sferik has quit [Quit: Computer has gone to sleep.]
sferik has joined #rubygems-trust
gcoderre has joined #rubygems-trust
gcoderre has quit [Quit: gcoderre]
bradland has quit [Read error: Connection reset by peer]
bradland has joined #rubygems-trust
chemosh has quit [*.net *.split]
ldk has quit [*.net *.split]
oddmunds has quit [*.net *.split]
sferik has quit [*.net *.split]
drbrain has quit [*.net *.split]
alexspeller has quit [*.net *.split]
tarcieri has quit [*.net *.split]
samkottler has quit [*.net *.split]
lmarburger has quit [*.net *.split]
jstr has quit [*.net *.split]
nirix has quit [*.net *.split]
brownies has quit [*.net *.split]
pietr0 has quit [*.net *.split]
billdingo has quit [*.net *.split]
havenn_ has quit [*.net *.split]
qmx|away has quit [*.net *.split]
conner has quit [*.net *.split]
Antiarc has quit [*.net *.split]
autumn has quit [*.net *.split]
Leeky has quit [*.net *.split]
brycek has quit [*.net *.split]
raggi has quit [*.net *.split]
dbussink has quit [*.net *.split]
indirect has quit [*.net *.split]
ged has quit [*.net *.split]
Mopman has quit [*.net *.split]
calmyournerves has quit [*.net *.split]
jamesgolick has quit [*.net *.split]
ereslibre_laptop has quit [*.net *.split]
bradland has quit [*.net *.split]
teancom has quit [*.net *.split]
kseifried has quit [*.net *.split]
dstufft has quit [*.net *.split]
raz has quit [*.net *.split]
sj26 has quit [*.net *.split]
cschneid has quit [*.net *.split]
namelessjon has quit [*.net *.split]
whitequark has quit [*.net *.split]
manveru has quit [*.net *.split]
ldk has joined #rubygems-trust
raz has joined #rubygems-trust
chemosh has joined #rubygems-trust
cschneid has joined #rubygems-trust
whitequark has joined #rubygems-trust
ereslibre_laptop has joined #rubygems-trust
theartisan has joined #rubygems-trust
bradland has joined #rubygems-trust
pietr0 has joined #rubygems-trust
calmyournerves has joined #rubygems-trust
brycek has joined #rubygems-trust
dbussink has joined #rubygems-trust
sj26 has joined #rubygems-trust
kseifried has joined #rubygems-trust
samkottler has joined #rubygems-trust
tarcieri has joined #rubygems-trust
Leeky has joined #rubygems-trust
Mopman has joined #rubygems-trust
nirix has joined #rubygems-trust
brownies has joined #rubygems-trust
conner has joined #rubygems-trust
lmarburger has joined #rubygems-trust
oddmunds has joined #rubygems-trust
alexspeller has joined #rubygems-trust
manveru has joined #rubygems-trust
raggi has joined #rubygems-trust
dstufft has joined #rubygems-trust
namelessjon has joined #rubygems-trust
indirect has joined #rubygems-trust
havenwood has joined #rubygems-trust
teancom has joined #rubygems-trust
autumn has joined #rubygems-trust
ged has joined #rubygems-trust
jamesgolick has joined #rubygems-trust
billdingo has joined #rubygems-trust
qmx|away has joined #rubygems-trust
Antiarc has joined #rubygems-trust
havenwood has quit [Remote host closed the connection]
havenwood has joined #rubygems-trust
havenwood has quit [Ping timeout: 252 seconds]
havenwood has joined #rubygems-trust
qmx|away is now known as qmx
ezkl has joined #rubygems-trust
qmx is now known as qmx|away
<raggi>
kseifried: pong
<raggi>
kseifried: and ping, heh
<kseifried>
whut
<kseifried>
there we go
<kseifried>
?
<raggi>
kseifried: hey, sorry
<raggi>
kseifried: i did the releases for those CVEs
<kseifried>
which ones?
<kseifried>
I think I'm on like CVE #10 or 12 today =)
<raggi>
kseifried: the two rack ones, 262 and 263
<kseifried>
ah ok
<kseifried>
on oss-sec?
<raggi>
sent mails to oss-security too, but it looks like they're in the moderation queue
<kseifried>
ahh yeah
<kseifried>
you're not subscribed? =)
<kseifried>
I'm not gonna make vdanen approve so I'll see tomorrow
<kseifried>
raggi: can you cc me a copy?
<raggi>
yep
<kseifried>
thanks
<kseifried>
can I consider it public and do it in our bz publicly?
