cURL and libcurl, Haxx, Open Source, Rockbox

Going to FOSDEM 2011

January 19, 2011 Daniel Stenberg 1 Comment

We’re going to FOSDEM again. This year we’ll ship over the entire company (all three of us) and we’ll join up with a few fellow Rockbox hackers and spend a weekend in Brussels among thousands of fellow free software and open source hackers.

During this conference, 5-6 February, I’ve submitted a libcurl-related talk to the embedded-room that wasn’t accepted into the regular program, but I’ve agreed to still prepare it and I then might get a slot in case someone gets sick or something. A bit ungrateful as now I still have to prepare my slides for the talk but there’s a big risk that I’ve done it in vain! I’ve also submitted a suggestion for a second talk in the opensc/security room (also related to stuff in the curl project) but as of now (with but 16 days left) that schedule is yet to be announced so I don’t know if I’ll do a talk there or not.

So, I might do no talks. I might do two. I just don’t know. We’ll see.

If you’re a friend of mine and you’re going to FOSDEM this year, please let me know and we can meet and have a chat or whatever. I love getting faces to all the names, nicks and email addresses I otherwise only see of many people.

Update: My talk in the security room is titled “libcurl: Supporting seven SSL libraries and one SSH library” and will start at 14:15 on Saturday the 5th of February.

Electronics, Network

NASed and RAID1ed

January 19, 2011 Daniel Stenberg

I finally got my act together and bought myself a Synology DS211j NASÂ with two 2TB drives. I’ll use it as a shared network disk at home and I intend to backup to it – as I also have a home office it’ll feel better to be able to also backup company related data somewhat more safely. My previous backup was only copying data from one HDD to another within the same physical machine.

To make it slightly more resistant to disk and hardware errors I’ve configured the disks to do RAID1 (all data is stored on both disks simultaneously).

The GPLv2 license was provided printed on paper in the package.

Network, Security, Technology

HTTP security, websockets and more

January 17, 2011 Daniel Stenberg 4 Comments

Together with friends in OWASP I’m happy to mention that we will do an event on January 31st on the topic “HTTP security, websockets and more” where I’ll talk. Starting at 17:30, the exact location is not decided yet and it’ll depend a bit on popularity, but it will be in Stockholm, Sweden.

The two other speakers to appear at the event are, apart from myself, John Wilander and Martin Holst-Swende. My part of the session will be about the WebSockets protocol, about the upcoming cookie RFC and some bits about the ongoing HTTPbis work.

Omegapoint will sponsor with something to eat and drink, and we do plan to go out and grab a beer afterwards and continue the discussion.

See you!

Uncategorized

Palindrome Date + Time

January 10, 2011 Daniel Stenberg 1 Comment

Right, 2011 is just as great as 2010 was for date strings that are the same when read backwards. Today the 10th of January 2011 at 11:02 we celebrate one of them:

201101101102

We have a few more this year to look forward to in October and November: 201110011102 and 201111111102…

Technology

And another printer died on me

January 7, 2011 Daniel Stenberg 5 Comments

My printer is dead.

I got myself this HP C6180 all-in-one thing a little over three years ago and it was a good and fine printer, scanner and copier. I’ve had great use for it and it worked fine under Linux too.

Things started to decline

My problems with this printer basically started like a year ago or so when my wife’s laptop running Windows Vista suddenly decided to automatically uninstall the printer drivers. Every now and then it decides to remove the printer and I re-install it. Repeat. It gets a little boring after a while and I’ve failed to locate the reason or address the actual problem. We just re-install the driver often.

When that started happening, the HP software package for using the scanner functionality stopped working. Even if I uninstall everything and re-install etc, it just refuses to work. Possibly I could try using some other tools for scanning but since I mostly scan for my work purposes I can just as well do that from one of my computers (as opposed to my wife’s) and they run Linux and they don’t have this scanner problem.

The final blow

I scanned a paper for work (which turned to be the last useful thing I could ever do with it) and then I decided to print a short document to accompany a few receipts I had to send to the company handling Haxx‘s economy. I wrote it up in Open Office and pressed print. My home office is upstairs while the printer is downstairs so I didn’t check the printout immediately. After a while I walked down to put the paper into the envelope and notice there was no paper there. The printer had gone into a loop were it obviously powers on, starts a while (the little LCD on it starts up and shows some animation) and then it powers off and goes back on again.

