norbert's weblog

norbert's random stuffs...

OpenBSD and CDDL

Posted by Norbert on Wed Feb 23 12:33 PHT 2005
From the "they called it bsd, and open because its always free!" section

I was following the recent thread on the OpenBSD mailing list. Someone is arguing that the CDDL license is compatible with the BSD license, and therefore compatible with OpenBSD's policy. I have read both licenses and I can personally say that CDDL is not compatible with OpenBSD's policy. You may argue with my conclusion, but I encourage you to read both licenses and OpenBSD's policy.

If you really want your good software to be included in the OpenBSD base, simply use the OpenBSD license template. It's simple and short. Any human (lawyer or not) can understand it.

Few Fixes on Pirated Windows

Posted by Norbert on Tue Feb 22 03:54 PHT 2005
From the "misc. news" section

Pirated Windows copies to get fewer fixes. From http://www.msnbc.msn.com/id/6868504/.

Microsoft Corp. plans to severely curtail the ways in which people running pirated copies of its dominant Windows operating system can receive software updates, including security fixes.

The new authentication system, announced Tuesday and due to arrive by midyear, will still allow people with pirated copies of Windows to obtain security fixes, but their options will be limited. The move allows Microsoft to use one of its sharpest weapons -- access to security patches that can prevent viruses, worms and other crippling attacks -- to thwart a costly and meddlesome piracy problem.

Weblog Layout

Posted by Norbert on Sun Feb 20 17:15 PHT 2005
From the "i shamelessly ripped the openbsd journal layout" section

Since my weblog's layout is based on OpenBSD Journal, I recently asked Daniel Hartmeier's permission to use the layout, and he was generous enough to allow me to use it :-)

Thanks Daniel!

MAX_KMAPENT in OpenBSD

Posted by Norbert on Sun Feb 20 02:16 PHT 2005
From the "they called it bsd, and open because its always free!" section

A notable change in the OpenBSD-current tree.

--- Forwarded message from Henning Brauer ---
CVSROOT:        /cvs
Module name:    src
Changes by:     henning@cvs.openbsd.org 2005/02/19 10:58:03

Modified files:
sys/uvm:        uvm_map.h 

Log message:
double default MAX_KMAPENT to 2000, theo ok
everybody please update your trees and test this, we need to find out
whether there is bad side-effects from the doubling. If this does not get
enough testing by our user community we will play safe and revert this for
the 3.7 release, so please test.
it needs testing on all architectures, and especially on machines that
-now sometimes crash with the panic("uvm_mapent_alloc: out of static map entries, "
-that have little RAM

There will be snapshots up with this change soon - this is of course 
the preferred way of testing.
Applying the diff manually is useless, especially it is absolutely
useless to test a 3.6-stable or something like that with this diff 
applied, there were more changes in that area. Don't even bother, ok?

this is very important, so test test test!


The new snapshots will be available soon. As Henning stated in the log message, the preferred way to test this thing is to use the upcoming snapshots. For those who are tracking the -current tree, let's help by testing and reporting possible issues that may arise. Our feedback may be the basis for deciding whether the MAX_KMAPENT change will be included in the upcoming 3.7 release or not.

I'm going to test this on Monday; my -current box is at the office.

New Layout

Posted by Norbert on Sat Feb 19 08:49 PHT 2005
From the "shamelessly ripped the openbsd journal layout" section

A new layout for my weblog. This new layout is heavily based on the OpenBSD Journal website.

PhilBSD BoF

Posted by Norbert on Sat Feb 19 08:46 PHT 2005
From the "events to attend" section

The Philippine BSD Group will be hosting a BoF meeting this afternoon at Room 117, Palma Hall, University of the Philippines, Diliman. We will be discussing BSD-related topics.

I will discuss how to set up a VPN in a WLAN environment, and also how to set up a wireless authenticating gateway using OpenBSD as the access point.

The BoF is open to all who would like to attend. If you're interested, feel free to join us.

SHA-1 Collision

Posted by Norbert on Wed Feb 16 23:58 PHT 2005
From the "catching up on security issues" section

From Bruce Schneier's blog:

SHA-1 has been broken. Not a reduced-round version. Not a simplified version. The real thing.

The research team of Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu (mostly from Shandong University in China) have been quietly circulating a paper describing their results:

  • collisions in the full SHA-1 in 2**69 hash operations, much less than the brute-force attack of 2**80 operations based on the hash length.
  • collisions in SHA-0 in 2**39 operations.
  • collisions in 58-round SHA-1 in 2**33 operations.

This attack builds on previous attacks on SHA-0 and SHA-1, and is a major, major cryptanalytic result. It pretty much puts a bullet into SHA-1 as a hash function for digital signatures (although it doesn't affect applications such as HMAC where collisions aren't important).

Looks like another collision attack. First, it's the MD5 hash, now it's SHA-1. By the way, SHA-1 is a US standard hash function described in RFC 3174.
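Where the 2**80 brute-force figure in the quote comes from, as an added example that is not part of the original post or of the researchers' paper: a generic birthday search finds a collision in an n-bit hash after roughly 2**(n/2) trials, shown here on SHA-1 truncated to a few bits. The function names and the counter-based messages are constructed for illustration; this is not the Wang/Yin/Yu attack, which does better than the generic bound on the full 160 bits.

```python
import hashlib

def truncated_sha1(message, bits):
    """Return the top `bits` bits of SHA-1(message) as an integer."""
    value = int.from_bytes(hashlib.sha1(message).digest(), "big")
    return value >> (160 - bits)

def birthday_collision(bits):
    """Generic birthday search on a `bits`-bit truncation of SHA-1.

    Returns (m1, m2, trials): two distinct constructed messages whose
    truncated digests are equal, and the number of hashes computed.
    """
    seen = {}            # truncated digest -> first message that produced it
    counter = 0
    while True:
        message = b"msg-%d" % counter      # constructed sample input
        tag = truncated_sha1(message, bits)
        counter += 1
        if tag in seen:
            return seen[tag], message, counter
        seen[tag] = message

def report(bits):
    """Compare the work actually needed with the 2**(bits/2) birthday estimate."""
    m1, m2, trials = birthday_collision(bits)
    return {"bits": bits, "trials": trials,
            "birthday_estimate": 2 ** (bits // 2), "m1": m1, "m2": m2}

if __name__ == "__main__":
    for bits in (16, 24, 32):
        r = report(bits)
        print("%2d bits: collision after %d hashes (estimate 2**%d = %d)"
              % (bits, r["trials"], bits // 2, r["birthday_estimate"]))
    # Scaled to the full 160-bit output the same search costs about 2**80,
    # which is the baseline the quoted 2**69 result is measured against.
```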

Bloody Valentine

Posted by Norbert on Mon Feb 14 23:50 PHT 2005
From the "i'm totally freaked out" section

I just saw the report about the simultaneous bombings in Makati, Davao, and General Santos. What a terrifying day!!! Many innocent people died for nothing. A Valentine's Day full of blood.

I strongly condemn those actions! Whoever did those things should be punished!

What's happening here in the Philippines huh?

Warty Warthog Install

Posted by Norbert on Thu Feb 3 15:23 PHT 2005
From the "lin-lin-lin-linux" section

I received multiple copies of the Ubuntu "Warty Warthog" Linux CD last month. I gave my officemate a copy of the CD. He decided to give Ubuntu a try as a desktop and he asked me to assist him with the installation.

The Ubuntu installer works like the new Debian installer. It's easy and painless. My officemate successfully installed and configured his Ubuntu machine. Since Debian's apt and dpkg are also available in Ubuntu, I also taught him how to manage and configure binary packages using the apt tools (like apt-get and apt-cache).

I can see that he was very satisfied with his first Linux install experience. He said he'll try to upgrade to the "Hoary Hedgehog" branch later.

I still have a few copies of Ubuntu "Warty Warthog" CDs. If you would like to receive a copy, you can email me, or you can just request online at:

http://shipit.ubuntulinux.org

NetBSD veriexec

Posted by Norbert on Tue Feb 1 04:15 PHT 2005
From the "of course, it runs netbsd!" section

Just finished configuring my NetBSD box...

NetBSD 2.0 has a new feature called veriexec (or verified executables). Veriexec adds functionality that allows the kernel to check the integrity of the executables installed in the system (via cryptographic hashes) before they are run (or read). With this feature, it will be very hard for a common attacker to run trojaned executables on the system.

Of course, veriexec is not flawless. It may contain bugs that can be used to bypass the protection it offers. But still, veriexec can make your system more resilient to common attacks.
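The idea behind the check, sketched in userland as an added example (not NetBSD's code or its veriexec configuration format): fingerprints are recorded while files are known to be good, and a file that is run (the interpreter) or read (the script) is refused if it is unlisted or no longer matches. The manifest layout, function names, SHA-256 choice and sample scripts are all assumptions made for illustration.

```python
import hashlib, os, subprocess, sys, tempfile

def fingerprint(path):
    """SHA-256 of a file's contents, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(paths):
    """Hypothetical manifest: resolved path -> fingerprint taken at a trusted time."""
    return {os.path.realpath(p): fingerprint(p) for p in paths}

def check(manifest, path):
    """Return the resolved path, or raise PermissionError if it cannot be trusted."""
    real = os.path.realpath(path)
    if real not in manifest:
        raise PermissionError("no fingerprint on record")
    if fingerprint(real) != manifest[real]:
        raise PermissionError("fingerprint mismatch")
    return real

def verified_run(manifest, interpreter, script):
    """Check the file that is run and the file that is read, then execute."""
    # A userland check like this can race with a later modification of the
    # file; checking inside the kernel at exec time is what closes that gap.
    cmd = [check(manifest, interpreter), check(manifest, script)]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout.strip()

def demo():
    """Constructed scenario: a listed script, the same script tampered, an unlisted one."""
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        script, other = os.path.join(tmp, "tool.py"), os.path.join(tmp, "other.py")
        for path in (script, other):
            with open(path, "w") as fh:
                fh.write('print("original tool")\n')
        manifest = build_manifest([sys.executable, script])  # other.py stays unlisted
        results.append(verified_run(manifest, sys.executable, script))
        with open(script, "a") as fh:                        # simulate a trojaned copy
            fh.write('print("unexpected extra code")\n')
        for target in (script, other):
            try:
                results.append(verified_run(manifest, sys.executable, target))
            except PermissionError as err:
                results.append("refused: " + str(err))
    return results
```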


The contents of this weblog are presented without warranty of any kind. This server is powered by Apache and OpenBSD.