<raggi>
sent, yes
<raggi>
bz?
<raggi>
yes
teancom has left #rubygems-trust ["Leaving..."]
<kseifried>
this way future kurt will swear at present kurt less
<kseifried>
moar ruby bugs!
<raggi>
squish squish
<raggi>
so
<raggi>
i found out today that the timing attack had been reported by coda hale about 3 years ago, but it was not handled or reported anywhere else then
<raggi>
i even responded to the thread, but i was naive and stupid then
<kseifried>
haha
<kseifried>
this is one reason to get CVEs
<kseifried>
provides a record/ease of search
<tarcieri>
kseifried: so uhh, I went by bascule on #linux
<tarcieri>
remember that?
<kseifried>
also puts it up on a TON of radars
<kseifried>
dude
<kseifried>
I vaguely remember what I had for breakfast
<tarcieri>
lol
<kseifried>
if I think for a minute
<tarcieri>
k
<tarcieri>
do you remember Innocent1?
<tarcieri>
lol
<kseifried>
vaguely
<kseifried>
I remember treed
<tarcieri>
he took over the channel after Maelcum left
<kseifried>
I thought maelcum was treed?
<tarcieri>
and was like some kind of insane nazi dictator
<tarcieri>
yeah
<tarcieri>
Tracy Reed
<kseifried>
yah
<tarcieri>
right?
<kseifried>
yeah
<kseifried>
went to mp3.com or something
<tarcieri>
yeah
<tarcieri>
do you remember straylight.ultraviolet.org?
<tarcieri>
lol
<kseifried>
vaguely
<tarcieri>
lol
<tarcieri>
I remember you bro, although... somewhat vaguely
<kseifried>
sorry the last month has been especially crazy
<tarcieri>
your first name's Kurt right?
<kseifried>
yah
<kseifried>
kurt.seifried.org, etc
<kseifried>
all the same
<tarcieri>
so says ircname
<tarcieri>
heh
<tarcieri>
yeah in the before time, in the long long ago
<tarcieri>
when I had to set up chat and pppd
<tarcieri>
fun
<kseifried>
oh god pppd
<kseifried>
which was better than slip
<tarcieri>
and I was running Slackware 2.3 with a Linux 1.2.8 kernel with a.out and libc5
<kseifried>
my kids will never know network setup :P
<kseifried>
just plug it in, turn it on, poof! it works
<tarcieri>
lol
* raggi
has serious deja vu
<raggi>
didn't you two have this conversation earlier this week?
<tarcieri>
yeah, a bit
<tarcieri>
just double checking
<tarcieri>
heh
<raggi>
pretty sure it started the exact same way
<tarcieri>
I asked kseifried about Scrye, heh
<tarcieri>
I think I'm still on that channel too
<tarcieri>
or maybe not
<raggi>
kseifried may have said something about forgetting what he had for lunch instead of for breakfast, but other than that
<raggi>
hehe
<tarcieri>
kseifried: you know Scott Baron right?
<tarcieri>
wtf was his IRC name
<kseifried>
well it's confusing too because I eat two meals a day usually
<tarcieri>
he's on Twitter as @rubyist
<tarcieri>
oh right, Kain
<tarcieri>
he was like... Rails core really early on
<raggi>
i just blocked out the entire day for documentation tomorrow
<kseifried>
and i tend to eat a breakfast style meal maybe 2-3 times a week
<tarcieri>
I remember him being all into Python super early on
* raggi
feels burned
<tarcieri>
like 1996
<kseifried>
raggi: hahaha yeah I wish I could, too many fires to put out
<raggi>
kseifried: i had several p0 and p1's at work this week too
<raggi>
er, actually, no p0's
<raggi>
but still
<raggi>
those were actually much easier to deal with than the rack stuff
<raggi>
releasing 5 versions is arduous
<raggi>
even though almost all of the actual file release and shipping process is automated now
<raggi>
problem is, rails 2.3.x depends on rack 1.1.x, so no EOL for that shit for a while yet
<raggi>
oh fuck
<raggi>
i forgot to backport the JSON cookie coder to 1.4.x
<raggi>
oh well
<kseifried>
huh
<kseifried>
so the rack patches aren't complete?
<raggi>
they are
<raggi>
that oversight has no impact on security
<kseifried>
ah ok
<raggi>
i wanted to backport the json cookie coder to the 1.4.x series to provide people with a longer, easier path to switch to it
* kseifried
goes about his ignorant but happy life
<raggi>
at the moment we use marshal for cookie encoding, which is inherently dangerous as the only thing between the happy life and an RCE is an hmac
<kseifried>
well I guess the good news is only google and amazon have enough compute power to break that =)
<raggi>
when you have a timing attack?