First Aid

I yanked all the cables, cancelled the printer jobs from my computer, inserted the power cable again only to see the power cycle start again.

Sigh. I googled “HP c6180 reset” and landed on this great page which describes several ways that people have successfully used to hard reset their printers of exactly my model. I tried them all. Patiently one by one (including pressing 6 + #, 6 + * and OK + help when inserting the power cable). None of them made any impact, the device is still going in the power loops. As the printer is over three years old there’s no warranty or anything, and comments all over clearly indicate that HP charges for repairs of this kind of problem.

I can’t but to still have a feeling that this might be software related and then there should be some kind of master reset somewhere that would bring it back to some initial state. I just can’t find any…

Sorry dude, it’s gone

A few comments I’ve found indicate that this problem has been seen on devices with failed capacitors and there’s even a nice picture showing exactly which with a description of how to proceed to replace them. I’m just crappy with soldering and fiddling on that HW level and it’s not like I would be even close to have those spare parts.

There was nothing I could do. The poor thing is not possible to reach anymore we have to put it out of its misery!

Replacement system

Ok, I still had to mail my physical mail with receipts away so I had to pull out my backup system for emergencies like this. It is a very sophisticated concept divided into many separate yellow pieces and I’ll you show you a picture of one of them here on the left.

So the process of finding and getting a new printer/scanner has begun… I use it rather often so I’ll probably go quickly and pick something similar to what just died here.

Electronics, Rockbox

Rockbox seen on iPod Classic

January 4, 2011 Daniel Stenberg 6 Comments

After a very long time of work, a very very long time since these devices were introduced on the mp3 player market, the hard working guys from freemyipod.org have produced something on yet another device. This is the same group that previously was called linux4nano and worked so long andÂ fiercelyÂ to get code running on the 2nd generation iPod Nano and the 4th generation iPod Nano.

At the end of December 2010, Michael “TheSeven” Sparmann announced that he was running custom code including music playback on the iPod Classic. The (sometimes) so called 6th generation.

Robert Menes spiced up the story today by showing us a live picture of a Classic device that now actually is running Rockbox:

Awesome work Michael, truly impressive. I hope a lot of Classic owners soon will be able to try out Rockbox for real. Rockbox is said to not yet be very stable or functional, so there’s a lot of room for more hackers and developers to join in and help us improve!

Network, Web

WebSockets now: handshake and masking

January 4, 2011 Daniel Stenberg

In August 2010 I blogged about the WebSockets state at the time. In some aspects nothing has changed, and in some other aspects a lot has changed. There’s still no WebSockets specification that approaches consensus (remember theÂ 4 weeks plan from July?).

Handshaking this or that way

We’ve been reading an endless debate through the last couple of months on how the handshake should be made and how to avoid that stupidÂ intermediariesÂ might get tricked by HTTP-looking websocket traffic. In the midst of that storm, a team of people posted the paper Transparent Proxies: Threat or Menace? which argued that HTTP+Upgrade would be insecure and that CONNECT should be used (Abarth’s early draft of the CONNECT handshake).

CONNECT to the server is not kosher HTTP and is not being appreciated by several people – CONNECT is meant to get sent to proxies and proxies are explicitly setup to a client.

The idea to use a separate and dedicated port is of course brought up every now and then but is mostly not considered. Most people seem to want this protocol to go over the “web” ports 80 and 443 and thus to be able to share the proxy environment used for HTTP.

Currently it seems as if we’re back to a HTTP+Upgrade handshake.

Masking the traffic

A lot of people also questioned the very binary outcome of the Transparet Proxies report mentioned above, and later on it seems the consensus that by “masking” WebSocket traffic it should be possible to avoid the risk that stupid intermediaries misinterpret the traffic as HTTP. The masking is currently being discussed to be XOR with a frame-specific key, so that a typical stream will change key multiple times but is still easy for a WebSocket-aware tool (say Wireshark and similar) to “demask” on purpose.

The last few weeks have been spent on discussing how the masking is done, if it is to become optional and if the masking should include the framing or not.

