Older blog entries for grey (starting at number 5)

Needed to get some ideas down... moving again and again has really screwed things up for my home computing life - so this is it for now; no time or motivation to bitch at megapath for fucking up; no time or space to unpack and plug things in. On the other hand moving has been a blessing as I've simplified, all my crap is in boxes. That and I've actually started to solidify my notions of what I -need- to be fucking doing, beyond realizing that I can't keep postponing shit because I'm not going to be really settled, I've been _doing_ things because I can no longer wait to get settled. One major annoyance is that I'm going to need to figure out the best way to rectify that for programming, because the laptop I was using from work I'm giving up in a week because I'm getting a new one and my current one is shifting down. While I'm getting the hang of minimizing, simplified and solidifying, I've realized that a few things need to be stable. Ergo, I -need- a personal machine that I can use at any time and keep with me. A laptop is going to cost me a bit which I'm pissed about, and I'm also pissed about the timing because I would like to wait for an amd64 thinkpad or something spiff. This means that for a month or two at the least I'm going to be sitting on my hands as far as actually having a personal laptop, and I'll be dealing with cumbersome crap like writing stuff on my soekris, or within VMWare or other bullshit like that, and I hate that.

Anyway, baguazhang is going really well - it's so refreshing to be _doing_ something that I'm unfamiliar with, screwing up, correcting mistakes, and progressing. Having it twice a week helps too as it -happens- I can't shrug it off because my mood isn't quite right. The philosophical parallels between the martial end of computing (sec/hack/whateverthefuck) are nice to think about too as I have moments to contemplate (usually when driving).

On the programming front, I picked up K&R used and already it's a bit of a relief from pcp - I like the emphasis of a small book fitting a small language; some of the tomes out there just seem like total overkill. Not to mention, where I'm at - I need to work on small things. I'm trying not to get distracted, notions of trying to build everything from the ground up (e.g. try piecing together an assembler, then maybe a compiler, etc.). Anyway - that's starting at a level that I'm not ready to tackle, so just like martial arts I'm trying to follow someone else's example first (doing book exercises) and then as I become more comfortable move to the next step. After the external stuff gets good the internal bits begin to follow a little more, and so the inversion of starting with the abstractions and then moving over time to the minutia of the experienced might pan out.

Then again, I'm just talking out of my ass, as I'm a beginner in both respects.

That said - I have a few ideas I've been meaning to write down. The recursive/emulationOS notion has been invading my thoughts more and more and feels like something that's worth pursuing. I'm going to start with a bootloader, whether through modifying bits of other people's or writing one from scratch, probably both.

Some thoughts about what I want to do...

. Bootloader portion... have some stuff from the get go, spit stuff to the serial port for one; option to encrypt the disks as another; on the serial port end - maybe even intercept portions of video signals to mimick a realweasel or cyclades card in software [no BIOS, but it could get you somewhere].

For the OS portion - start with just an x86 emulator running off the bootloader... it'll evolve from there, broken down, done again and so on undoubtedly if it progresses. There's going to need to be some real thought put into how to abstract things - video cards, NICs, hdd's, fuck - everything hardware might benefit from an abstraction. This can provide some real benefits just thinking about the hdd, for one you could allow the hdd to store images for the emulation portion, or you could use the bootloader portion and just boot it directly [perhaps with some lite residual disk interpretation, e.g. some of the crypto hardware bits]. I almost wonder sometimes if the goal wouldn't be even better realized within hardware altogether. Maybe long term future that would be ideal [emplant, hardware designed for the OS, comes to mind bleh] Regardless, software will need to come first. Some kind of inspiration from scitech's SPAN and kgi/ggi (which I just heard about this week thanks to todd) is likely to be of use - but don't just do it for video cards - do it for everything. Not only will this help from an emulation standpoint, but it will help longer term as it hopefully evolves into an OS.

plan9 research has been pretty intriguing... need to read more about TRON and mach too. My hope is to take best practices across disciplines and merge them together - I hope it will be very small and fast. The licensing needs to be as liberal as possible, public domain if possible; though I know if others are going to contribute BSD/MIT for credit might be necessary at a minimum - I'd rather leave that to those contributors. I'd rather avoid anything more restrictive [e.g. gpl]. I just don't see how there's any hope of a wholely new platform/OS competing with previous OS's if compared against its competition:

A. it costs more [so it must be $0]

B. it's with a more restrictive license [so it must be PD].

C. it doesn't run what you already have [so it must have a complete emulation component]

D. It doesn't do things *natively* better than what you were used to before [so it must be more secure, more stable, more reliable and much faster].

