* Posts by Mr Spuratic

13 posts • joined 11 Nov 2010

Take the bus... to get some new cables: Raspberry Pi 4s are a bit picky about USB-Cs

Mr Spuratic
Thumb Up


No complaints here, braided cable like the flex on an iron, single piece rubber housing/strain-relief.

100MW bit barn farm in Ireland faces planning appeal from – yep – same guy who helped sink Apple's application

Mr Spuratic


All of which is easily disproved by Eirgrid's "All-Island Generation Capacity Statement 2016-2025", the 206 page Environmental Impact Statement which includes Flood Risk analysis (its proximity to the river makes that mandatory in Wicklow), and the 520MW expansion to the Arklow wind farm.

The main source of waste heat appears to be McDonagh himself.

The site happens to have 100MW capacity, the data center design peak load is 60MW according to the application. How exactly does one heat 312,000 homes (with <200W each) in a county with 50,000 homes?

Apple's fruitless rootless security broken by code that fits in a tweet

Mr Spuratic

Re: Question

Yes, there is no pipe.

1&>- causes FD 1 (stdout) to be closed, but not to save the user from noise, this is setuid hacking 101. With FD 1 closed, the next call to fopen() will reuse the now freed up FD 1, so output intended for the user will instead end up in the opened file (disk device), effectively junking it. See pages 53-57 of Esser's paper linked from the article.

(The "[n]>&word" form is for duplicating FDs, with "-" as special case for closing the FD.)

Google's SHA-1 snuff plan is catching up with Microsoft, Mozilla

Mr Spuratic

Re: Technical pedantry

Yes, unqualified "brute force" is not the proper term here, I mean the (probably) expensive computation involved in attacks similar to that you describe. This will be by definition better than exhaustive brute force, if and when the cat is let out of the bag.

Since the collision attack you describe was used in the 2009 hashclash MD5 attack it is no longer as trivial, CAs must use random serial numbers. My understanding is that further increasing signing-time entropy would have provided continued protection, which is why I'm hoping Santa Claus will bring a second-preimage attack this year.

Mr Spuratic

Technical pedantry

SHA-1 is not a hash and a cipher, it is only the former.

It is not universally being snuffed out, yet (witness its continued existence in TLS ciphersuites for integrity checking, and as a HMAC).

The issue here is that its use in certificate signatures (sha1WithRSAEncryption) does not offer the required safety margin for something that is effectively a long term credential. Or more precisely it can probably be brute forced for a moderate outlay within its validity period.

Facebook farewells flaky SHA-1

Mr Spuratic

Crypto pedantry

Both articles conflate two distinct uses of SHA-1. The CAB Forum are largely concerned with SHA-1 as used in certificate signatures (formally sha1WithRSAEncryption). Separately, SHA-1 or SHA-2 are used in a TLS cipher as a message authentication code (or more correctly, HMAC). HMAC-SHA1, like other HMACs, is not susceptible to collision attacks. That said, RFC 7525 recommends only SHA-2 using ciphers, but leaves SHA-1 using ciphers unchanged (and still mandatory for interop).


Get coding or you'll bounce email from new dot-thing domains

Mr Spuratic

Re: DNS and hyphens

I'm talking about ASCII 0x2D, strictly IA5 "hyphen (minus)", informally "dash", and what's allowed in the "ASCII" subset letter-digit-hyphen, as historically used in DNS labels. A feature of IDN, which presumably justifies its complexity, is that it is backward compatible with this (ignoring the fact that a label is simply an octet sequence and technically need not be 7 bit ASCII).

One (my) interpretation of the above statement from the article is that the hyphen/dashes in the ACE "xn--" prefix or separator are going to cause problems. The encoded value cannot contain either a leading or trailing hyphen/dash (see RFC 3492 section 5), so where's the new problem?

There are other far less plausible (to me) interpretations, possibly involving systems that decode IDNs and reject dashes for some reason.

FWIW, valid IDN encompasses a large subset of Unicode, including all the dashes you might need or want. Further reading: Unicode Consortium IDN FAQ, reports TR36 & TR46, and the IDNA2008 RFCs 5890-5894 (get cracking, it's less than 5 hours until beer o'clock, this will be on the test ;-)

Mr Spuratic

DNS and hyphens

I'm having difficulty with the intent of this statement:

"[...] systems will often simply reject emails that don't work within the old DNS model - refusing to allow dashes for example."

The dash/hyphen has been allowed in DNS labels since forever (RFC882, 1983), the ACE form of an IDN breaks no new ground here. I've been involved in email administration for many a year, and I can't say I remember a single incident where a (valid) hyphen in a domain caused a problem. Hard-coded TLD "validation" or logic is a different problem.

Also, the IETF Email Address Internationalization working group and RFC6530 (and friends) seems to have escaped mention.

Mr Spuratic

Re: Gmail?

Sub-addressing, sendmail calls it "plus addressing", it's been around since at least sendmail 8.36 (early 1993) this is far from a Googlism. The RFC821 spec for the "local part" to the left of the @ is surprisingly loose, and most systems will choke on one thing or another.


systemd row ends with Debian getting forked

Mr Spuratic

Re: What is systemd

This is under active development: http://uselessd.darknedgy.net/

There are no doubt other efforts too.

Thanks for nothing, OpenSSL, grumbles stonewalled De Raadt

Mr Spuratic

Re: Theo's previous response when asked if he'd like to be on a mailing list


OpenSSL's timeline, that list was notified on 2014-06-02.

OpenSSLs "official reason" for this is there too, it's because

they're not on os-distros, see MarkJCox's post @08:53.

(and there's a fine flame war in the comments there too)

Meantime, Theo cranks it up a gear [NSFW] in openbsd-misc@


German 'hacker' uses rented computing to crack hashing algorithm

Mr Spuratic

Neat hack, misleading headline

SHA-1 wasn't designed to be slow, it was designed to be "cryptographically secure". This is why proper password implementations which use any type of hashing have multiple rounds and salt ("PBKDF" and "password strengthening" are terms associated with these).

Read http://www.akkadia.org/drepper/SHA-crypt.txt for a real password implementation (which uses SHA-2 rather than SHA-1, but the principle is the same).

5000 rounds + 16 characters of salt makes brute-force a *lot* harder. Approx 2^108 times harder, if you don't have the salt, and only ~2^12 if you do (making a 2 hour exercise into a ~12 month exercise). I've read the results, the input file had one hash round.

I see a neat hack (nicely documented too) showing what you can do with EC2, and a misleading headline... "crack sha-1 hashes" != "crack sha-1 hashing"

Wake me up when someone uses EC2 to find useful SHA-1 collisions :)

How I built a zero energy cost, zero carbon home server

Mr Spuratic

Sheeva plug

The Sheevaplug can push the USB to 750mA, above the 500mA per-spec. I run a 500GB Toshiba bus-powered disk directly on mine. I understand it's the startup current which is usually the issue, rather than normal running.

I get the odd glitch (all clear for ~5 months now) which I'd always put down to brownouts. Disk momentarily disconnects and reconnects.

However, many people report PSU issues (the melty or magic-smoke types) with these, and bus-powered drives are implicated.


Biting the hand that feeds IT © 1998–2019