HTTP/2.0 and so on

More nerdery, I'm afraid.

As I've got my fingers in certificates and web servers, and as I have the vague justification that it's never cool when students point out some new security wrinkle I don't have on batten.eu.org, I had another trip around the update everything houses.

I've now added DNS CAA records, which specify which CAs should issue my certificates. The idea is that if someone manages to convince another issuer to issue a batten.eu.org certificate, there's a chance that either they'll notice they shouldn't, or that a third party will notice the mis-match.
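How a CA is expected to evaluate those records can be modelled in a few lines. This is an added example, not code from this site: the zone contents and the CA identifiers (`ca-one.example`, `ca-two.example`) are constructed placeholders, and the logic follows the RFC 8659 rules (climb towards the root until a CAA RRset is found, `issuewild` overrides `issue` for wildcard names, an unknown critical tag blocks issuance).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CAA:
    flags: int   # 0x80 = issuer-critical bit
    tag: str     # "issue", "issuewild", "iodef", ...
    value: str

KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed zone data (owner name -> CAA RRset); CA identifiers are placeholders.
ZONE = {
    "example.org": [CAA(0, "issue", "ca-one.example"),
                    CAA(0, "iodef", "mailto:hostmaster@example.org")],
    "locked.example.org": [CAA(0, "issue", ";")],            # nobody may issue
    "wild.example.org": [CAA(0, "issue", "ca-one.example"),
                         CAA(0, "issuewild", ";")],          # no wildcards at all
    "strict.example.org": [CAA(128, "futuretag", "x")],      # critical + unknown tag
}

def relevant_rrset(name, zone):
    """Climb from the requested name towards the root; first non-empty RRset wins."""
    labels = name.rstrip(".").lower().split(".")
    if labels[0] == "*":
        labels = labels[1:]
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []

def issuer_domain(value):
    """The issuer domain name is everything before the first ';' (parameters follow)."""
    return value.split(";", 1)[0].strip().lower()

def may_issue(ca_id, name, zone=ZONE):
    """Return True if CAA permits the CA identified by ca_id to issue for name."""
    rrset = relevant_rrset(name, zone)
    if not rrset:
        return True                       # no CAA anywhere: issuance unrestricted
    if any(r.flags & 0x80 and r.tag.lower() not in KNOWN_TAGS for r in rrset):
        return False                      # critical property the CA does not understand
    issue = [r for r in rrset if r.tag.lower() == "issue"]
    wild = [r for r in rrset if r.tag.lower() == "issuewild"]
    applicable = wild if (name.startswith("*.") and wild) else issue
    if not applicable:
        return True                       # e.g. only iodef present: no restriction
    return any(issuer_domain(r.value) == ca_id.lower() for r in applicable)
```
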

I've also, after some thrashing around, brought up HTTPv2 support on my servers (required recompiling OpenSSL in all cases, as to do it properly needs >= 1.0.2 and most OSes still ship with 1.0.1).


The only warnings are that some elderly machines with modern browsers (ie, old crypto libraries, but new browsers that do HTTPv2) regard the cipher suite they end up negotiating as deprecated: all the Cipher Block Chaining ciphers are blacklisted in HTTPv2 in favour of Galois Counter Mode (or Counter Mode, more generally). I'm not going to fix this: people should not (H/T @gbrightn) use ancient operating systems, and anyway the cipher wouldn't be marked as blacklisted were it not for the presence of HTTPv2, so HTTP/1.1 would be perfectly happy using it.
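The situation described above, as an added example (not the configuration of these servers): a client with an old crypto library negotiates a CBC suite, which is acceptable for HTTP/1.1 but falls on the HTTP/2 list in RFC 7540 Appendix A. The suite lists are constructed, and the name-based classifier is an approximation of that appendix (no ephemeral key exchange, or not an AEAD cipher), valid for IANA TLS 1.2 suite names.

```python
AEAD_MARKERS = ("_GCM_", "_CCM", "_CHACHA20_POLY1305")
EPHEMERAL_MARKERS = ("_DHE_", "_ECDHE_")

def h2_blacklisted(suite):
    """Approximate RFC 7540 Appendix A from an IANA TLS 1.2 suite name."""
    if "_WITH_" not in suite:
        return False          # TLS 1.3-style name; the list covers TLS 1.2 suites
    ephemeral = any(m in suite for m in EPHEMERAL_MARKERS)
    aead = any(m in suite for m in AEAD_MARKERS)
    return not (ephemeral and aead)

def negotiate(server_prefs, client_offer):
    """Server-preference selection: first server suite the client also offers."""
    offered = set(client_offer)
    for suite in server_prefs:
        if suite in offered:
            return suite
    return None

def connection_report(server_prefs, client_offer, alpn):
    """Return (negotiated suite, True if it is flagged for the chosen protocol)."""
    suite = negotiate(server_prefs, client_offer)
    if suite is None:
        return (None, False)
    # The list only matters when ALPN selected h2; HTTP/1.1 has no such rule.
    return (suite, alpn == "h2" and h2_blacklisted(suite))

# Constructed server preference order, strongest first.
SERVER_PREFS = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]

# Constructed client offers: new browser on an old crypto library vs. a current one.
OLD_LIBRARY_CLIENT = [
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]
MODERN_CLIENT = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
]

if __name__ == "__main__":
    for label, offer in (("old library", OLD_LIBRARY_CLIENT), ("modern", MODERN_CLIENT)):
        for alpn in ("h2", "http/1.1"):
            print(label, alpn, connection_report(SERVER_PREFS, offer, alpn))
```
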

The World. Grim.

I've remarked in various places that the Labour Party is currently in such disarray that if Theresa May kicked off a general election campaign with an hour of drowning kittens on live television she'd still win by 100 seats, or words to that effect. It's basically Leo in The West Wing: 

"To sweep all fifty states, the President would only need to do two things-- blow the Sultan's brains out in Times Square, then walk across the street to Nathan's and buy a hot dog."

Which is all good knockabout politics, although I don't hear anyone, _anyone_, whether in the pub or in a CLP meeting, who takes Labour winning in 2020 as requiring anything less than a multi-dimensional miracle. 

Unfortunately it does bring up one grim thought to depress me (and I've stopped listening to Today, that's how bad it is). At the moment, there is little the Tories need fear with regard to losing an election, and on the current trajectory with an increased majority, too. Abolish all free education past the age of 11? Fifty quid to see a GP? Declare war on Switzerland and make the eating of Toblerone an act of treason? Whatever: they still win in 2020. There is almost no policy, no matter how toxic, that the Tories could enact which gets the current Labour front bench into office. All the Tories have to do is kick back, chill their beans, and weigh the ballot papers. Labour need a manifesto which challenges UKIP to the right in the north and the SNP to the left in Scotland without alienating London, and even were the party functional and led by a proven election winner that is almost impossible. The more likely dogs' breakfast in the manner of 1983 just means a massive defeat followed by a generation of in-fighting while the Tories celebrate by roasting poor people over an open fire.

Suppose, just suppose, that instead of seeking the glory of a 150 seat landslide, May decided to double down and run on a manifesto which wins by 50 seats but makes her the Thatcherites' eternal heroine by giving party faithful as much as they can possibly have, consistent with winning an election. Not just the Human Rights Act, but tear up PACE, Freedom of Information and the Data Protection Act ("red tape", "stopping the police doing their job"). Not just index linking of university fees, but uncapped, and while we're at it not only grammar schools in every city but post-16 education chargeable via loans. And just for shits and giggles criminalise abortion, bring back workhouses and repeal the Discrimination Act. Whatever: a scorched earth, salted fields, roll the country back to before the Great Reform Act extinction burst of atavism. 

With a manifesto like that coming from the Tories, what would Labour do? Lose by fifty seats, that's what. Grim, isn't it?

Fwd: UK Citizens (etc): Please Register to Vote in the Referendum




http://www.aboutmyvote.co.uk

If you are a UK Citizen or otherwise entitled to vote in this month’s referendum, please do so.

http://www.aboutmyvote.co.uk

My generation (born in the mid 1960s) are the single largest cohort in our society, and we vote at high rates.  We’re the peak of the post-war boom, and we still go to polling stations.

We’re why you can’t buy houses; my wife and I bought a house, with a 100% mortgage, 11 months after we graduated, and we were hardly unusual: how many of you will be doing that?  

http://www.aboutmyvote.co.uk

We’re why your pensions are likely to be grim: we paid a few quid into schemes that were clearly insolvent the moment our parents stopped smoking, but many of us can retire on secure incomes in our early to mid sixties.   

And for the university educated amongst us, we got it free, too.  

http://www.aboutmyvote.co.uk

Governments pander to us, because we win and lose elections; unlike the cohort older than us, we switch our votes from election to election and are susceptible to retail politics (“what’s in it for me?”).  We are why inheritance tax is a major political issue: IHT isn’t about old people, it’s about their avaricious middle-aged children, like me.  And we are why crazy rising house prices are a popular thing; the houses we don’t own, our parents own.

We are why education policy is a minor footnote, because most of our children are coming towards the end of, if they haven’t already finished, their educations.

http://www.aboutmyvote.co.uk

The referendum’s outcome could change your lives.  Mine, not so much.    But my generation will be flocking to polling stations to vote, and our issues are radically different to yours.  You don’t trust your parents' opinion on Kanye West (808s and Heartbreak is my favourite, my children disagree) so why would you trust their views on anything else?  

http://www.aboutmyvote.co.uk

We’ve now seen two general elections which have been decided by an if not grey at least greying vote, while policies that affect you have been put through without any attention to what you think.  Sadly you (or at least people your age) just don’t vote in sufficient quantities to be interesting to politicians.  Change that.  Please.

http://www.aboutmyvote.co.uk

I don’t think anyone over 45 should be allowed to vote in the referendum, and I shall be voting strictly on the advice of my children.   But people like me, and indeed my parents (ie, your grandparents) could decide the outcome of this referendum.  Please don’t let us be the only voices that are heard.

http://www.aboutmyvote.co.uk

ian

(That was a referendum broadcast on behalf of the “For God’s Sake Ian, shut up” party).

VPN Key Exchange Enhancements in iOS 9.3, OS X 10.11.4 and Server 5.1 - Apple Support

On 15 Apr 2016, at 01:00, Ian Batten <xxx> wrote:

If anyone is keen enough to be running their own VPN server for Apple clients

More detailed examination with coffee in my hand (hey, I teach two lectures on IPSec and IKE, so this is _real_ _work_) reveals that on the down-low, Apple have re-written the entire opening phase of their VPN software and released it on two platforms over the past couple of weeks.

Historically, the Apple L2TP-over-IPSec implementation was as brittle as thin glass. The recommended deployment was talking to an Apple “Server” on OSX, but if you wanted to roll your own, it was very difficult to end up with an IKE configuration which would work with the Apple clients and also work with anything else. In essence, you had to configure the server with exactly the algorithms used at each phase by Apple, and none others: if you so much as mentioned an algorithm the clients didn’t support, the whole thing collapsed. I don’t have anything other than Apple kit in my mobile VPN estate so this didn’t matter to me, but I gather from former colleagues that using the Apple VPN client and the Microsoft VPN client into the same server is the best tool in your Cisco salesman’s box to convince you to just buy the end-to-end Cisco solution. Which Apple kind-of admitted by shipping the Cisco VPN client, branded, as a standard part of iOS (I think I’m right in saying that it’s the only piece of iOS as installed on a new device which has anyone else’s branding on).

The new stuff is completely different. You can turn on all the algorithms you like, and the Apple clients (a) in main mode, negotiate a sensible mutual combination of algorithms and use those for the rest of the exchange and (b) more impressively, in aggressive mode (where the two ends need to know in advance what algorithms are in use, as there’s no “what hash and encryption do you fancy?” phase) it steps through a sequence of proposals to try to find one that works: that’s not fast, but at least it works. So you can turn on the offer of algorithms that Apple don’t support yet (large DH groups, EC crypto, SHA512, that sort of thing) and leave them there waiting for the clients to catch up, and for use by more capable clients.

There’s some other changes which aren’t as easy to analyse. The negotiation of PFS has definitely changed: it used to be that if you asked for it on the server, the client dropped the connection, now you can have it enabled with a group selected. But it’s not obvious whether it’s actually respected: since you can ask for crazy groups (6144 bits) or for things that don’t appear to be supported anywhere else in the Apple client (EC) and it still “works”, the implication is that the client is just doing a better (or worse, depending on your view) job of negotiation and is not using PFS even though it’s offered. I’m not sure how to check this. The packet sequence is the same, and although the contents are different they are encrypted: I’d need to find a way to get hold of the Phase 1 keys and use them to decrypt the Phase 2 packets in order to check. My gut feel is that Apple haven’t added PFS, they’ve just fixed the negotiation so it’s rejected cleanly.

It’s interesting that there’s a paper which raises concerns about widely deployed IPSec configurations, and within six months Apple are fielding a complete suite (they’ve made the same changes to the server, but I’m not using that code) of changes to close the whole issue down. They are playing hardball with the US government.

ian

VPN Key Exchange Enhancements in iOS 9.3, OS X 10.11.4 and Server 5.1 - Apple Support


If anyone is keen enough to be running their own VPN server for Apple clients, it’s worth noting
that as of the latest bits (10.11.4 OSX, 9.3 iOS) you can now use larger DH groups and more 
modern hash and encryption algorithms for IKE Phase 1:


You were previously restricted to DH Group 2 (1024 bits), with SHA1 or MD5, and 3DES.  This was a 
matter of some concern following the publication of “Imperfect Forward Secrecy: How Diffie-Hellman 
Fails in Practice” [1], which implied that brute-force attacks on the 1024 bit group were realistic,
plus the usual annoyance of 3DES being slow on general-purpose hardware.

There’s not been the same changes in Phase 2, so you are still restricted to using SHA1 for packet 
authentication rather than SHA256 (or at least, that appears to be the case talking to my router, a
Mikrotik running 6.34.2).

I didn’t see any announcement of this, and I only stumbled over the Apple support document while
looking for something else.   It does seem that Apple are closing off weaknesses that require
a state actor as your opponent.

I’ve tested this with iOS 9.3.1 and OSX 10.11.4.  There doesn’t appear to be a performance penalty,
and there’s a substantial security benefit in using a larger DH group for Phase 1 (if you think your
opponent is a state-level actor, that is).

ian
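The Phase 1 behaviour described in the two posts above (main mode choosing a mutual proposal, aggressive mode stepping through proposals one at a time, and the old DH Group 2 / SHA1 / 3DES restriction) can be modelled as follows. This is an added example, not Apple's or Mikrotik's code: the proposal lists are constructed, the model assumes the responder accepts the first initiator proposal that appears in its own policy, and the 2048-bit threshold for flagging a MODP group is an assumption.

```python
from dataclasses import dataclass

# IKE MODP group numbers and modulus sizes in bits (EC groups are not listed here).
MODP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048, 15: 3072, 16: 4096, 17: 6144, 18: 8192}
LEGACY_ENC = {"des", "3des"}
LEGACY_HASH = {"md5", "sha1"}
MIN_MODP_BITS = 2048   # assumed policy threshold for this example

@dataclass(frozen=True)
class Proposal:
    enc_alg: str
    hash_alg: str
    dh_group: int

    def legacy_parts(self):
        """List the components of this proposal that belong to the old fixed set."""
        parts = []
        if self.enc_alg in LEGACY_ENC:
            parts.append(f"encryption {self.enc_alg}")
        if self.hash_alg in LEGACY_HASH:
            parts.append(f"hash {self.hash_alg}")
        bits = MODP_BITS.get(self.dh_group)
        if bits is not None and bits < MIN_MODP_BITS:
            parts.append(f"dh group {self.dh_group} ({bits} bits)")
        return parts

def main_mode(initiator_offer, responder_policy):
    """All proposals travel in one SA payload; the responder picks one of them."""
    acceptable = set(responder_policy)
    for proposal in initiator_offer:
        if proposal in acceptable:
            return proposal
    return None

def aggressive_mode(initiator_offer, responder_policy):
    """One proposal per attempt; returns (accepted proposal, attempts used)."""
    acceptable = set(responder_policy)
    for attempt, proposal in enumerate(initiator_offer, start=1):
        if proposal in acceptable:
            return proposal, attempt
    return None, len(initiator_offer)

def legacy_exposure(responder_policy):
    """Policy entries a client could still land on that use legacy components."""
    return {p: p.legacy_parts() for p in responder_policy if p.legacy_parts()}

# Constructed server policy: strong proposals left enabled next to the old one.
SERVER_POLICY = [Proposal("aes256", "sha512", 17),
                 Proposal("aes256", "sha256", 14),
                 Proposal("3des", "sha1", 2)]
# Constructed client offers (not the actual proposal lists of any Apple release).
OLD_CLIENT = [Proposal("3des", "sha1", 2), Proposal("3des", "md5", 2)]
NEW_CLIENT = [Proposal("aes256", "sha256", 15),
              Proposal("aes256", "sha256", 14),
              Proposal("3des", "sha1", 2)]

if __name__ == "__main__":
    print(main_mode(NEW_CLIENT, SERVER_POLICY))
    print(aggressive_mode(NEW_CLIENT, SERVER_POLICY))
    print(main_mode(OLD_CLIENT, SERVER_POLICY), legacy_exposure(SERVER_POLICY))
```
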

The myth of operational security

One day, I am going to get around to writing my magnum opus on the mistaken beliefs that some security people have about threat actors. But today, I’m going to consider one of them: the terrorist with perfect operational security.

There are a whole range of arguments which assume that there is no point in society adopting mechanisms to attempt to defend itself, because our enemies have perfect operational security. There is no point in intercepting communications because they all use encryption, both effective algorithms and with flawless security around key management (a feat few national agencies have managed). There is no point trying even traffic analysis because they all use TOR with flawless, error-free precision (even though there is ample reason to believe this is very difficult). There is no point using ANPR because all criminals drive stolen cars with false plates (although this weekend’s Paris attacks used hire cars). And so on.

There are good reasons to be wary of security service claims as to the efficacy of their boxes of tricks, and certainly we need to balance civil liberties and security agendas. We need to do this all the more in the aftermath of appalling events as happened in Paris this weekend. But we need good arguments. Arguments which presume that terrorists are criminal masterminds with not only access to, but the skills and discipline to use effectively, top-quality crypto and therefore interception is pointless are just wrong. Terrorists have many things to be doing while planning an outrage, and they clearly are not communicating using perfectly-used one time pads.

The Gang That Couldn't Shoot Straight

The most important thing that Labour can do in 2015 is get elected in 2020.  As my constituency secretary says, it’s going to be hard.  It’s going to be a challenge.  It’s going to involve discipline, focus and political skill.  

So what the hell happened last night?  Not only did George Osborne set a trap for Labour, he actually wrote an article about the trap, clearly and unambiguously, and published it in the Guardian the previous morning:

Not just some doublespeak “Don’t throw me in the briar patch, Brer Rabbit” coded message, which the naive or deluded might struggle to understand, but in words of if not one at most two syllables.  He pretty much spelt out what amounts to a plan to either leave Labour split into two parties, or internally divided to the point of irrelevance, between what one might term (to take the language of German green politics, themselves no strangers to futile opposition) “realo” and “fundi” strands.  He’s encouraging Labour MPs, perhaps MPs who see politics as government, rather than a Sealed Knot Society re-enactment of the Winter of Discontent,  to look up “Limehouse” in their A to Z.  This is not the subtle dark arts that we provincials can neither know nor understand, this is stuff so obvious that there are West Wing episodes about it.  A “realo” Labour offshoot, or indeed the “realo” phoenix emerging from the smoking ruins of a divided party, might be able to win in 2030, but Osborne doesn’t care: he’s looking straight at getting into office in 2020 and doesn’t much care what happens after he wins a second term in 2025.  And by God he’s doing a good job.  You can admire the execution even if you despise the intentions.

Harriet Harman, because she’s clever and has been around parliament long enough to know how things work, saw the trap and did the only thing she could do in that situation, which is to order abstention.  Vote for the budget and Labour are Tories attacking the poor, vote against the budget and the next five years are a re-run of 2010-15, all talk of Labour’s mismanagement of the economy, excessive spending and building of a client state.  Cameron’s speeches almost write themselves, to the point that he’d have a big key on his computer marked “Greece” and another marked “Syriza” to avoid having to type them in full each time.  “Banks closed, pensioners unable to buy food: this is what happens when welfare outstrips revenue”.  It would be nonsense, of course, but it would be politically devastating, putting Labour back to 2011 but now out of office for longer, having to fight on the economy and being unable to be heard on anything else.  Cameron would be able to give Neil Kinnock’s “scurrying around in Taxis” speech, with minor modifications, every week.

This was such obvious politics from the Tories that even Tom Watson, rarely a man to pass up on an opportunity to get on the telly being contrary, saw it for what it was and abstained.  The choice is between harmful gesture and galling but ultimately harmless abstention: the point of being an MP, rather than a ranty bloke in a meeting, is knowing when to shoot, and when to keep one’s powder dry.  

So what did the self-indulgent, ill-disciplined, suicidal 48 do?  For the sake of a moment’s futile self-righteousness, they made Labour look split, incompetent and incoherent.  They made it clear to Harman, and by extension any future Labour leader, that they reserved the right to be disloyal at the drop of a hat, to make gestures that will have no effect beyond showing the willingness to look like a rabble for the sake of two minutes of glory in front of their own supporters.  Abstaining has no political cost: if challenged in twelve months time, “I was following the line of the then leader for the sake of avoiding a damaging split right after a bruising election” satisfies all but the most irreconcilable headbangers.  Not a single child will be fed, not a single family will have their benefits restored, as a result of last night.  But as a free gift to the Tories, it makes a Labour government in 2020 that little bit less likely, and that Labour government in 2020 is the only effective help that those in poverty can look forward to.

Some Tory said last night that it’s impressive to have a leadership crisis when you don’t have a leader.  They did not mean this kindly. When Pierre Bosquet wrote of the Charge of the Light Brigade that "C'est magnifique, mais ce n'est pas la guerre: c'est de la folie" he was at least admiring of the bravery and sacrifice of the men; this is beyond that.  This is the sort of stuff that the Tories dream of: a majority, a divided opposition and a leaderless Labour Party ripping itself to pieces.  They could ram through legislation criminalising the consumption of coffee and declaring war on Sunderland and no-one would notice.

If this is what the next five years are going to be like, Frances Osborne should nip next door right now and start measuring up for curtains.  What sort of smoking ruin of a party is the next leader, and worse the next leader but one, going to inherit?

A Labour Government in 2020.  Surely to God that’s the main objective?  Please?

ian

"The Imitation Game"


In case anyone is taken with an urge to go to the cinema to see Benedict Cumberbatch giving us his Alan Turing, I would suggest that those with a knowledge of his life either suspend their disbelief or don’t go.   As a film in its own terms it’s not bad; crypto hardware nerds will appreciate the appearance of Bletchley’s bombe rebuild as a prop and an (unremarked) set of Zygalski Sheets [1] being used, there aren’t too many anachronisms to set your teeth on edge (although I’m pretty certain that senior military officers born in 1881 didn’t go around saying “you’re fired” to people) and both Benedict Cumberbatch and Keira Knightley are more than competent.

But the distortions of the events are very substantial, both in terms of how Enigma was broken (unsurprisingly, as this isn’t a documentary) and in terms of the biographical details of his and others’ lives (which is slightly more surprising).  Some of it’s just sub-McKee [2] “story arc” stuff.  Joan Clarke, played by Knightley, and others are shown as being recruited via some gambit involving crossword puzzles, when in fact Clarke and most of the other later arrivals were simply recommended by their tutors and supervisors; she’d been taught by Gordon Welchman (who is completely written out of the story, oddly).  Some of it is rather more substantial, and rather odd: there is a strange sub-plot which implies that the security services knew about John Cairncross (“The Fifth Man” in the Burgess-Maclean-Philby-Blunt ring) and used him as a back-channel to Stalin; to describe that as unlikely and unsupported is to be generous.

Were I a relative of Alastair Denniston I’d be upset, as he is shown as a petty martinet and vindictive incompetent, which (so far as one can tell from published sources) was not the case.  Peter Hilton (later Mason Professor of Pure Mathematics at Birmingham, I see) is shown working on Enigma prior to the development of the bombe; the first bombe went into use in late 1940 and Hilton, only 18, didn’t arrive at Bletchley until 1942.    Similarly, Jack Good didn’t arrive until mid-1941, long after the bombe’s development.  

And were I Polish I’d be very upset indeed, as their massive contribution to Enigma is completely bypassed.


GNU emacs on OSX 10.9: fix for runaway CPU

There's a fairly well documented, and rather annoying, bug in Emacs 24.3 on OSX 10.9. Under some circumstances it either consumes a lot of memory and CPU and starts to run very slowly, or it causes distnoted to do likewise. It happens particularly after sleep and wake-up, and if distnoted is the victim it's usually enough to get the fans to come on and stay on. It happens to me roughly once a week. The bug is present in the binaries available from http://emacsformacosx.com.

There is a patch:

It's apparently incorporated in the 24.4 pre-tests and nightlies, if you like to live dangerously.

I've applied the patch to a set of clean 24.3 sources and compiled it on 10.9.4 with the latest version of XCode, to get the fix without any other changes.

If anyone needs the binaries:

http://www.batten.eu.org/~igb/emacs-24.3-leakpatch-mavericks.tar.xz

SHA256 hash [1] is f94c2f9dbf40ff42dd8ee41ce7fab4e1f5208c2178aa99ab8a8344560e49d41c

Just untar it and move the resulting Emacs.app directory to /Applications or wherever you keep such things. The OSX tar command now automagically handles .xz.

Aficionados of the ludicrous bloat of modern software will have their prejudices confirmed upon learning that using a good compression algorithm, the installation kit (ie a tar of /Applications/Emacs.app) is 100MB.

ian

[1] openssl dgst -sha256 -hex < emacs-24.3-leakpatch-mavericks.tar.xz

A Horrible Battery Warning

A colleague of mine started talking about having resurrected an old Olympus OM-10 which his father had abandoned in the 1990s.  Sparked by that, I decided to check what state my OM1n and OM2 were in.  I'd last used them regularly in about 1994, and I was pretty certain that the batteries hadn't been changed since then.  

The OM2 was fine.  The battery compartment opened up, and a pair of spare silver oxide batteries that I had in the case turned out to be perfectly sound.  The camera fired straight up.  I'd had it serviced shortly before it stopped being used, so the batteries in the camera and the spares probably dated back about 20 years.  That the fresh ones still worked was pretty miraculous (and I've ordered a new pair to be sure),  but the ones in the camera hadn't come to too much harm.



Luckily, the seepage was into the interface between the two batteries, rather than into the camera itself.  With new batteries the metering is at least internally consistent and appears to give sensible readings, and dry-firing the camera shows that slow shutter speeds are slower than fast shutter speeds.  The auto seems to open for longer the less light there is.  Overall, it looks like the camera's sound (given it was made in 1978 this is rather nice).

The OM1n, however, is a bit more serious.  The battery that it uses is a 1.35V mercury cell which is now unobtainable, but more seriously the battery hatch is jammed solid.

Gingerly I removed the base of the camera


By the time I took this photograph I had cleaned the battery compartment, but the original state of the battery was pretty grim.


The rectangle in the first picture is the impression left by the contact strip.  Given it's a mercury battery and mercuric oxides are nasty stuff I washed my hands very carefully after handling it.  Unfortunately, the gunk from the battery has gone into the threads of the battery hatch, which is still jammed.  People on t'internet recommend all sorts of caustic options, but initially I'm just soaking it in some penetrating oil to see if it will free off.  In the picture below the oil has already cleaned off the worst on the inner face of the hatch, but the threads are still resolutely jammed.

 Update: an hour of soaking and it could be opened, with the threads not looking in too bad a state.


Update update: with the help of the Small Battery Company, I now have a Wein MRB625, which is a weird Zinc-Air replacement for the banned mercury 625 1.35V battery.  It's not a long-term solution as apparently it only lasts a few months; Zinc Air batteries use oxygen from the air to provide a lot of power for hearing aids, which is fine, so long as you want the power to be continuously developed.  However, SBC also stock a converter to allow a modern 1.55V 386 battery to be stepped down to 1.35V, while fitting into a 625 formfactor.  Assuming the first few films through the OM1 check out OK, I'll get one of those.