The A-D in brackets are basically the design criteria in my mind for any new OS that even hopes to compete in the future, we already have to deal with the non-bracketed portions and it fucking sucks computing has become fucking entrenched in its own installed user base morass. It's like the phone system, a complete piece of shit compared to what you can do today - but we're still dealing with it. The only way we can junk the old is by ensuring compatibility with the old, but the ultimate appeal is by offering something that you just can't get with the old. The internet did this - let you communicate with others, in ways you couldn't before. Sadly, it's now at critical mass, and changing it is going to suck fucking eggs. Oh, and did I mention that TCP/IP needs to go away? It's an irony, your ideas finally get widespread usage, but 30 years after they were originally envisioned, and in those 30 years lots of ways of doing the same thing a lot better have occurred, but you can't just supplant the whole thing... or can you? With the right planning at the onset, perhaps you can make it simple enough to be flexible enough to endure time... there's a mystery there somewhere... maybe I'm wrong about the failings of the past in some respects. I will say that _some_ things they nailed perfectly; other things are getting severely fucked though. It's like many people's feelings about the political and corporate state of affairs - the mechanisms have been abused, and the people are suffering while fuckwits benefit. You're disenfranchised, you feel like the mechanisms in place to fix things aren't working - and you're right. So, what do you do? You need to break out, do you OWN thing. Then you will see the others who are in the same state and you can collect together, and together you might have some hope in time of effecting the change you wish to see. Perhaps the movement becomes a kindling for the masses and revolution occurs, the cycle goes on. Sadly, the revolutions really evolve very little - but sticking to your own things, and realizing your own ideals will be more satisfying, you can lead your life & hopefully those of your family, friends and colleagues in a manner that is satisfying, despite the turmoil and bullshit that the world is facing. Perhaps you can help to push back the worst of the tyrants a little... improving things a bit, or at least preventing the worst. You still need to be aware of the others, protect life & justice, work towards preventing our own extinction because if we can keep on long enough - we can rise up above our bacterial blooming and not kill ourselves off.

Wow I wandered... anyway I really think a new paradigm needs to occur - Winshit and Unix are crap and ancient respectively, and they're the only things really running right now (linux, OSX in the unix camp). My fucking Amiga was a more usable machine than anything made in the past ten years practically and that's complete bullshit.

It needs to be effortless.

It will be.

I swear, this is starting to turn into a string of diary entries all about ssh. (Although, I must admit that I only came back here to check on some previous writing related to that same topic). Thanks for certifying me jolan! (It scares me that people are reading this and actually acting on it; then again I only got motivated to rediscover my password after jolan mentioned the site months back).

OK - so current status, and what I wanted to post on. A FRIGGING SCPONLY SHELL ALREADY EXISTS! Don't get me wrong, I think this is AWESOME!!! I do find it weird that it's actually _called_ scponly too.

URL is: http://www.sublimation.org/scponly/

Moreover, this guy has been cranking at it for a while and not only has sftp going, but also has WinSCP support & chroot abilities. As tet would say, tres cool. And check it out, there's even another similar project:

http://pizzashack.org/rssh/

rssh explicitly states no BSD support [tell me how braindead that seems when it's meant to work with OpenSSH that was designed primarily on and for a BSD], but I guess it can be cobbled together to work. Not sure if the "real" scponly works, I've only downloaded and started poking so far [license is _almost_ BSD, but not - it'd be really nice if people stuck to standard license paradigms y'know?].

Anyway very exciting, I am going to have to play around with this a bit.

Blurted out my previous stuff in front of some others, and learned that I'm not in a vaccuum as jolan had already read my previous paper-jot, pedro seemed to think I should try to formalize it a bit as it sounds like an interesting idea. So, I'll do just that [which is one of the reasons I came back here].

Nice to see that one of the pieces might be a bit better fulfilled than I had conceived already though, and heck I didn't even lift a finger. I just wonder why the hell I never found it before [I swear that in my extensive googling in the past I must have tried scponly before]. Seriously, scponly, plus resume, plus maybe some more advanced file perms thingy would be super neato. Astalabyebye to FTP clingers-on for just a couple of features.

On a different note - there was a time [long ago] when I felt frustrated because I didn't have many interesting ideas to work on. Now that I seem to be having a few, I find it substantially more frustrating to have interesting ideas, and not be able to implement them. But hey, I'm working on it - now up to chapter 4 exercises in pcp; oh and pakuachang begins next week r0^r!!

Despite my best intentions, this might temporarily be a place for me to just get down some ideas short version of why is due to another imminent move; moving makes it hard to get one's network set up. Yet another reason for why I really need to do a colo somewhere decent. Of course that requires time & money to get organized with - and I will have neither until after the move. That said.

I had another brainstorm on scp&sftp resume support this morning. One pain in the ass problem with ftpd's & resume is that you need to give people overwrite permissions - but if this is say, an anonymous upload dropsite, you don't want some dick overwriting all your files. Since SCP/SFTP have a key exchange at the beginning though - and since everyone will have a different public key, then even though account-wise they'll all be anonymous, you _can_ actually distinguish between people who should be able to "overwrite" (really, resume) their files, and people who are just trying to be malicious and fuck with other people's stuff. So, if there's a match on the public key received, you say - "oh yeah, please finish uploading that file that got screwed," and if it's not you say - "sorry, you're not the droid we're looking for, try resuming your own files." I realize that this is a bit in the face of p2p crap - but I'm trying to think of security first; if this idea ever gets further than the idea stage, that would merely be default behaviour - a site admin could always override it allowing people to overwrite anyone's files, or you should be able to have granularity to do it file-by-file. One thing (might already be there for scp) is to do like a sha-1 of a file before xfer, and then have the remote end sha-1 it after completion to improve the likelihood of file integrity too. That's an older idea, and could maybe be done in other ways.

