Guus Bosman

software engineering manager


Switching from Firefox to Chrome

Today I switched from Firefox to Chrome.

I've been using Firefox since the mid-2000s, when it came out to replace the bulky Mozilla suite. It's with some nostalgia that I'm making the switch, but I've run into several bugs in Firefox that weren't getting resolved.

(While typing this, I did discover that Chrome does not have auto-recover for text areas, which is annoying, but thankfully there is a browser extension, Typio, that helps.)

The nail in the coffin was the release of Firefox Quantum last year, when they stopped supporting XUL plugins. I understand the rationale -- but it broke several important plugins, including all those for mass-password reset. In the six months since the switch there haven't been any new plugins written that allow me to change all my 100+ work logins at once.

Firefox also did not work when I was presenting something under WebEx. That might have been WebEx's problem -- but it's annoying enough since I screen-share at least once a day.

So here we are, in a brave new world.


Tech talk at Carnegie Mellon University in Pittsburgh

For our college recruitment I gave a tech talk at Carnegie Mellon University last week. It was fun talking with students. They were younger than I remember. It seems like my talk went over quite well, and at the end I gave them my three pieces of advice for looking for jobs:

1. Work where the firm makes its money.
2. Your supervisor is very important. When looking for a job, try to interview her/him as much as possible.
3. Do the hard things. In college: take the hard courses. At work: investigate the hard problems. Be the go-to person.

The next morning I went for a run downtown, crossing all three rivers. Pittsburgh is a beautiful city.

I drove to Pittsburgh from Arlington -- about 4 hours clean driving time.


WOOT 2015

Monday and Tuesday I attended WOOT, a series of presentations on computer security attacks. It is part of the USENIX Security 2015 conference.

Two years ago I attended the same conference, and like two years ago, TLS and Android were favorite topics.

The keynote session by Adam Langley on TLS v1.3 was quite interesting. He also spoke about his practical experiences in disclosing vulnerabilities, and how difficult it is to 'manage' that process. He tried several approaches, including telling a small group of trusted companies first, only to be criticized by those outside of the "nice list". Later he tried to expand that circle but then the information started leaking out. His main conclusion was that there's just no good, clean result you can expect.

I always like approaches like FLEXTLS. They created a framework that made it easy to test the state machine in TLS. That way, they were able to systematically test which implementations allow the skipping of important steps. It ended up getting a prize for the best paper at WOOT.
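To make the "skipping of important steps" concrete, here is an added toy model of what that kind of state-machine test does. It is constructed for this page and is not FLEXTLS code nor any real TLS stack: a strict client validator driven by an explicit transition table is compared with a lenient one that dispatches on message type alone, and every subsequence of a correct TLS 1.2 DHE server flow is fed to both to see which truncated handshakes each still accepts. The transition table, class names and the choice of DHE flow are assumptions for the illustration.

```python
"""Toy model of a FlexTLS-style state-machine test: feed a TLS client-side
message validator every subsequence of a correct handshake and see which
ones it still accepts. Constructed example; not FlexTLS's code and not any
real TLS stack. Message names are TLS 1.2 handshake types."""
from itertools import combinations

# Server-to-client flow of a DHE handshake as the client should expect it.
EXPECTED_FLOW = ["ServerHello", "Certificate", "ServerKeyExchange",
                 "ServerHelloDone", "ChangeCipherSpec", "Finished"]

# Explicit transition table: current state -> messages allowed next.
# CertificateRequest is optional; optional messages are exactly what tempts
# an implementation into not tracking state at all.
STRICT_TRANSITIONS = {
    "START": {"ServerHello"},
    "ServerHello": {"Certificate"},
    "Certificate": {"ServerKeyExchange"},
    "ServerKeyExchange": {"CertificateRequest", "ServerHelloDone"},
    "CertificateRequest": {"ServerHelloDone"},
    "ServerHelloDone": {"ChangeCipherSpec"},
    "ChangeCipherSpec": {"Finished"},
    "Finished": set(),
}


class StrictClient:
    """Accepts a message only if the table allows it from the current state."""

    def __init__(self):
        self.state = "START"

    def receive(self, msg):
        if msg not in STRICT_TRANSITIONS[self.state]:
            raise ValueError(f"unexpected {msg} in state {self.state}")
        self.state = msg

    def complete(self):
        return self.state == "Finished"


class LenientClient:
    """Flawed validator: dispatches on message type alone and never asks
    what came before, so Certificate or ServerKeyExchange can be skipped."""

    def __init__(self):
        self.seen = set()

    def receive(self, msg):
        if msg not in STRICT_TRANSITIONS:
            raise ValueError(f"unknown message {msg}")
        self.seen.add(msg)

    def complete(self):
        return "Finished" in self.seen


def run_trace(client_cls, trace):
    """True if the client accepts every message and then reports completion."""
    client = client_cls()
    try:
        for msg in trace:
            client.receive(msg)
    except ValueError:
        return False
    return client.complete()


def accepted_subsequences(client_cls, flow=EXPECTED_FLOW):
    """Every non-empty subsequence of `flow` (messages dropped, order kept)
    that the client accepts as a completed handshake."""
    accepted = []
    for k in range(1, len(flow) + 1):
        for idx in combinations(range(len(flow)), k):
            trace = tuple(flow[i] for i in idx)
            if run_trace(client_cls, trace):
                accepted.append(trace)
    return accepted


def skippable_messages(client_cls, flow=EXPECTED_FLOW):
    """Messages that can be dropped one at a time without being noticed."""
    return [m for m in flow
            if run_trace(client_cls, [x for x in flow if x != m])]


if __name__ == "__main__":
    for cls in (StrictClient, LenientClient):
        print(cls.__name__, "accepts", len(accepted_subsequences(cls)),
              "traces; skippable:", skippable_messages(cls))
```

The strict client accepts exactly one of the 63 subsequences (the full flow), while the lenient one accepts all 32 that happen to contain Finished, including one where the server's Certificate and ServerKeyExchange never arrive. Enumerating subsequences against a real stack is the mechanical part; the harder part, which the paper's framework supplies, is producing well-formed messages for each step so that the peer's parser is not what rejects the trace.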

A presentation that stood out on the second day was about weaknesses in the routers provided by Dutch ISPs. They did some old-school reverse engineering to be able to crack the WPA2 passwords.

A very interesting new approach to attacks is to abuse voice recognition.

During the lunches and breaks I spoke with several people. It was nice to meet Dr Lorenzo Cavallaro, the teacher of the online course I took a while ago.


404 error at Craigslist login

We've been cleaning up the basement and I put some things for sale on Craigslist. Every time I tried to log in to the site with Firefox, I'd get a 404 error. I have Internet Explorer installed for situations like these, but it's not ideal.

Tonight, I discovered the culprit: Craigslist really wants the referer header to be set. I had switched it off in Firefox a while ago (with network.http.sendRefererHeader = 0); switching it back on fixed things.
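As an added illustration (constructed for this page, not Craigslist's code, and the reason for their behaviour is an assumption), here is the kind of server-side check that produces exactly this symptom: a login handler that verifies the request came from its own site by looking at Origin or Referer, and fails closed when neither is present. The strict branch is what a browser with network.http.sendRefererHeader = 0 runs into; the lenient branch tolerates the missing header. The host names, header samples and function names are made up for the example; the Origin fallback goes slightly beyond the post, which only mentions Referer.

```python
"""Constructed example (not Craigslist's code) of a server-side source check
that fails closed when the browser sends no Referer. Assumed site hosts and
constructed request headers; the 404 in the post is just how that site
chose to report the rejection."""
from urllib.parse import urlsplit

# Assumed: the hosts this site serves its login form from.
ALLOWED_HOSTS = {"www.example.org", "example.org"}


def source_host(headers):
    """Return (hostname, header_used). Origin is checked first because
    browsers send it on cross-site POSTs; Referer is the fallback.
    A literal 'null' Origin (sandboxed or redirected contexts) counts as absent."""
    lowered = {k.lower(): v for k, v in headers.items()}
    for name in ("origin", "referer"):
        value = lowered.get(name, "").strip()
        if value and value != "null":
            return urlsplit(value).hostname, name
    return None, None


def check_request_source(headers, strict=True):
    """Decide whether a login POST may proceed.
    strict=True : missing Origin/Referer is rejected (fails closed).
    strict=False: a missing header is tolerated; a present but foreign
                  host is still rejected."""
    host, used = source_host(headers)
    if host is None:
        return (not strict), "no Origin or Referer header present"
    if host in ALLOWED_HOSTS:
        return True, f"{used} host {host} is allowed"
    return False, f"{used} host {host} is not allowed"


# Constructed request headers for the three cases.
NORMAL = {"Referer": "https://www.example.org/login", "Host": "www.example.org"}
SUPPRESSED = {"Host": "www.example.org"}            # sendRefererHeader = 0
CROSS_SITE = {"Referer": "https://evil.example.net/", "Host": "www.example.org"}

if __name__ == "__main__":
    for label, hdrs in (("normal", NORMAL), ("suppressed", SUPPRESSED),
                        ("cross-site", CROSS_SITE)):
        print(label, "strict:", check_request_source(hdrs),
              "lenient:", check_request_source(hdrs, strict=False))
```

The trade-off is real: accepting a missing header is not safe on its own, because an attacker's page can make the browser omit Referer (a no-referrer policy is enough), so a lenient check only holds up as defence in depth next to a per-session CSRF token. Sites that rely on the header check alone therefore fail closed, which is what turns a privacy preference into a broken login.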


HTC One M8

After many years I said goodbye to Blackberry today. Yesterday the charging port of my Blackberry Storm 2 fell out of the phone.

Today I went to the Verizon reseller in the mall at my work and got the HTC One M8, an Android phone.

I am looking forward to installing apps I haven't been able to use, such as Waze, Uber and Anki SRS, and the phone has been nice to play with so far. My corporate email hasn't switched over yet, hopefully tomorrow.

It's been six years since my first smartphone, a BlackBerry Pearl.


A supervisor of programmers

Today I talked with a man who used to be a supervisor of programmers at the Pentagon. He looked fit -- but he was 90 years old, born in 1923.

We were in the mall and Nora was eating a pear while I listened to his stories about the first mainframes ("we upgraded from 20,000 tubes to 40,000 tubes"). He had teams working in 3 shifts, to use the machines 24/7. He said with a smile: "I would get calls at 2.00 or 3.00 am. The problems always got resolved but I got an ulcer."

He mentioned that he created a detailed flowchart for a new office in New York, which showed the connection between the various machines: CPUs, card readers, tape units, printer etc. He said: "the diagram was 15 foot long, on thick brown paper. My boss wanted to show it off, to Congress, but when he unrolled it they just said: 'oh sure, that looks fine' and approved it".

It was special to talk with someone who shares my profession -- but who did so 30 years before I was born.

Nora had finished her pear, and the man's wife --just as spry-- came back from shopping and we said goodbye.


The IDA Pro Book

Chris Eagle

Inspired by the course I took on malicious software, I spent some more time learning about disassembling and analyzing executables.

I used IDA Pro as editor and the IDA Pro Book was a great manual.

I was using a trial version of IDA Pro which does not allow you to save your work. But it does allow you to run macros, so I created scripts like these that allowed me to persist my comments and observations:


#include <idc.idc>
// rename_safely is assumed (its body is not on the page): MakeNameEx with SN_NOWARN fails quietly on a name clash
static rename_safely(ea, name) { return MakeNameEx(ea, name, SN_NOWARN); }
static main() {
	rename_safely(0x0804896E, "main");
	rename_safely(0x0804892E, "disable_ptrace");
	rename_safely(0x8048AD6, "exit_program");
}

LEET and WOOT '13

I attended two big workshops in DC this week: the ironically named "LEET" and "WOOT" workshops, organized by USENIX.

LEET: Large-Scale Exploits and Emergent Threats
LEET stands for Large-Scale Exploits and Emergent Threats and included 13 presentations on a broad range of topics, from DDoS to spam to phishing. I particularly enjoyed these three talks:

- Funny analysis of what low-end DDoS services ("booters") are typically used for (50% of the customers are gamers who want to bring down their enemies, typically at residential addresses).
- These guys tried to find out which botnet sinks are out there (and who is creating them). Sort of "hack the counter-hackers".
- Insight from a security researcher who specializes in DDoS tools on recent developments.

WOOT: Workshop on Offensive Technologies
The WOOT workshops on Tuesday were focused on offensive technologies. The emphasis at USENIX is more academic than at conferences like BlackHat or DEFCON and less on getting publicity which is nice. Still, there were some pretty scary results.

Here are my favorites:

- Very cool demo of a new DNS rebinding flaw against Chrome (overflowing the browser's 100-entry cache used for the defensive DNS pinning).
- Solid presentation on how the researchers looked for (and found) "sign out" flaws by truncating TLS sessions. Affects GMail and Hotmail, among other things, and a distributed voting tool. Shows you that even if the theoretical framework is secure, the implementation might have flaws.
- How to hack the ELF loader into doing calculations. Totally useless but very cool.

These workshops were very interesting, and I'm currently attending the main part of the event: 3 more days of presentations. This conference has a relatively large amount of downtime, which is nice since it allows you to meet people.


Paper: From Throw-away Traffic to Bots: detecting the rise of DGA-based malware

Well-written paper that outlines the Pleiades system, which tries to detect infected computers by looking at DNS traffic at the network level. Pleiades combines a cluster of failed DNS lookups (NXDOMAIN results) with a cluster of nodes that tried to resolve the failed DNS names. It filters out "well-known" domain names and is able to achieve high detection rates with very low false positive rates. Pretty cool.

It was funny that the system also detected (and got confused by) Chrome's "DNS hijacking detection" feature.
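Here is an added, much simplified sketch of the idea, constructed for this page and not Pleiades code: take resolver log lines, keep only NXDOMAIN answers, drop names under well-known registered domains, group the remaining failed names per client, and flag clients that produced many failed lookups whose labels look machine-generated (high character entropy). It also drops single-label names, on the assumption that the Chrome DNS-hijacking probes the post mentions show up that way in this toy log; the sample log, the allow-list, the thresholds and the entropy feature are all assumptions for the illustration, not the paper's actual features.

```python
"""Constructed example (not Pleiades code) of NXDOMAIN-based infection
spotting: group failed lookups per client, drop well-known and probe-like
names, and flag clients whose failed names look machine-generated."""
import math
from collections import defaultdict

# Constructed resolver log, "<client> <qname> <rcode>"; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.5 qzkx7v1tp3.com NXDOMAIN
10.0.0.5 hw4lmd9ebr.net NXDOMAIN
10.0.0.5 uy2cgn8ksa.info NXDOMAIN
10.0.0.5 pb6ztx0vjw.com NXDOMAIN
10.0.0.5 rkf5qm3ycd.org NXDOMAIN
10.0.0.5 ng9wbh1oez.biz NXDOMAIN
10.0.0.9 googel.com NXDOMAIN
10.0.0.9 gogle.com NXDOMAIN
10.0.0.9 doesnotexist.example.com NXDOMAIN
10.0.0.12 mzqkwpdt NXDOMAIN
10.0.0.12 xhrbvnjc NXDOMAIN
10.0.0.12 tlgwzqpf NXDOMAIN
"""

# Assumed allow-list of well-known registered domains whose NXDOMAINs are ignored.
WELL_KNOWN = {"example.com", "google.com"}
MIN_FAILED = 5       # assumed thresholds for this toy
MIN_ENTROPY = 3.0    # bits per character of the leftmost label


def parse_log(text):
    """Turn the log text into (client, qname, rcode) rows."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        client, qname, rcode = parts
        rows.append((client, qname.lower().rstrip("."), rcode))
    return rows


def registered_domain(qname):
    """Last two labels; a toy stand-in for real public-suffix handling."""
    return ".".join(qname.split(".")[-2:])


def shannon_entropy(s):
    """Bits per character; random-looking labels score near log2(alphabet)."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_probe_like(qname):
    """Single-label names: assumed to be how Chrome's startup DNS-hijack
    probes appear in this toy log."""
    return "." not in qname


def failed_names_per_client(rows):
    """Distinct NXDOMAIN names per client after the allow-list and probe filters."""
    per_client = defaultdict(set)
    for client, qname, rcode in rows:
        if rcode != "NXDOMAIN" or is_probe_like(qname):
            continue
        if registered_domain(qname) in WELL_KNOWN:
            continue
        per_client[client].add(qname)
    return per_client


def suspicious_clients(rows):
    """Clients with >= MIN_FAILED failed names whose labels average
    >= MIN_ENTROPY bits per character; returns {client: (count, mean_entropy)}."""
    flagged = {}
    for client, names in failed_names_per_client(rows).items():
        if len(names) < MIN_FAILED:
            continue
        mean_ent = sum(shannon_entropy(n.split(".")[0]) for n in names) / len(names)
        if mean_ent >= MIN_ENTROPY:
            flagged[client] = (len(names), round(mean_ent, 2))
    return flagged


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print(dict(failed_names_per_client(rows)))
    print(suspicious_clients(rows))
```

On the constructed log only 10.0.0.5 is flagged: 10.0.0.9's two typos fall under the count threshold (and its example.com lookup is removed by the allow-list), and 10.0.0.12's three random single-label probes never reach the clustering stage at all. That last filter is the cheap way around the Chrome false positive the paper ran into; the paper's real contribution is clustering the failed names across many clients rather than scoring each client alone.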

I read the paper as part of an online course I'm taking, Malicious Software and its Underground Economy: Two Sides to Every Story.


Eventual Consistency Today: Limitations, Extensions, and Beyond

Interesting overview by Peter Bailis and Ali Ghodsi on what the current practices are in system architecture when dealing with eventual consistency of distributed data sources.

They discuss research that shows that eventual consistency is in practice often strongly consistent, and thus "good enough" for most purposes.

The paper concludes with a short overview of research into pushing the limits of what is achievable with high availability.

