Network

Another reason why I build software from source myself

Some yahoo at Debian found what he thought was a bug in OpenSSL, and decided to comment out some code without having any clue what purpose it served. That purpose was to seed a pseudo-random number generator with entropy from memory, specifically /dev/random. This only broke the cryptographic security of OpenSSL on Debian (and thus Ubuntu) while being mostly undetectable. It’s quite likely attacks of the same ilk were deliberately planted by various spy agencies.

This is just an extreme example of why I prefer to build open-source software from source code myself rather than trust blindly in some packager whose choice of compile-time settings almost certainly doesn’t match mine. I have a framework of makefiles that specify how each package is built from source (meta-makefiles, really). This includes checking for new versions of the package, setting configure options and make environment variables. For instance, to fetch the most recent version of OpenSSL, all I do is make sync-openssl; make openssl then as root run make install-openssl. The maintenance burden is low as I have been assembling these metamakefiles over the last 12 years, targeting Solaris and OS X. The end-result is a deterministic build according to my specifications.

My process would not ward against a malicious attack like Brian Kernighan’s notorious trusting trust attack, but it has served me well over the years.

Ethernet – accept no imitations

While reading an article about Brocade/Foundry’s product plans, I learned about Convergent Enhanced Ethernet (CEE), also known as “Data Center Ethernet”. As if Ethernet needed blessing from the price-gouging storage vendor community to enter the data center…

CEE sounds like just one more in a long line of failed “standards” like IsoENET that take Ethernet, find some supposed nit to pick with it, and add all sorts of baggage to address hypothetical requirements. In the case of IsoENET, it was jitter, and in the case of CEE, it is packet loss, never mind that function belongs to TCP at layer 4, not Ethernet at layer 2. It is a predictable result of the Fibre Channel community’s lame attempts to head off iSCSI by putting FCP directly over Ethernet (FCoE).

This basically reflects an attitude of “my traffic is so special, it can’t be allowed to mingle with unwashed Ethernet packets”, and reminds me of how France Telecom Labs circa 1996 was very proud to show a prototype of “World Wide Web without requiring the use of IP”, as if the fact the web uses IP rather than ATM was a barrier to adoption, rather than a success factor…

The reason why Ethernet is so phenomenally successful is that it is simple, easy to implement and cheap. Any attempts to add complexity will only delay time to market, limit economies of scale and add cost, until whatever comes out becomes just as expensive as the Fibre Channel ports and adapters the whole world is trying to ditch in favor of fast, inexpensive vanilla Ethernet. Then again vendors like Brocade grew fat on gouging Fibre Channel customers and hope they can reverse the trend of commodification and keep on with their little racket.

It’s just not going to happen, specially in a tough economic environment where IT expenditures are contracting and any attempt by vendors to foist their overpriced proprietary dead-end marketectures will be treated harshly by buyers.

Unbound from djbdns

I am experimenting with IPv6 at home using Hurricane Electric’s free tunnel broker. I had to upgrade my Cisco 877 router’s RAM, flash and software to get IPv6 support, and also my local caching DNS resolver, dnscache. There are IPv6 patches for djbdns, but since I installed them my DNS lookups seem slow. Using snoop and ethereal, it looks like the behavior of the server with or without the patches is quite different.

Considering the fact that djbdns has not had an official update since 2001, only collections of patches from third-parties, it was time to change, even though it was immune by construction to the Kaminsky bug. I opted for unbound from the same people who wrote the high-performance NSD server used on the RIPE root nameserver. It has a relatively simple architecture design for performance and security, and it supports DNSSEC, something that will become increasingly important.

While the configuration file format for unbound is simple, unlike the nightmare that is BIND, the devil in the details made the migration more painful than it ought have been, thanks in part to my split-horizon DNS configuration for machines on my local subnet. I don’t know if it is placebo effect, but my queries now feel faster.

US banks lag behind in secure email adoption

My banks send me monthly reminders when a statement is ready, but I have to log onto their site to actually get it. This is quite annoying, I would much rather have them simply attach the statements to the notification emails, but I can understand their security concerns. The current system does encourage bad habits that can be exploited by phishers, however.

One of my colleagues informed me that in Japan, banks will actually send them by email using S/MIME public key encryption. I have a S/MIME certificate courtesy of the Thawte web of trust (in fact I am also a Thawte WOT notary) but no US bank that I know of supports this. Secure email adoption is so low in no small part due to the NSA’s successful campaign to make encryption inconvenient to obtain. All major email clients support it (Outlook, Apple Mail.app, Thunderbird, and so on), but webmail users don’t even have the option. This is just another illustration of how the US is lagging behind Asia and Europe in Internet adoption.