L'uso di questo sito
autorizza anche l'uso dei cookie
necessari al suo funzionamento.
(Altre informazioni)

Thursday, February 12, 2015

Un normale pomeriggio di follia informatica

12:58 monitor di destra Acer 22", 1680x1050

12:59 xlock 

13:00 pranzo

13:58 x(un)lock 

13:59 monitor di destra zoomato, sfocato
14:00 monitor [on]*[off]

14:01 ma BIOPARCO

14:02 accessibility-zoom-unzoom
       shift f1..12

14:07 system->displays
       monitor di destra sconosciuto, 1024x678

       cold reboot
       [ring si potrebbe riavere la posta eliminata di un'oretta fa?> (wut)

15:00 google 'cinnamon linux Acer 22" lost resolution'
       (About 599,000 results)
       # cvt 1680 1050
       # xrandr --newmode  "1680x1050_60.00"  146.25  1680 1784 ...
       # xrandr --addmode VGA-0 "1680x1050_60.00"
       # arandr
       [provision hosting]
       [ring..."Scusi ma lei mi può far capire chi è anonymous?"]
       (mi fanno male gli occhi - forse è il monitor)
       # less /var/log/Xorg.log
       # zless /var/log/Xorg*.*log*

16:00 OK, generiamo xorg.conf 
       cold reboot
       xorg.conf EPIC FAIL (strano, non capisco come mai)
       # rm /etc/X11/xorg.conf

16:45 ricerca altro monitor (no)
       comincia ordine monitor nuovo
       [sospetto - pink panther theme]
       disconnetti cavo di alimentazione monitor dx
       riconnetti cavo di alimentazione monitor dx

16:55 monitor di destra Acer 22", 1680x1050

17:00 rage⚓tilt⚓cringe⚓rage⚓cringe⚓tilt@#☽☾!⚒


Saturday, February 7, 2015

I may not know much math, but...

Economics is possibly the only quantitative discipline where opinions are expressed, and solutions proposed, by persons who were never quite successful in mastering long division.

Friday, February 6, 2015

On converting openssh's id_rsa.pub to openssl, interface design, and lazy people

I just spent two hours trying to find the information needed to convert an openssh public key to openssl format (All hail and kudos to Lars and his awesome post on the subject). It has been a fun time, spent amongst acronyms such as PEM, DER, PKCS#1, PKCS#8, ASN1.1 and content-rich error messages suc as "cannot uudecode" and "Expected PUBLIC_KEY".

So, how is this different from a standard day at the office? In a way it is not - after all,This is not the first time I meet the SSL zoo and wrestle with it. It's just the fact that this kind of wrestling is becoming more and more frequent, as demands for encryption grow - courtesy of the Snowden-NSA snafu.

Problem: the entire field is way too mysterious, laden with three-letter acronyms, and dark corners that nobody cares to document.

Even worse, this is all FOSS software, that should put a premium on good software engineering, be standards minded, have good documentation.

Sheesh. Take my problem. ssh comes with a tool (ssh-keygen) that generates the public/private key pair for ssh usage. Given the private key, you can always reconstruct the public part:

# ssh-keygen -y -f ~/.ssh/id_rsa > ~/.ssh/id_rsa.pub

The private key is in a format (PKCS#1, PEM-encoded) that openssl understands. Crucially, the .pub file is in a different, largely undocumented, format. And my problem was: convert the .pub part of an openssh key pair to an openssl compatible format without having access to the private part. In fact. If the private key is available, that is easy:

# openssl rsa -in mykey.pem -pubout > mykey.pub

Most of my time was spent in finding out that - if you have access to openssh 5.6 and later (not to be found on several servers, chiefly the RHEL6 based ones) ssh-keygen will do the deed for you:

# ssh-keygen -e -m pem -f id_rsa.pub

But God helps you if your version is less than 5.6, because - in that that case - ssh-keygen will happily perform several tricks on your .pub file except the one that's needed. And openssl. will not help either. So what you need is a custom program (Hello, Lars!) - and not even one that any schmuck could write.

Which takes me to my rant.

Why is the field of encryption cursed with scores of obscure, incompatible formats that almost no one cares to make explicit (yes that's PEM, DER, PKCS#1, PKCS#8, ASN1.1, BER...I could go on, but won't). Why do we need more than one? (because none of these formats is worth its salt, that's why)
And, most importantly, why none of the aforementioned formats is self documenting? Why won't the toolset be so kind to inform its user on what's going on, or even, for God's sake agree with itself?

Take Bob - a not very experienced, not very cultured sysadmin which receives a file named fubar. Bob's task is to figure it out. Now, Bob suspects fubar may have something to do with encryption (generally) and openssl (specifically). So, being a sysadmin, Bob tries to throw the toolset at fubar.

If the toolset was sane that's what would happen:

# openssl fubar
RSA Public-Key: (2048 bit)

But the toolset is insane, so what actually happens is this:

# openssl fubar
openssl:Error: 'fubar' is an invalid command.
[...Bob selects a random command and tries again...]

# openssl x509 fubar
unknown option fubar
usage x509 args
[...Bob reads usage....] 

#openssl x509 -in fubar
unable to load certificate
140191632783176:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE

[man openssl,head,..... gotta be a public key (rsa? dsa? coin toss)]

# openssl rsa -in fubar
unable to load Private Key
140524681410376:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: ANY PRIVATE KEY

[...time and 10001 curses pass....]

# openssl rsa -pubin -text -in fubar
Public-Key: (2048 bit)

Note that, throughout this process,  Bob is not gaining any useful insight on the world of encryption, data security, etc. He is just being trained with electric shocks, mouse-in-a-maze like, to remember the quirks of one of the quirkiest user interfaces ever.

I find the bit where "openssl rsa -in " refuses to yield any information on fubar unless the right switch is flipped particularly delightful. This is bad interface design at its finest: it doesn't get any worse than that.

The rant would go on (why do CAs that have certificate chains do not distribute them along with their certificates? and why o why cannot it be all in the same file? and why o why o why they change it every other Wednesday and hide it in a different web place? and why o why o why o why if you forego the chain file - whose internal composition has to be guessed by trial-and-error -  browsers react as if your cert had been signed by George "Baby Face" Nelson?) but I feel that, for today, this may be enough.

Next guy that tells me "You know, people don't really care about data privacy, 'cos they're lazy", ends up on a gore image board. I guarantee it.

P.S.: Don't get me wrong: I do think that openssl and openssh are a godsend gift to the computing world, and I am thankful for that. But their UIs? Ouch.

Thursday, February 5, 2015

Guardi, io non ho mai capito la matematica

L'economia è forse l'unica disciplina numerica in cui vengono espresse opinioni e proposte soluzioni anche da chi non ha mai capito a fondo le divisioni a due cifre.