Some hangups - I spoke briefly with Niels the other day about resume support - and he said that theo had some gripe about adding it (some BS about malicious jazz - but hey, the ftp stuff in OpenBSD support resume, why should scp be so different in that functionality I wonder? Need to hear more details). Niels was going to bring it up again with markus, but I get the feeling that it might not happen. Or, if it does, not in an official OpenSSH branch (for now at least). Still really disheartening to see effects of the fallout even now, even though I'm just a user.

Meanwhile, this is really just a wishlist. I'm getting back into programming, but it's been ... like 9-10 years. My biggest frustration right now is that I have a -lot- of ideas, but no skills to actually know how to implement them. Still, I have to say that this year's CanSecWest & meeting jose & jsyn in person in particular was extremely inspirational. (Anecdotes at a later date perhaps).

--------------------------------------

Some other things I want to see out of SCP/SFTP server in the future:

- No need for a real shell [see earlier discussion]; ideally even have something like a chroot & fake 'accounts' akin to ftp4all - I don't want the users to have real access to the system at all, that way too you could have fs granularity like ftp4all that's beyond what the system sees, because it's handled more by .

- Resume support [discussed in greater detail above].

- Maybe intelligently set the dumpsite to a noexec partition, dunno if it would really help much; but something to peak into. Could also systrace everything to limit file creations strictly to a partition.

- Maybe _maybe_ put rate limiting support into the application [I know, this can be done in altq etc., but especially if this is aimed more at file xfers - you don't want it to interfere with your standard ssh or tunnelling priorities in all likelihood].

-------------------------------------------------------

Enough spew for now, I really need to get this stuff off advogato at a personal colo soonish.

Was at Networld+Interop last week. I am quite loathe towards trade shows. Highlight of the event was actually telling my idea for an inverse-KVM to Avocent & Startech. The fellows at the Startech booth eyes lit up and they said "That's a -really- good idea." Well, I knew that already - but hopefully they'll actually implement it.

My only hope is that if they do they'll offer up some sort of BSD licensed driver/software.

For those curious about what I'm talking about (not that I imagine many people are reading this). How many times have you wanted to plug into a headless machine but didn't want to lug around a monitor, keyboard and mouse? Note, if you are using a serial console this is a moot point (one reason why non-x86 stuff still has advantages in the server world for sure).

Anyway, you have a laptop, right? It's already got a video display, a keyboard and some kind of pointer (touchpad, trackpoint). Why not just use that? Long ago, I thought gee it'd be nice if a laptop just had an input mode [like the Fn-output key mode to display to a video projector]. That's not very universal though. Soooooo, better yet - make it a PCMCIA/Cardbus/Newcard/whatever card with a squid cable that extends to a VGA, PS/2 [or USB, or hell we could do other crap ass stuff like ADB or Sun]. Then you just interact with the headless machine using your laptop. So, inverse KVM is the best way of describing it.

It would be incredibly useful for any IT person, and I doubt it would even cost more than a few hundred. Pack in an option to have multiple different cable types [so you're not bound just to VGA/PS/2] and it would be super duper useful.

Like I said, the folks at the Startech booth actually seemed to -get- it, so hopefully they'll build it. As long as they kept me in the loop [just to let me know it had been made] maybe gave me some credit somewhere and released a BSD/MIT licensed driver I would be stoked.

2003-3-31 Finally posted the 2940UW to double-p. Unfortunately, I still have yet to find a new packing box for the us5 for henning (the one I used is too large to post internationally).

Jolan cleaned up a shell given to me from a classmate that might solve my anonymous scp hopes. Must check with the classmate to see if he'll let it go on a BSD license. More ideally would actually to find a way to write a replacement myself, since I could use the practice - and this shell will need some additional features to be useable with WinSCP [at the least, maybe Fugu would work better]. Also, my guess is that despite the similarities between scp & sftp - that sftp won't work with this workaround.

As far as whether this is actually secure... not sure. Ostensibly this could be bundled together with a stsh type doodad, thereby allowing for further locking with systrace. That might be the 'safest' way to try to get this to work, as it is a bit odd.

So, one more reason to try to write my own. Seems like I recall a friend in a class writing his own shells as an assignment long long ago, nowadays even google doesn't turn up resources [shell scripting != writing a shell].

Word, got my advogato password back after emailing raph; I created this account a while back and picked something I definitely wasn't going to remember (ah well).

I have fallen prey to my hardware donation addiction again, the marathon us5 firewall box I got for a $275 song I'm going to ship to henning as he can do more with a sparc64 development-wise than I can. At least this time it will be more straightforward than the nate & costa hardware donations, since I have the hardware in hand. Of course, afterwards I will no longer have any sparc64 arch of my own; but ebay seems to have some similar [if not better] items for about $300. Still, $600 or so in the hole after that to get me back to where I was before I offered this to henning. I keep telling myself to stop donating stuff to OpenBSD that I don't have for myself yet. Maybe someday.