5 days Ago
Much of the Internet has been affected by the Heartbleed (Wikipedia) vulnerability in the widely used OpenSSL server-side software. The bug effectively allows anyone to collect random data from the memory of machines running the affected software, which was about 60% of encrypted sites worldwide. A massive cleanup effort ensued, but the vulnerability has been in the software for two years, so there’s no telling how much information was stolen in the interim.
The OpenSSL software is used not only to encrypt HTTPS connections to web servers but also to generate the certificates that undergird those connections as well as many PKIs. Since data could have been stolen over a period of two years, it should be assumed that certificates, usernames and passwords have been stolen as well. Pessimism is the only sure way.
In fact, any data that was loaded into memory on a server running a pre-Heartbleed version of the OpenSSL software is potentially compromised.
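The bug described above reduced to its essential check, as an added example rather than OpenSSL's own code: a simplified heartbeat handler that shows the peer-supplied length the vulnerable code trusted next to the bounds check the fix introduced. The record layout follows RFC 6520 and the two sample records are constructed.

```c
#include <stdint.h>
#include <string.h>
/* Simplified TLS heartbeat record (RFC 6520): 1 type byte, 2-byte big-endian
 * payload length, the payload, then at least 16 bytes of padding.
 * rec_len is the number of bytes actually received for the record. */
#define HB_REQUEST    1
#define HB_RESPONSE   2
#define HB_HDR        3
#define HB_MIN_PAD    16
#define HB_SAMPLE_LEN 24  /* both constructed records below are 24 bytes */

/* Constructed sample: honest peer claims 5 bytes and sends "hello" plus padding. */
static const uint8_t HB_HONEST[HB_SAMPLE_LEN] =
    { HB_REQUEST, 0x00, 0x05, 'h','e','l','l','o', 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 };
/* Constructed sample: identical on the wire except the length field claims 65535. */
static const uint8_t HB_OVERCLAIM[HB_SAMPLE_LEN] =
    { HB_REQUEST, 0xFF, 0xFF, 'h','e','l','l','o', 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 };

/* The length the vulnerable handler trusted; it was never compared to rec_len. */
static size_t hb_declared_len(const uint8_t *rec) {
    return ((size_t)rec[1] << 8) | rec[2];
}

/* Bytes beyond the received record that copying hb_declared_len() bytes would
 * read; 0 means the claim fits inside what actually arrived. */
static size_t hb_overread(const uint8_t *rec, size_t rec_len) {
    size_t declared = hb_declared_len(rec);
    size_t available = rec_len > HB_HDR ? rec_len - HB_HDR : 0;
    return declared > available ? declared - available : 0;
}

/* Hardened check in the shape of the fix: header + claimed payload + minimum
 * padding must fit in rec_len. Returns the payload length, or -1 to discard. */
static long hb_validate(const uint8_t *rec, size_t rec_len) {
    if (rec_len < HB_HDR + HB_MIN_PAD) return -1;           /* too short to trust the length field */
    if (rec[0] != HB_REQUEST && rec[0] != HB_RESPONSE) return -1;
    size_t payload = hb_declared_len(rec);
    if (HB_HDR + payload + HB_MIN_PAD > rec_len) return -1; /* the bounds check that was missing */
    return (long)payload;
}

/* Echo the payload only after validation. Returns the response length, or -1. */
static long hb_respond(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    long payload = hb_validate(rec, rec_len);
    if (payload < 0 || HB_HDR + (size_t)payload + HB_MIN_PAD > out_cap) return -1;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, (size_t)payload);
    memset(out + HB_HDR + payload, 0, HB_MIN_PAD);  /* TLS pads with random bytes; zeros keep this deterministic */
    return HB_HDR + payload + HB_MIN_PAD;
}
```

Feeding the same 24 bytes through both paths shows the difference: the honest record validates and is echoed, while the over-claiming record is discarded instead of being answered with 65514 bytes it never sent.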
How to respond
So we should all generate new certificates, ensuring that the root certificate from which we generate has also been re-generated and is clean. We should also choose new passwords for all affected sites. I use LastPass to manage my passwords, which makes it much easier to use long, complicated and most importantly unique passwords. If you’re not already using a password manager, now would be a good time to start.
And this goes especially for those who tend to reuse their password on different sites. If one of those sites is cracked, then the hacker can use that same username/password combination on other popular sites and get into your stuff everywhere instead of just on the compromised site.
Though there are those who are blaming open-source software, we should instead blame ourselves for using software of unknown quality to run our most trusted connections. That the software was designed and built without the required quality controls is an entirely different issue.
An advantage of open-source software is that at least we can pinpoint exactly when a bug appeared. Another is that the entire codebase is available to all, so others can jump in and try to fix it. Sure, it would have been nice if the expert security programmers of the world had jumped in earlier, but better late than never.
The site OpenSSL Rampage follows the efforts of the OpenBSD team to refactor and modernize the OpenSSL codebase. They are documenting their progress live on Tumblr, which collects commit messages, tweets, blog posts and official security warnings that result from their investigations and fixes.
They are working on a fork and are making radical changes, so it’s unlikely that the changes will be taken up in the official OpenSSL fork but perhaps a new TLS/SSL tool will be available soon.
VMS and custom memory managers
The messages tell tales of support for extinct operating systems like VMS; keeping such systems supported makes the code that supports current OSs much more complicated. This complexity, in turn, hides further misuses of
Lots o’ cruft
This all sounds horrible, and one wonders how the software ran at all. Don’t worry: the code base contains a tremendous amount of cruft that is never used. It is compiled and still included, but it acts as a cozy nest of code that is wrapped around the actual code.
There are vast swaths of script files that haven’t been used for years that can build versions of the software under compilers and with options that haven’t been seen on this planet since before... well, since before Tumblr. For example, there’s no need to retain a forest of macros at the top of many header files for the Metrowerks compiler for PowerPC on OS9. No reason at all.
There are also incompatibly licensed components in regular use as well as those associated with components that don’t seem to be used anymore.
Modes and options and platforms: oh my!
There are compiler options for increasing resiliency that seem to work. Turning these off, however, yields an application that crashes immediately. There are clearly no tests for any of these modes. OpenSSL sounds like a classically grown system that has little in the way of code conventions, patterns or architecture. There seems to be no one who regularly cleans out and decides which code to keep and which to make obsolete.
Security professionals wrote this?
This is to say nothing of how their encryption algorithm actually works. There are tales on that web site of the developers desperately having tried to keep entropy high by mixing in the current time every once in a while. Or even mixing in bits of the private key.
A lack of discipline (or skill)
The current OpenSSL codebase seems to be a minefield for security reviewers or for reviewers of any kind. A codebase like this is also terrible for new developers, the onboarding of which you want to encourage in such a widely used, distributed, open-source project.
Instead, the current state of the code says: don’t touch, you don’t know what to change or remove because clearly the main developers don’t either. The last person who knew may have died or left the project years ago.
It’s clear that the code has not been reviewed in the way that it should be. Code on this level and for this purpose needs good developers/reviewers who constantly consider most of the following points during each review:
Living with OpenSSL (for now)
It sounds like it is high time that someone does what the BSD team is doing. A spring cleaning can be very healthy for software, especially once it’s reached a certain age. That goes double for software that was blindly used by 60% of the encrypted web sites in the world.
It’s wonderful that OpenSSL exists. Without it, we wouldn’t be as encrypted as we are. But the apparent state of this code bespeaks of failure to manage on all levels. The developers of software like this must be better than this. They must be the best of the best, not just anyone who read about encryption on Wikipedia.
OpenSSL will be with us for a while. It may be crap code and it may lack automated tests, but it has been tested and used a lot, so it has earned a certain badge of reliability and predictability. The state of the code means only that future changes are riskier but not that the current software is not usable.
Knowing that the code is badly written should make everyone suspicious of patches—which we now know are likely to break something in that vast pile of C code—but not suspicious of the officially supported versions from Debian and Ubuntu (for example). Even if the developer team of OpenSSL doesn’t test a lot (or not automatically for all options, at any rate—they may just be testing the “happy path”), the major Linux distros do. So there’s that comfort, at least.
6 days Ago
In the first installment, we covered the basics of mixing custom SQL with ORM-generated queries. We also took a look at a solution that uses direct ADO database access to perform arbitrarily complex queries.
In this installment, we will see more elegant techniques that make use of the
tl;dr: Skip to attempt #5 to see the final result without learning why it’s correct.
Attempt #1: Replacing the entire query with custom SQL
An application can assign the
This example solves two of the three problems outlined above:
Let’s see if we can address the third issue by getting Quino to format the
Attempt #2: Generating the
1 week Ago
The Quino ORM manages all CrUD—Create, Update, Delete—operations for your application. This basic behavior is generally more than enough for standard user interfaces. When a user works with a single object in a window and saves it, there really isn’t that much to optimize.
A more complex editing process may include several objects at once and perhaps trigger events that create additional auditing objects. Even in these cases, there are still only a handful of save operations to execute. To keep the architecture clean, an application is encouraged to model these higher-level operations with methods in the metadata (modeled methods).
The advantage to using modeled methods is that they can be executed in an application server as well as locally in the client. When an application uses a remote application server rather than a direct connection to a database, modeled methods are executed in the service layer and therefore have much less latency to the database.
When Quino’s query language isn’t enough
If an application needs even more optimization, then it may be necessary to write custom SQL—or even to use stored procedures to move the query into the database. Mixing SQL with an ORM can be a tricky business. It’s even more of a challenge with an ORM like that in Quino, which generates the database schema and shields the user from tables, fields and SQL syntax almost entirely.
What are the potential pitfalls when using custom query text (e.g. SQL) with Quino?
There are two approaches to executing custom code:
All of the examples below are taken directly from the Quino test suite. Some variables—like
Using ADO directly
You can use the
The first example shows a test from the Quino framework that shows how easy it is to combine results returned from another method into a standard Quino query.
The ADO-access code is hidden inside the call to
There are a few drawbacks to this approach:
In the second part, we will improve on this approach by using the
Stay tuned for part 2, coming soon!
Many thanks to Urs for proofreading and suggestions on overall structure.
 This article uses features of Quino that will only become available in version 1.12. Almost all of the examples will also work in earlier versions but the
 More likely, though, is that the Quino schema migration will be prevented from applying updates if there are custom stored procedures that use tables and columns that need to be changed.↩
Mixing your own SQL into Quino queries: part 1 of 2
 In IMDb, it looks like this was Hauer’s first American movie—everything else before that was Dutch.↩
 I have that one in my list of thrillers to watch, but this one came on TV instead.↩
3 weeks Ago
She tells of Cecily McMillan, who was beaten into a seizure by police officers and who two years later stands trial for assaulting a police officer, facing seven years in prison. The officer’s record of having beaten other suspects was deemed inadmissible.
Or there is the other recent case of a black woman who tried to stand her ground, as others have successfully done. She fired a warning shot into the air, killing no one, not even wounding anyone. These were the actions of “Marissa Alexander, a PhD and mom who [wanted to] stop her husband from beating her.” That’s not a good reason, is it? Are we even sure that her husband isn’t allowed to beat her in that state? And that’s not nearly as good a reason as the one the guy who killed a boy in the back seat of his SUV for playing music too loud had. Not guilty! But Marissa’s going to go away for a long time for her transgression.
Who does this uppity woman think she is? Does she think she’s white? Rich? A citizen? A human being? Do not speak of justice in a system that produces hypocrisy on this scale. And the system does everything it can to make being poor or disadvantaged increase chances of prosecution dramatically.
We still have jury trials in the States; this means that non-professional, easily misled and nigh-constantly deluded undereducated head-cases are deciding your fate. Those are your peers. They can’t string two logical sentences together; what are the odds that they can wend their way through the facts of the case to come to a just conclusion? Nearly zero. What are the odds that they will decide your fate based on how you dress or act rather than evidence? Nearly certain.
And people who haven’t yet been convicted are made to suffer beforehand. The unconvicted are left to stew behind bars because they can’t afford ridiculous bail. The homeless guy who was recently broiled to death in Rikers Island because he couldn’t pay $2500 for bail on his charge of loitering was in jail for this reason. He was luckier than the homeless guy in the Southwest U.S. who was executed by police officers for the same crime. Sure, those are anecdotes, but that doesn’t change the fact that “[…] the average defendant [is] a person of colour charged with a drug crime.” And more and more prisoners are going away for longer sentences; more and more people are taking years before they get their trial.
As mentioned above, 95% just take the plea bargain in order to get some form of a life back. This is a life with a felony record and drastically reduced chances of making anything of yourself in a society that hates its ex-cons.
If you don’t plea out, you lose your life savings and may still go to jail. If you do plea out, you lose all chance of ever making decent money again. You see? In America, you still have the freedom to choose.