuf,debug,pcb,routetbl,,fragtbl,,ifaddr,soopts,sysctl,,,ioctlops,,,,,iov,mount,,NFS_req,NFS_mount,NFS_node,vnodes,namecache,UFS_quota,UFS_mount,shm,VM_map,sem,dirhash,,VM_pmap,,,,file,file_desc,,proc,subproc,VFS_cluster,,,MFS_node,,,Export_Host,NFS_srvsock,NFS_uid,NFS_daemon,ip_moptions,in_multi,ether_multi,mrt,ISOFS_mount,ISOFS_node,MSDOSFS_mount,MSDOSFS_fat,MSDOSFS_node,ttys,exec,miscfs_mount,,adosfs_mount,,adosfs_anode,,,adosfs_bitmap,,,pfkey_data,tdb,xform_data,,pagedep,inodedep,newblk,,,indirdep,,,,,,,,,VM_swap,,,,,RAIDframe_data,UVM_amap,UVM_aobj,,USB,USB_device,USB_HC,,memdesc,,,crypto_data,,IPsec_creds,packet_tags,1394ctl,1394data,emuldata,,,,,,,,,ip6_options,NDP,ip6rr,rp_addr,temp,NTFS_mount,NTFS_node,NTFS_fnode,NTFS_dir,NTFS_hash_tables,NTFS_file_attr,NTFS_resident_data_,NTFS_decomp,NTFS_vrun,kqueue,bluetooth,bwmeter,UDF_mount,UDF_file_entry,UDF_file_id
kern.malloc.kmemstat.crypto_data=(inuse = 1, calls = 1, memuse = 1K, limblocks = 0, mapblocks = 0, maxused = 1K, limit = 19596K, spare = 0, sizes = (1024))
kern.usercrypto=1
kern.cryptodevallowsoft=0
kern.userasymcrypto=1

# openssl speed
...
OpenSSL 0.9.7j 04 May 2006
built on: date not available
options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) aes(partial) blowfish(idx)
compiler: information not available
available timing options: USE_TOD HZ=100 [sysconf value]
timing function used: getrusage
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
md2 88.25k 189.38k 266.19k 296.55k 306.63k
mdc2 0.00 0.00 0.00 0.00 0.00
md4 642.82k 2348.02k 7230.63k 15670.35k 22294.59k
md5 563.68k 2022.73k 6286.69k 13357.90k 19464.88k
hmac(md5) 934.52k 3290.12k 8924.16k 16656.01k 21061.87k
sha1 540.19k 1713.66k 4316.22k 7282.86k 8415.84k
rmd160 416.16k 1356.93k 3403.01k 5638.49k 6821.26k
rc4 9863.87k 11587.07k 12052.14k 12217.07k 12118.70k
des cbc 1909.22k 2004.50k 2053.72k 2044.59k 2015.23k
des ede3 731.05k 753.26k 755.46k 763.26k 752.12k
idea cbc 0.00 0.00 0.00 0.00 0.00
rc2 cbc 1339.74k 1414.02k 1428.31k 1436.29k 1439.38k
rc5-32/12 cbc 0.00 0.00 0.00 0.00 0.00
blowfish cbc 3027.14k 3350.16k 3443.98k 3457.37k 3456.42k
cast cbc 3009.48k 3380.79k 3482.05k 3493.65k 3476.86k
aes-128 cbc 2784.76k 2956.69k 2964.86k 3009.17k 2959.56k
aes-192 cbc 2430.26k 2565.73k 2569.34k 2601.88k 2558.63k
aes-256 cbc 2163.65k 2262.30k 2266.64k 2298.75k 2276.51k
sign verify sign/s verify/s
rsa 512 bits 0.016715s 0.002043s 59.8 489.6
rsa 1024 bits 0.076623s 0.004701s 13.1 212.7
rsa 2048 bits 0.449728s 0.014178s 2.2 70.5
rsa 4096 bits 2.962890s 0.048354s 0.3 20.7
sign verify sign/s verify/s
dsa 512 bits 0.012400s 0.015442s 80.6 64.8
dsa 1024 bits 0.035831s 0.044040s 27.9 22.7
dsa 2048 bits 0.119420s 0.149021s 8.4 6.7


Very nice!

Friday, March 09, 2007

Wireless Channel Listing

...because there never seems to be one around when you need it most:


Channel 1 : 2412 Mhz 11bg Channel 36 : 5180 Mhz 11a
Channel 2 : 2417 Mhz 11bg Channel 40 : 5200 Mhz 11a
Channel 3 : 2422 Mhz 11bg Channel 44 : 5220 Mhz 11a
Channel 4 : 2427 Mhz 11bg Channel 48 : 5240 Mhz 11a
Channel 5 : 2432 Mhz 11bg Channel 52 : 5260 Mhz 11a
Channel 6 : 2437 Mhz 11bg Channel 56 : 5280 Mhz 11a
Channel 7 : 2442 Mhz 11bg Channel 60 : 5300 Mhz 11a
Channel 8 : 2447 Mhz 11bg Channel 64 : 5320 Mhz 11a
Channel 9 : 2452 Mhz 11bg Channel 149 : 5745 Mhz 11a
Channel 10 : 2457 Mhz 11bg Channel 153 : 5765 Mhz 11a
Channel 11 : 2462 Mhz 11bg Channel 157 : 5785 Mhz 11a
Channel 12 : 2467 Mhz 11bg Channel 161 : 5805 Mhz 11a
Channel 13 : 2472 Mhz 11bg Channel 165 : 5825 Mhz 11a

Now, if only the ath card in my Soekris would associate in 11a mode reliably... finicky little buggers (b/g are NP). Next time I'll be sure to go to the extra effort to acquire ral cards... someone needs to start carrying them.

Thursday, February 01, 2007

Gone Indie

At the end of December I left my position with KPMG to concentrate on technical security consulting and my master's degree. This all leads me to announce the creation of a new corporate entity, and my security company:

Strange Research Corporation

There isn't much content up on the site yet as I'm still playing with the layout, but check it out!

Friday, October 27, 2006

Strange Assortments

Ah, the obligatory "it has been too long since I've posted anything" post... I try to approach posting by following the advice of my friend ex-P.F.C. Wintergreen, who usually detests blogs but has relented on this position as of late, and at least keep my posts somewhat oriented towards novel ideas. Sometimes it simply helps to keep writing.

I see that FX is posting at the SABRE Lablog, always interesting to read what he is thinking about or working on.

I don't often find software that is worth paying for outside of music tools and operating systems (donate!) but this is wicked cool diagramming software for OS X: OmniGraffle. Go buy a copy and make your life prettier.

Haven't had much time for PDB lately, the whole school + work combination has been crazy busy. I started a project concerned with using a cVu 1000 from the dudes at cpacket to control the bandwidth usage of network flows. I have other more fun ideas for this device... suffice it to say that it is always fun to make networking products earn their rack space.

Sunday, September 24, 2006

Porting PDB to OpenBSD Act I Scene II

The need to run Matlab necessitated bringing my PowerBook back from the land of music and sound design... So, with a fresh install of Tiger I now have a box running an OS that implements divert sockets... Getting PDB up and running while my physical layer class works on examples of free space loss (and their arithmetic skills) seems like a great way to make use of the day.

Quick and dirty process to get PDB up and running on OS X:

  • Step 0 - clean out bleeding edge cruft
Clean up the build dirs for libcii and libfmt. Build those libs from the Makefiles in their respective directories; the top level make file isn't set up to do it (yet).

  • Step 1 - rbconfig.rb is broken by default in Tiger. Fix it.
  • Step 3 - where, oh where is ruby.h?
I didn't save the output from make, but the gist of it is that with the latest Xcode and the transition to universal binaries our lib path is messed up. Ruby header files are now in universal-darwin8.0 not powerpc-darwin8.0. Just symlink it all:

ln -s /usr/lib/ruby/1.8/universal-darwin8.0/* /usr/lib/ruby/1.8/powerpc-darwin8.0/ 


Now we're ready to get to business with PDB...

The 'pdb' executable is actually a little shell script that has functions for adding/deleting ipfw divert rules and running pdb (nee iledit). I wanted to do a little simple testing with a clear text protocol so I changed the divert rules to accommodate passive FTP:

~/tools/src/pdb-0.0.1.bleeding-edge$sudo ./pdb
==> Adding ipfw divert rules...
00242 divert 4642 tcp from any to any dst-port 21 out
00243 divert 4642 tcp from any 21 to any in
==> Running pdb...
hi pdb-ruby.bundle
hi ip.bundle
(pdb) c
45 10 00 38 20 c5 40 00 E..8..@.
40 06 00 00 c0 a8 01 03 @.......
81 80 05 bf c0 60 00 15 .....`..
98 d3 dd f7 82 18 d1 3c .......<
50 18 ff ff 54 5f 00 00 P...T_..
55 53 45 52 20 61 6e 6f USER.ano
6e 79 6d 6f 75 73 0d 0a nymous..

..SNIP..

(pdb) exit
I am slain!
==> Removing ipfw divert rule...
~/tools/src/pdb-0.0.1.bleeding-edge$


Excellent! More experimenting to come... time to read some code.
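
Added example (not part of the original post and not PDB's own code): a Ruby decoder for the diverted packet in the session above, with the hex bytes copied from that dump. The names `decode_ipv4_tcp` and `ftp_command` are made up for this illustration; the decode shows a 20-byte IPv4 header, a 20-byte TCP header, and the FTP `USER` command travelling in clear text.

```ruby
# Hex bytes copied from the pdb dump on this page (IPv4 + TCP + FTP payload).
DUMP_HEX = <<~HEX
  45 10 00 38 20 c5 40 00
  40 06 00 00 c0 a8 01 03
  81 80 05 bf c0 60 00 15
  98 d3 dd f7 82 18 d1 3c
  50 18 ff ff 54 5f 00 00
  55 53 45 52 20 61 6e 6f
  6e 79 6d 6f 75 73 0d 0a
HEX

TCP_FLAGS = %w[FIN SYN RST PSH ACK URG].freeze # bit 0 .. bit 5

# Hypothetical helper: parse one IPv4/TCP packet given as a hex string.
def decode_ipv4_tcp(hex)
  raw = [hex.delete("^0-9a-fA-F")].pack("H*")
  raise ArgumentError, "short IPv4 header" if raw.bytesize < 20

  vihl, _tos, total_len, _id, _frag, ttl, proto, ip_sum = raw.unpack("CCnnnCCn")
  raise ArgumentError, "not IPv4" unless vihl >> 4 == 4
  ihl = (vihl & 0x0f) * 4 # header length is counted in 32-bit words
  raise ArgumentError, "bad IHL" if ihl < 20
  raise ArgumentError, "not TCP" unless proto == 6
  raise ArgumentError, "truncated" if total_len < ihl + 20 || raw.bytesize < total_len

  src = raw[12, 4].unpack("C4").join(".")
  dst = raw[16, 4].unpack("C4").join(".")
  sport, dport, seq, ack, off_flags, window = raw[ihl, 16].unpack("nnNNnn")
  data_off = (off_flags >> 12) * 4
  raise ArgumentError, "bad TCP offset" if data_off < 20 || ihl + data_off > total_len
  flags = TCP_FLAGS.each_with_index.select { |_, bit| off_flags[bit] == 1 }.map(&:first)

  { src: "#{src}:#{sport}", dst: "#{dst}:#{dport}", ttl: ttl, ip_checksum: ip_sum,
    seq: seq, ack: ack, flags: flags, window: window,
    payload: raw[ihl + data_off...total_len] } # bytes after both headers
end

# Hypothetical helper: split an FTP control line into verb and argument.
def ftp_command(payload)
  verb, arg = payload.chomp("\r\n").split(" ", 2)
  { verb: verb&.upcase, arg: arg }
end

if __FILE__ == $PROGRAM_NAME
  pkt = decode_ipv4_tcp(DUMP_HEX)
  puts "#{pkt[:src]} -> #{pkt[:dst]} [#{pkt[:flags].join(',')}] ttl=#{pkt[:ttl]}"
  puts "FTP: #{ftp_command(pkt[:payload]).inspect}"
end
```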