This is an open process

I’m not sure I’ve stressed this properly before: IETF is an open organization. Anyone can join in and share their views and opinions, but of course you need to argue technical merits.

cURL and libcurl, Mail

“Hacking me”

December 23, 2010 Daniel Stenberg 2 Comments

If you ever wonder how clever it was of me to make an FTP tool that used the default anonymous password curl_by_daniel@... once upon a time and you want to know why I changed that to ftp@example.com instead? Here’s a golden snippet to just absorb and enjoy:

Date: Thu, 23 Dec 2010 22:56:00
From: iHack3r <hidden>
To: info@[my company]
Subject: Hacking me

To the idiot named Daniel, Please stop brute force attacking my FTP client. I do not appreciate it, i have an anonymous account set up for the general public to access my files that i want them to access, QUIT trying to hack the admin because 1. DISABLED unless i am leaving to go somewhere without my computer 2: THE PASSWORD is random letters and numbers.

-iHack3r

The password was changed at Feb 13 2007 in curl version 7.16.2, but there are a surprisingly large amount of older curls still around out there…

Update: as the person responded again after having read this blog post and still didn’t get it, I felt the urge to speak up in even more clear terms:

I didn’t have anything to do with any “hacker attack” on any site. Not yours, and not anyone else’s. The fact that almost-my-email address appeared in your logs is because I wrote the FTP client. It is a general FTP client that is being used by a very very large amount of people all over the world. If I ever would attack a site, why on earth would I send along my real name or email address?

cURL and libcurl, Network

Byte ranges for FTP

December 20, 2010 Daniel Stenberg

In the IETF ftpext2 working group there have been some talks around clients’ and servers’ ability to do and support “ranged” file transfers, that is transferring only a piece of any given file. FTP supports the REST command and has done so since the dawn of man (RFC765 – June 1980), and using that command, a client can set the starting point for a transfer but there is no way to set the end point. HTTP has supported the Range: header since the first HTTP 1.1 spec back in January 1997, and that supports both a start and an end point. The HTTP header does in fact support multiple ranges within the same header, but let’s not overdo it here!

Currently, to avoid getting an entire file a client would simply close the data connection when it has got all the data it wants. The unfortunate reality is that some servers don’t notice clients doing this, so in order for this to work reliably a client also has to send ABOR, and after this command has been sent there is no way for the client to reliably figure out the state of the control connection so it has to get closed as well (which is crap in case more files are to be transferred to or from the same host). It primarily becomes unreliable because when ABOR is sent, the client gets one or two responses back due to a race condition between the closing and the actual end of transfer etc, and it isn’t possible to tell exactly how to continue.

A solution for the future is being worked on. I’ve joined up the effort to write a spec that will suggest a new FTP command that sets the end point for a transfer in the same vein REST sets the start point. For the moment, we’ve named our suggested command RANG (as short for range). “We” in this context means Tatsuhiro Tsujikawa, Anthony Bryan and myself but we of course hope to get further valuable feedback by the great ftpext2 people.

There already are use cases that want range request for FTP. The people behind metalinks for example want to download the same file from many servers, and then it makes sense to be able to download little pieces from different sources.

The people who found the libcurl bugs I linked to above use libcurl as part of the Fedora/Redhat installer Anaconda, and if I understand things right they use this feature to just get the beginning of some files to check them out and avoid having to download the full file before it knows it truly wants it. Thus it saves lots of bandwidth.

In short, the use-cases for ranged FTP retrievals are quite likely pretty much the same ones as they are for HTTP!

The first RANG draft is now available.

Linux, Network

Add latency to localhost

December 14, 2010 Daniel Stenberg 15 Comments

Pádraig Brady taught me a great trick in a comment to a previous blog post and it was so neat I feel a need to highlight it further as it also makes it easier for me to find it again later!

To simulate a far away server, add RTT time to the localhost device. For example if we add 100 milliseconds (which then makes 200ms ping time to localhost):

$ tc qdisc add dev lo root handle 1:0 netem delay 100msec

Restore it back to normal again with:

$ tc qdisc del dev lo root

tc qdisc add dev lo root handle 1:0 netem delay 100msec