<kseifried>
yeah just precompute the state of the universe
<kseifried>
I assume at this point you guys have enough computers to do that
<raggi>
AWS -> AWS timing attack against hmac is probably viable in a matter of hours
<raggi>
without significant numbers of computers
<raggi>
i've been meaning to write a poc for this anyway
<raggi>
based on the ssl paper
<raggi>
heh
<raggi>
random idea
<kseifried>
yeah AWS worries me for timing attacks because there's like no network jitter
<raggi>
on 40x, proxies could add non-uniform noise to the timings
<kseifried>
except for a spike I see every 24 hours for a few seconds
<kseifried>
no clue what that's about
<raggi>
probably wouldn't be harmful, and might help
<raggi>
don't question the aws voodoo child
<raggi>
otherwise they'll take down us-east again
<kseifried>
I love it when people ask me what the root cause is
<kseifried>
"who knows? who cares. make more instances!"
<raggi>
lol
<raggi>
it could be customer created
<kseifried>
seriously. I don't even turn it off and back on anymore
<raggi>
or anything
<kseifried>
I was running smokeping
<kseifried>
it was most of east-1
<kseifried>
very odd
<kseifried>
but like I said, meh. nothing I can do
<kseifried>
heck when I asked if they planned to ever support IPv6 they wanted me to sign an NDA
<kseifried>
they won't share ANYTHING without an NDA
<raggi>
tarcieri: so, that diagram basically says it'd take hours against a reasonably sized load balanced app
<tarcieri>
raggi: confirm, timing attacks are hard
<raggi>
tarcieri: assuming the trend stays roughly normal, and proportional
<raggi>
tarcieri: hours isn't hard
<raggi>
hours is easy
<raggi>
:)
<tarcieri>
true, but
<tarcieri>
hopefully you have SOME type of alerting that would notice
<tarcieri>
someone spamming you with asstons of fucking traffic
<tarcieri>
but maybe you don't
<raggi>
yerrr
<raggi>
so
<tarcieri>
*shrug*
<raggi>
it's hard to do this to many rails apps
<raggi>
because
<raggi>
they sit there and send a shitton of email when you do it
<raggi>
tarcieri: i feel a new twitter account coming on
<tarcieri>
lol
<tarcieri>
SecurityProtips?
<raggi>
haha
<raggi>
use an ecb mode
<kseifried>
I was talking to a guy who went to yahoo to do security response
<kseifried>
he ended up quitting after a few months because their abuse response covered the network facing attacks and they were so used to heavy constant attacks the security team had nothing much to do
<kseifried>
I think that's the new standard, like no-one actually looks at logs and complains about port scans anymore
<raggi>
i read logs for one of my servers still
<raggi>
but yeah, the ssh shit
<raggi>
i just pattern match
<raggi>
% uptime
<raggi>
6:21AM up 1040 days
<raggi>
^^^ that box
<kseifried>
kernel sploits FWT
<kseifried>
FTW
<raggi>
its bsd
<raggi>
trololol
<kseifried>
I like to reboot and make sure things reboot properly. old skool
<raggi>
i don't want to reboot this machine
<raggi>
i'm afraid if the harddrive parks
<raggi>
it won't come back
<raggi>
it was up for 860+ days before the last restart
<kseifried>
hahaha
<raggi>
it's getting kinda old
<kseifried>
yeah
<raggi>
it only restarted because they moved the whole data center
<raggi>
wanna know the funniest thing
<raggi>
its motd
<raggi>
has this reminder:
<raggi>
TODO: Configure FreeBSD Firewall
<raggi>
:D
<kseifried>
firewalls are so 2010
<raggi>
ah, well, i guess that todo was ahead of its time, and now expired then
<kseifried>
all my stuff is basically cloud service now. very 2012.
<kseifried>
I need to get ahead of the curve, maybe a biological DNA version of my website
<kseifried>
consume by inhaling it as a nasal spray?
<raggi>
lol
<raggi>
well, that box is pretty secure
<raggi>
i can basically give out connection strings to the pg instance on it
<raggi>
and be relatively sure, apart from some pg vuln
<raggi>
that you can't do shit
<raggi>
all you get to do
<raggi>
is call a login function in the login schema
<raggi>
which then, if you auth, it gives you back new creds to re-auth with
<raggi>
totally excessive, esp. for what it does these days