OK, turing.

<- leave blank

Fri Jun 24 08:02:24 EDT 2022

/tmp ; cat f.c; 8c f.c; 8l f.8; 8.out; webpaste /dev/text
#include <u.h>
#include <libc.h>

typedef struct List List;
struct List {
	int n;
	List *next;
};

void
main(int argc, char *argv[])
{
	List *l;
	int wtf[1];

	print("%p\n", &l);
	print("%p\n", &l->next);
	print("%p\n", &l->next->next);
}
dfffef60
4
8.out 1712: suicide: sys: trap: fault read addr=0x4 pc=0x0000105c


Fri Jun 24 07:58:44 EDT 2022
/tmp ; cat f.c && 8c f.c && 8l f.8 && 8.out
#include <u.h>
#include <libc.h>

typedef struct List List;
struct List {
	int n;
	List *next;
};

void
main(int argc, char *argv[])
{
	List *l;

	print("%p\n", &l);
	print("%p\n", &l->next);
	print("%p\n", &l->next->next);
}
dfffef60
4
8.out 1618: suicide: sys: trap: fault read addr=0x4 pc=0x0000105c
/tmp ; cat /dev/text | webpaste
webwaste: './webwaste' file not found
/tmp ; cat /dev/text | webpaste


Thu Jun 23 20:14:25 EDT 2022
Date: Thu, 01 Feb 2018 09:29:21 +0000
From: Daniel Margolis <dmargolis@google.com>
To: khm@sciops.net
Cc: draft-ietf-uta-mta-sts@ietf.org
Subject: Re: draft-ietf-uta-mta-sts

[-- OpenSSL output follows (current time: Thu Jun 23 17:14:01 2022) --]
[-- End of OpenSSL output --]

[-- The following data is signed --]

Hey,

You're definitely making a sane observation.  This came up a bunch of times
in the past; in fact, I wrote a short (and really now quite outdated) FAQ
on this at one point in the now-distant past:
https://github.com/mrisher/smtp-sts/wiki/Why-not-support-DNSSEC.

Tldr:

We did originally want to use DNS; in fact, when we were originally
exploring ideas, I had originally wanted not to use HTTP at all, and just
kind of use some plaintext DNS something something (say, stick a signed
policy with the signature in a TXT record)--but that's not really feasible,
since many DNS servers/hosts/infrastructure cap the size of/number of TXT
records, so it's hard to fit the whole cert chain to use CA-signed certs to
sign random blobs like that.  So then the next idea was to allow people to
optionally use DNSSEC to broadcast their signature--but if you can do
DNSSEC, why not just do DANE?

Ultimately, as problematic as it is in some ways to require web services to
use STS, our conclusion (documented quite heavily in the archives of the
list, though I can hardly fault you for not wanting to read through it
all!) was that HTTPS was fairly accessible, with fairly well-understood
semantics of cert validity and so forth.

Hope that helps.

Dan


On Thu, Feb 1, 2018 at 2:51 AM Kurt H Maier <khm@sciops.net> wrote:

> Is it the intention of this document to effectively require all
> compliant MTAs to also implement web services?  Is there a particular
> reason that HTTPS is the only supported policy transport?  Would the
> working group be amenable to exploring DNS-only methods for expressing
> MTA-STS policy?
>
> Thanks,
> khm
>

[-- End of signed data --]


Thu Jun 23 20:12:41 EDT 2022
Date: Fri, 02 Feb 2018 07:12:55 +0000
From: Daniel Margolis <dmargolis@google.com>
To: khm@sciops.net
Cc: draft-ietf-uta-mta-sts@ietf.org
Subject: Re: draft-ietf-uta-mta-sts

[-- OpenSSL output follows (current time: Thu Jun 23 17:11:17 2022) --]
[-- End of OpenSSL output --]

[-- The following data is signed --]

On Thu, Feb 1, 2018 at 7:28 PM Kurt H Maier <khm@sciops.net> wrote:

> On Thu, Feb 01, 2018 at 06:05:42PM +0000, Daniel Margolis wrote:
> >
> > I may be misunderstanding you, but absent DNSSEC, it *is* necessary to
> > establish that mx.isp.net is the correct MX for example.com.  Merely
> > authenticating the MX for its hostname is insufficient to prevent a
> > man-in-the-middle attack, since injecting fake MX records is a trivial
> > workaround, right?
> >
>
> Yes, absent DNSSEC, DNS is not secured.  The objection here is that
> instead of recommending the security features of the already-involved
> DNS services, you're recommending a secondary (tertiary?) protocol that
> also does not solve the problem.  If you can inject a fake MX record,
> you can inject a fake A record, and authenticate on bad well-known data.
>

To be clear, if you inject a fake A record, the MTA-STS client will reject
the policy served because the "policy.example.com" MITM won't have a valid
certificate for example.com.  (Assuming, of course, that they don't have a
valid certificate.) So instead of authenticating the MX records directly,
we are in fact authenticating (via the CA signedness) the "acceptable
identities" of the MX hosts (which are themselves also required to be CA
signed).

So STS does not require trusted DNS, which is really a significant
motivator here.  Any changes that did not have those same security
properties in the absence of DNSSEC would be undesirable.

>
> > But I don't have a great answer for you beyond that, and I agree that
> it's
> > feasible to do it all with DNS, at least in concept.
>
> I beg you to consider reintroducing this as an option, even if it's just
> to serve the policy tuples.  That way we can fix the implicit TLS
> situation with SMTP and have a proper, complete solution.
>
> > Zoomed out a bit, I think the big challenge with all of this is
> > retrofitting.  HTTP is in some sense easier, because it's (usually) an
> > interactive user-agent.  So if you fall back to insecure (or encounter
> cert
> > problems) you can tell the user and ask them what to do.  For decades,
the
> > "proper functioning" of HTTPS has been basically to show the user in the
> > event of a downgrade attack (and, like, hope the user notices, which is
> > often futile).
>
> Yes, and machines are much more reliable about rejecting situations
> they've been programmed to reject.  But in this case they're not really
> being given the opportunity here; it's just getting offloaded to a
> client protocol in another stack.  SMTP already has error reporting
> mechanisms and extending with a 'needs tls' error message is trivial and
> simple.
>
> Thanks,
> khm
>

[-- End of signed data --]
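The verification model Dan describes above (a policy fetched over HTTPS that only counts if the server's certificate validates for the policy domain, and MX hosts that are only accepted if they match a listed pattern and themselves present a valid certificate) as an added Python example. This is not code from the draft or its authors: the policy text, the host names and the two TLS-validation booleans are constructed assumptions, and policy caching, the DNS TXT record and the HTTPS fetch itself are left out so the decision logic stands alone.

```python
"""MTA-STS (RFC 8461) policy parsing and MX matching, written as an added
example for the thread above; not code from the draft authors. The policy
text and host names below are constructed sample data."""

from dataclasses import dataclass
from typing import List

# Constructed sample policy, as it would be served from
# https://mta-sts.example.com/.well-known/mta-sts.txt (RFC 8461 section 3.3).
SAMPLE_POLICY = """\
version: STSv1
mode: enforce
mx: mail.example.com
mx: *.example.net
max_age: 604800
"""


@dataclass
class StsPolicy:
    mode: str
    mx: List[str]
    max_age: int


def parse_policy(text: str) -> StsPolicy:
    """Parse a policy body (RFC 8461 section 3.2). Unknown keys are ignored
    for forward compatibility; duplicates of single-valued keys are rejected."""
    single = {}
    mx: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            mx.append(value.lower().rstrip("."))
        elif key in ("version", "mode", "max_age"):
            if key in single:
                raise ValueError(f"duplicate key: {key}")
            single[key] = value
    if single.get("version") != "STSv1":
        raise ValueError("unsupported or missing version")
    if single.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("bad or missing mode")
    if not mx:
        raise ValueError("policy lists no mx patterns")
    try:
        max_age = int(single["max_age"])
    except (KeyError, ValueError):
        raise ValueError("bad or missing max_age") from None
    return StsPolicy(single["mode"], mx, max_age)


def mx_matches(pattern: str, host: str) -> bool:
    """MX pattern matching (RFC 8461 section 4.1): case-insensitive exact
    match, or a leading "*." that matches exactly one label to the left."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                 # "*.example.net" -> ".example.net"
        if not host.endswith(suffix):
            return False
        prefix = host[: -len(suffix)]
        return prefix != "" and "." not in prefix
    return host == pattern


def delivery_decision(policy_text: str, policy_tls_validated: bool,
                      mx_host: str, mx_tls_validated: bool) -> str:
    """The check the mail above describes. The two booleans stand in for the
    TLS validation outcomes a real client obtains from its TLS stack (an
    assumption of this example). Returns a verdict string; no network I/O."""
    # A forged A record for the policy host points at a server whose
    # certificate does not validate for the policy domain, so no policy
    # is obtained from it at all.
    if not policy_tls_validated:
        return "policy-rejected"
    policy = parse_policy(policy_text)
    if policy.mode != "enforce":
        return "deliver"                     # testing/none: report, never refuse
    if not any(mx_matches(p, mx_host) for p in policy.mx):
        return "refuse:mx-not-listed"        # e.g. an injected mx.isp.net
    if not mx_tls_validated:
        return "refuse:mx-cert-invalid"      # listed host, but its cert fails
    return "deliver"
```

The wildcard rule is the part worth getting right: `*.example.net` must cover `smtp.example.net` but neither `example.net` itself nor `a.smtp.example.net`, otherwise a policy becomes broader than its author intended. A real client would also keep the last validated policy for `max_age` seconds and fall back to it when the fetch fails, which this example omits.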


Thu Jun 23 18:27:43 EDT 2022
diff 7ca997bf7efdca16416b22488ebc7b70c419fd44 uncommitted
--- a//sys/include/libsec.h
+++ b//sys/include/libsec.h
@@ -374,6 +374,7 @@
 int pkcs1unpadbuf(uchar *buf, int len, mpint *modulus, int blocktype);
 int asn1encodeRSApub(RSApub *pk, uchar *buf, int len);
 int asn1encodeRSApriv(RSApriv *k, uchar *buf, int len);
+int asn1encodeRSApubSPKI(RSApub *pk, uchar *buf, int len);
 int asn1encodedigest(DigestState* (*fun)(uchar*, ulong, uchar*, DigestState*),
			uchar *digest, uchar *buf, int len);

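Review bot: the new public prototype asn1encodeRSApubSPKI arrives with no documentation change anywhere in this diff; it sits next to asn1encodeRSApub and asn1encodeRSApriv, so the man page that documents those encoders should gain a matching entry saying that this variant emits a SubjectPublicKeyInfo (algorithm identifier plus the PKCS#1 public key as a BIT STRING) rather than the bare RSAPublicKey.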
--- a//sys/src/cmd/auth/rsa2asn1.c
+++ b//sys/src/cmd/auth/rsa2asn1.c
@@ -6,11 +6,12 @@
 #include "rsa2any.h"

 int privatekey = 0;
+char *format = "pkcs1";

 void
 usage(void)
 {
- fprint(2, "usage: auth/rsa2asn1 [-a] [file]\n");
+ fprint(2, "usage: auth/rsa2asn1 [-a] [-f fmt] [file]\n");
	exits("usage");
 }

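Review bot: the new usage line `[-f fmt]` does not say which formats are accepted, and the dispatch later in this diff only accepts `spki` for public keys; suggest spelling them out, e.g. `usage: auth/rsa2asn1 [-a] [-f pkcs1|spki] [file]`, and stating in the usage text that `spki` applies to public keys only.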
@@ -25,6 +26,9 @@
	case 'a':
		privatekey = 1;
		break;
+ case 'f':
+ format = EARGF(usage());
+ break;
	default:
		usage();
	}ARGEND
@@ -32,14 +36,25 @@
	if(argc > 1)
		usage();

+ n = -1;
	if((k = getrsakey(argc, argv, privatekey, nil)) == nil)
		sysfatal("%r");
	if(privatekey){
- if((n = asn1encodeRSApriv(k, buf, sizeof(buf))) < 0)
- sysfatal("asn1encodeRSApriv: %r");
+ if(strcmp(format, "pkcs1") == 0)
+ n = asn1encodeRSApriv(k, buf, sizeof(buf));
+ else
+ sysfatal("unknown format %s", format);
+ if(n < 0)
+ sysfatal("encode: %r");
	}else{
- if((n = asn1encodeRSApub(&k->pub, buf, sizeof(buf))) < 0)
- sysfatal("asn1encodeRSApub: %r");
+ if(strcmp(format, "pkcs1") == 0)
+ n = asn1encodeRSApub(&k->pub, buf, sizeof(buf));
+ else if(strcmp(format, "spki") == 0)
+ n = asn1encodeRSApubSPKI(&k->pub, buf, sizeof(buf));
+ else
+ sysfatal("unknown format %s", format);
+ if(n < 0)
+ sysfatal("encode: %r");
	}
	if(write(1, buf, n) != n)
		sysfatal("write: %r");
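Review bot: the added `n = -1;` is never observed: every branch below either assigns `n` or calls sysfatal, which does not return, so the only thing it can do is quiet a compiler that cannot see sysfatal is terminal; if that is the intent, say so in a comment or drop the line. Two smaller points in the same hunk: the private-key branch reports `spki` as `unknown format %s` although it is a valid format for public keys (a message such as `format spki applies to public keys only` would tell the user what to fix), and the generic `encode: %r` loses the function name that the old `asn1encodeRSApriv: %r` / `asn1encodeRSApub: %r` messages carried.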
--- a//sys/src/libsec/port/x509.c
+++ b//sys/src/libsec/port/x509.c
@@ -788,6 +788,7 @@

	p = &uc;
	err = enc(&p, e, 1);
+ *pbytes = nil;
	if(err == ASN_OK) {
		ans = newbytes(p-&uc);
		p = ans->data;
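Review bot: placing `*pbytes = nil;` after the enc() call changes encode()'s contract so that a failed encode leaves the caller's Bytes pointer nil instead of untouched, and the new asn1encodeRSApubSPKI below depends on exactly that when it tests `if(b == nil)` on a `b` it never initialised; these two hunks must land together, and a one-line comment here stating that encode() always sets `*pbytes` would keep the next reader from removing it. Initialising before the enc() call would also make the guarantee hold regardless of how enc() reports errors.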
@@ -2900,6 +2901,32 @@
	}
	memmove(buf, b->data, len = b->len);
	freebytes(b);
+ return len;
+}
+
+int
+asn1encodeRSApubSPKI(RSApub *pk, uchar *buf, int len)
+{
+ Bytes *b, *k;
+ Elem e;
+
+ k = encode_rsapubkey(pk);
+ if(k == nil)
+ return -1;
+ e = mkseq(
+ mkel(mkalg(ALG_rsaEncryption),
+ mkel(mkbits(k->data, k->len),
+ nil)));
+ encode(e, &b);
+ freebytes(k);
+ if(b == nil)
+ return -1;
+ if(b->len > len){
+ freebytes(b);
+ werrstr("buffer too small");
+ return -1;
+ }
+ memmove(buf, b->data, len = b->len);
	return len;
 }
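Review bot: `b` is leaked on the success path of asn1encodeRSApubSPKI: after `memmove(buf, b->data, len = b->len);` the function returns without `freebytes(b)`, whereas the function immediately above frees `b` before returning `len`; add the `freebytes(b);` before the return. The Elem tree `e` built by mkseq/mkel/mkalg/mkbits is likewise never released after encode(); check what the neighbouring encoders do with their element tree once the Bytes have been produced and do the same here.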



Thu Jun 23 12:18:27 EDT 2022

#!/bin/sh -e

if [ 0 -ne `id -u` ]; then
  echo "This script needs root access" >&2
  exit 1
fi

if ! [ -d "$1" ] || [ x-h = x"$*" ] || [ x--help = x"$*" ]; then
  echo "Usage: ${0##*/} <chroot_directory>" >&2
  exit 1
fi

if [ x1 = x`sysctl -ne kernel.grsecurity.chroot_deny_chmod` ]; then
  echo "Warning: can't suid/sgid inside chroot" >&2
fi
if [ x1 = x`sysctl -ne kernel.grsecurity.chroot_deny_mknod` ]; then
  echo "Warning: can't mknod inside chroot" >&2
fi
if [ x1 = x`sysctl -ne kernel.grsecurity.chroot_deny_mount` ]; then
  echo "Warning: can't mount inside chroot" >&2
fi
if [ x1 = x`sysctl -ne kernel.grsecurity.chroot_deny_chroot` ]; then
  echo "Warning: can't chroot inside chroot" >&2
fi

cd "$1"
if ! [ -d ./etc ]; then
  echo "No etc directory inside $1" >&2
  exit 1
fi
shift

MOUNTED=
umount_all() {
  case $MOUNTED in
  shm\ *) if [ -L ./dev/shm ]; then
	    umount ./`readlink ./dev/shm`
	  else
	    umount ./dev/shm
	  fi
	  MOUNTED=${MOUNTED#shm };;
  esac
  case $MOUNTED in
  run\ *) umount ./run
	  MOUNTED=${MOUNTED#run };;
  esac
  case $MOUNTED in
  tmp\ *) umount ./tmp
	  MOUNTED=${MOUNTED#tmp };;
  esac
  case $MOUNTED in
  proc\ *) umount ./proc
	  MOUNTED=${MOUNTED#proc };;
  esac
  case $MOUNTED in
  sys\ *) umount ./sys
	  MOUNTED=${MOUNTED#sys };;
  esac
  case $MOUNTED in
  pts\ *) umount ./dev/pts
	  MOUNTED=${MOUNTED#pts };;
  esac
  case $MOUNTED in
  dev\ *) umount ./dev
	  MOUNTED=${MOUNTED#dev };;
  esac
}
trap 'umount_all' EXIT

#mkdir -p ./etc ./dev/pts ./sys ./proc ./tmp ./run ./boot ./root

cp -iL /etc/resolv.conf ./etc/ || true # if ^C, will cancel script

mount --bind /dev ./dev
MOUNTED="dev $MOUNTED"

mount -t devpts devpts ./dev/pts -o nosuid,noexec
MOUNTED="pts $MOUNTED"

mount -t sysfs sys ./sys -o nosuid,nodev,noexec,ro
MOUNTED="sys $MOUNTED"

mount -t proc proc ./proc -o nosuid,nodev,noexec
MOUNTED="proc $MOUNTED"

mount -t tmpfs tmp ./tmp -o mode=1777,nosuid,nodev,strictatime
MOUNTED="tmp $MOUNTED"
mount -t tmpfs run ./run -o mode=0755,nosuid,nodev
MOUNTED="run $MOUNTED"
if [ -L ./dev/shm ]; then
  mkdir -p ./`readlink ./dev/shm`
  mount -t tmpfs shm ./`readlink ./dev/shm` -o mode=1777,nosuid,nodev
else
  #mkdir -p ./dev/shm
  mount -t tmpfs shm ./dev/shm -o mode=1777,nosuid,nodev
fi
MOUNTED="shm $MOUNTED"

case $1 in
  -l) shift;;
  -l*) one=${1#-l}; shift; set -- -"$one" "$@";;
esac
chroot . /usr/bin/env -i SHELL=/bin/sh HOME=/root TERM="$TERM" \
  PATH=/usr/sbin:/usr/bin:/sbin:/bin PS1='chroot # ' /bin/sh -l "$@"

# FIXME
# are USER and LOGNAME set automatically?
# perhaps: source /etc/profile && export PS1="chroot $PS1"


Wed Jun 22 10:03:28 EDT 2022
whooo

Tue Jun 21 21:33:47 EDT 2022
From: Rob Pike <robpike@gmail.com>
Date: Wed, 22 Jun 2022 10:48:24 +1000
To: Larry McVoy <lm@mcvoy.com>
Message-ID-Hash: ZXR47ZRDY6USYRJ6DNBIMD2ENJMU2INP
CC: The Eunuchs Hysterical Society <tuhs@tuhs.org>
Subject: [TUHS] Re: forgotten versions
Archived-At:
<https://www.tuhs.org/mailman3/hyperkitty/list/tuhs@tuhs.org/message/ZXR47ZRDY6USYRJ6DNBIMD2ENJMU2INP/>

Plan 9 used Datakit as its network for quite a while.  The Gnot terminals
had an INCON interface, a megabit (approximately) twisted pair adjunct to
Datakit.  I had an INCON link running over a T-1 link to my house - great
excitement back in the day.  (The kernel downloaded over the line and booted
the machine up to the window system - there was no local disk - from power
up, in 7 seconds.) NJ Bell needed to install a new nitrogen-pressurized
26-pair cable, supported by a new telephone pole, to set it up, because I
had already used up all available pairs on the existing line to my house.
All included at no extra cost.  (You pay for the service, not its
construction.)

When the internet became unavoidable, we used Plan 9's import mechanism to
import the single external TCP/IP interface from our gateway machine, over
Datakit, to the Gnots.  We did the same, but importing now over IL (an
ethernet protocol built by Phil Winterbottom) when our terminals became PCs.

That's how I remember it, at least, but I might have got some details
wrong.  I think much of this is covered in
http://doc.cat-v.org/plan_9/4th_edition/papers/net/

-rob


On Wed, Jun 22, 2022 at 10:13 AM Larry McVoy <lm@mcvoy.com> wrote:

> On Tue, Jun 21, 2022 at 05:56:02PM -0600, Jacob Moody wrote:
> > I recently stumbled across the existence of datakit
> > when going through the plan9foundation source archives.
> > Would be curious to hear more about its involvement
> > with plan9.
>
> Pretty sure datakit predated Plan 9, didn't Greg Chesson work on that?
> He was my mentor at SGI, my memory is datakit was sort of early on in
> his career and then he did XTP, which nobody knows about but I believe
> is still used by the military.
>
> Unless the early Bell Labs datakit and the Plan 9 datakit are different
> things.
>




Tue Jun 21 10:26:16 EDT 2022
#include <u.h>
#include <libc.h>
#include <draw.h>
#include <geometry.h>

/* Compound-literal initialisation of a geometry(2) Space: a transform
   matrix, its inverse, and the link to the enclosing space (nil here).
   Both matrices are filled with a dummy value just to exercise the syntax. */
void
main(int argc, char** argv)
{
	Space q = (Space){
		(Matrix){{1.1,1.1,1.1,1.1},{1.1,1.1,1.1,1.1},{1.1,1.1,1.1,1.1},{1.1,1.1,1.1,1.1}},
		(Matrix){{1.1,1.1,1.1,1.1},{1.1,1.1,1.1,1.1},{1.1,1.1,1.1,1.1},{1.1,1.1,1.1,1.1}},
		nil
	};

	print("%g\n", q.t[0][0]);
	exits(nil);
}


Mon Jun 20 23:31:48 EDT 2022
    0:d=0 hl=4 l= 605 cons: SEQUENCE
    4:d=1 hl=2 l= 1 prim: INTEGER :00
    7:d=1 hl=3 l= 129 prim: INTEGER
    :CDFCD15D3BE59A4AC24C856EEF14323A8D5D66E9F75D794DEC5C50CDE8C0FC3B5F00C0C2497D4C7DDF274337CBDF720F928499B22433731C8C720D34C86E97D6ECF701C926D792BB169C607D508D3D780EB4374D83C1EF435FCFE6C85E8BA31520D123456FF885615D481A46713546E38241AC7A8E1D2119A06DF4B9669BF1AF
  139:d=1 hl=2 l= 3 prim: INTEGER :010001
  144:d=1 hl=3 l= 128 prim: INTEGER
  :3CAFBB4EE892A07E5DF80567C57001CC5651AA3C4BF072088F163388368684C9491803B239CC7C78A901FC3FB804C0A9EDD4BB234C9F0BCEE161C89A4062B4C0CA080484CFACC1CC4A81B8D29E91FFA8531A45581755101D66DB821447AD6A0F7FC1C620AA4473B3B28F6718604672D6A634DA5369369C81E6E6556C0A8EF4A1
  275:d=1 hl=2 l= 65 prim: INTEGER
  :E6A4A3E32596B3A50A35377E3A5CE6E8516C5F5B34DC2BAC769890806FFFF4E0A85EBA49D07773C7BC112BE7689E563D561CD30B0BA78BDDC92B70F622A7040D
  342:d=1 hl=2 l= 65 prim: INTEGER
  :E4A241B9D2FC6FCE05DA5C6F94FCC231169C3760D2FE0FB710580C167ADA92D3A8521637483F2C53E9683B53F5242F1C1BC34204628EF6C2222462F4A42CF1AB
  409:d=1 hl=2 l= 65 prim: INTEGER
  :D025DB85DE617004CCFE93F346269B79242A82B0243762EEC525109BE8F7FCFE56D50E98191C04904828D30F877A05E85AF3AE7EB468E3B027A21DD2F418F86D
  476:d=1 hl=2 l= 64 prim: INTEGER
  :53FEDC60B587B257A144D8C2D19C8E8754442E002F63D1483303F5E4E85B96A795E61A6D52E88A9385639AB03C967F8C3712E41512546D8962DBB5532561B1A3
  542:d=1 hl=2 l= 65 prim: INTEGER
  :B15023D52DF343D6D85265E83FF70C1B2A527F84312623F77485184C40B87A3576D2689EA9EFD568F3B80EEF96E05347A18A286B5065CC81DC7352574CA43CBD
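The listing above is `openssl asn1parse` output over a PKCS#1 RSAPrivateKey: one SEQUENCE holding nine INTEGERs (version, n, e, d, p, q, dp, dq, qinv), with the long-form length `hl=4 l= 605` on the outer element. The following added Python example, which is not OpenSSL code, walks DER the same way and labels those nine fields; it also rejects the two malformations a lenient parser lets through, non-minimal length encodings and elements that overrun their parent. The key bytes it carries are a constructed toy key (p=11, q=5), not the key from the listing.

```python
"""Minimal DER walker producing asn1parse-style rows, added here as an
example; it is not OpenSSL code. The key bytes below are a constructed toy
RSAPrivateKey (p=11, q=5), not the key from the listing above."""

from typing import Dict, List, Tuple

# Universal tag numbers that appear in an RSA key dump (subset of X.680).
TAG_NAMES = {0x02: "INTEGER", 0x03: "BIT STRING", 0x04: "OCTET STRING",
             0x05: "NULL", 0x06: "OBJECT", 0x10: "SEQUENCE", 0x11: "SET"}

# PKCS#1 RSAPrivateKey field order: the nine INTEGERs in the SEQUENCE above.
RSA_PRIVATE_FIELDS = ["version", "n", "e", "d", "p", "q", "dp", "dq", "qinv"]

# Constructed sample: SEQUENCE of nine single-byte INTEGERs
# (version 0, n 55, e 3, d 27, p 11, q 5, dp 7, dq 3, qinv 9).
SAMPLE_RSA_PRIV = bytes.fromhex(
    "301b" "020100" "020137" "020103" "02011b" "02010b"
    "020105" "020107" "020103" "020109")

Row = Tuple[int, int, int, int, str]   # (offset, depth, hl, l, "prim: NAME")


def read_tlv(data: bytes, off: int) -> Tuple[int, bool, int, int]:
    """Decode one tag and length at data[off:], enforcing DER's minimal
    length encoding. Returns (tag_number, constructed, header_len, content_len)."""
    tag = data[off]
    if tag & 0x1F == 0x1F:
        raise ValueError("high tag numbers not supported")
    constructed = bool(tag & 0x20)
    first = data[off + 1]
    if first < 0x80:                          # short form: hl=2
        return tag & 0x1F, constructed, 2, first
    nbytes = first & 0x7F
    if nbytes == 0 or nbytes > 4:
        raise ValueError("indefinite or oversized length is not DER")
    lenbytes = data[off + 2:off + 2 + nbytes]
    if len(lenbytes) != nbytes:
        raise IndexError("truncated length field")
    length = int.from_bytes(lenbytes, "big")
    if length < 0x80 or (nbytes > 1 and length < 1 << (8 * (nbytes - 1))):
        raise ValueError("non-minimal length encoding is not DER")
    return tag & 0x1F, constructed, 2 + nbytes, length


def asn1parse(data: bytes) -> List[Row]:
    """Walk a DER blob the way `openssl asn1parse` lists it: one row per
    element with its offset, nesting depth, header length and content length."""
    rows: List[Row] = []

    def walk(start: int, end: int, depth: int) -> None:
        off = start
        while off < end:
            tagno, cons, hl, ln = read_tlv(data, off)
            if off + hl + ln > end:
                raise ValueError(f"element at offset {off} overruns its parent")
            kind = ("cons: " if cons else "prim: ") + TAG_NAMES.get(tagno, f"tag {tagno}")
            rows.append((off, depth, hl, ln, kind))
            if cons:                          # descend into SEQUENCE/SET contents
                walk(off + hl, off + hl + ln, depth + 1)
            off += hl + ln

    walk(0, len(data), 0)
    return rows


def is_valid_der(data: bytes) -> bool:
    """True if the blob parses as a well-formed DER tree (no truncation,
    no overruns, minimal lengths)."""
    try:
        asn1parse(data)
        return True
    except (ValueError, IndexError):
        return False


def label_rsa_private_key(data: bytes) -> Dict[str, int]:
    """Name the INTEGERs of a PKCS#1 RSAPrivateKey as in the listing above."""
    rows = asn1parse(data)
    if not rows or rows[0][4] != "cons: SEQUENCE":
        raise ValueError("not a SEQUENCE")
    ints = [r for r in rows[1:] if r[1] == 1 and r[4] == "prim: INTEGER"]
    if len(ints) < len(RSA_PRIVATE_FIELDS):
        raise ValueError("too few INTEGERs for an RSAPrivateKey")
    return {name: int.from_bytes(data[off + hl:off + hl + ln], "big", signed=True)
            for name, (off, _, hl, ln, _) in zip(RSA_PRIVATE_FIELDS, ints)}
```

The overrun check in `walk` is what catches a length field that claims more bytes than the enclosing SEQUENCE supplies, and the minimal-length check is what makes the same key have exactly one encoding, which matters whenever DER bytes are hashed or compared, for example when a fingerprint is computed over a key or when a signature covers a tbs structure.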


Mon Jun 20 21:25:04 EDT 2022

     SRV(3) SRV(3)

     NAME
	  srv - server registry

     SYNOPSIS
	  bind #s /srv

	  #s/clone
	  #s/n
	  #s/service1
	  #s/service2
	   ...

     DESCRIPTION
	  The srv device provides a tree of directories holding
	  already-open channels to services.  In effect, srv is a
	  bulletin board on which processes may post open file
	  descriptors to make them available to other processes.

	  To install a channel, create a new file such as /srv/myserv
	  and then write a text string (suitable for strtoul; see
	  atof(2)) giving the file descriptor number of an open file.
	  Any process may then open /srv/myserv to acquire another
	  reference to the open file that was registered.

	  An entry in srv holds a reference to the associated file
	  even if no process has the file open.  Removing the file
	  from /srv releases that reference.

	  It is an error to write more than one number into a server
	  file, or to create a file with a name that is already being
	  used.

	  Opening the clone file allocates a new service directory.
	  Reading clone returns the id of the new directory.  This new
	  service directory can then be accessed at /srv/id.
	  Directories are recursable; each new service directory
	  contains its own clone file.

     EXAMPLE
	  To drop one end of a pipe into /srv, that is, to create a
	  named pipe:

	       int fd, p[2];
	       char buf[32];

	       pipe(p);
	       fd = create("/srv/namedpipe", OWRITE, 0666);
	       fprint(fd, "%d", p[0]);
	       close(fd);
	       close(p[0]);
	       fprint(p[1], "hello");

	  At this point, any process may open and read /srv/namedpipe
	  to receive the hello string.  Data written to /srv/namedpipe
	  can be received by executing

	       read(p[1], buf, sizeof buf);

	  in the above process.

     SOURCE
	  /sys/src/9/port/devsrv.c


