Profile

Kevin Lyda
Works at DERI
Attended SUNY at Buffalo
501 followers|126,906 views

Stream

 
Regarding https://tools.ietf.org/html/rfc6520, isn't it a problem that the response must contain a copy of the data sent? Isn't that a possible attack vector?

From RFC 6520:
"""
When a HeartbeatRequest message is received and sending a HeartbeatResponse is not prohibited as described elsewhere in this document, the receiver MUST send a corresponding HeartbeatResponse message carrying an exact copy of the payload of the received HeartbeatRequest.
"""

For cryptanalysis, isn't knowing that the same text is being encrypted by the same key a useful thing to know? I'm not clear if TLS is using the same key to encrypt in each direction of course, but if it is this seems like a weakness.

Wouldn't a better response be one with the same length but with as much of the following as will fit: some sort of salted hash of the payload followed by random bytes?

+Loïc Guelorget +David Conran +Will Drewry
Greg S
 
I don't think the two directions are encrypted in the same session key. And the attacker doesn't even know where the heartbeat request is, though I suppose he could make a guess based on traffic analysis.

Kevin Lyda

Shared publicly  - 
 
Debian packaging.

I have a set of autoconf-based projects which are mainly libraries (one has a binary) and I'd like to make package configs for them and check them in with the rest of the tree.  The git debian packaging tools generate loads of branches for this and then fling tools like quilt around like angry monkeys fling poo - with similar results.

I'm wondering if there might be a good example project that shows what parts of the debian/ dir to commit.  And perhaps some nice, succinct directions on how to build a package that start with "git clone blah" and end with "dpkg -i".
 
There is.  I passed this by earlier today...  Anyway, I haven't done much with debian packaging, it's on my todo list.  RPMs though, by hand, autoconfig, ant, and maven, done them all.

Anyway, where I am going with this is, if you're doing CI, artifactory (pro) does RPMs in addition to jar files, I think the next version will do deb and gems.  And probably other stuff.

Disclosure: I'm going to be starting at jfrog on the 21st.  That said, one of the reasons they hired me is because I'm already a fan boy.

One more thought, if the command isn't git clone; autoreconf&&configure&&make you're doing it wrong ;-)

Kevin Lyda

Shared publicly  - 
 
Has anyone I know tried this?  Does it work well?

https://github.com/Valloric/YouCompleteMe
 
ycm and syntastic play nicely together.

Kevin Lyda

Shared publicly  - 
 
More info on the thing I shared earlier.
 
So this is interesting (to TCP geeks).

+John Looney noticed that:

    while true; do telnet localhost 50000; done

will eventually succeed in connecting (nothing's listening on port 50000), and, strangely, it connects to itself. What's happening is that the ephemeral port allocated for the socket source is actually accepting the connection, resulting in a self connect.

You can make this happen immediately by specifying a source port; e.g.:

    socat stdio TCP:localhost:50000,sourceport=50000

Even more interestingly; if you have two machines, and arrange matters so that each connects to the other using the other's source address as their target address, the connection is established. This can be shown using socat as follows:

    On machine A: while true; do socat stdio TCP:B:50000,sourceport=50001; done
    On machine B: while true; do socat stdio TCP:A:50001,sourceport=50000; done

(The loop retries until we manage to hit the narrow window between connection attempt and reset on each system; I typically see about 40-50 attempts before success.)

+Kevin Lyda and +Paul Jakma did some further investigation, and it looks like this is how the "simultaneous connection synchronisation" of TCP works - see figure 8 of RFC793. General opinion of the systems administration people I've shown this to is "WITCHCRAFT!"

Your Interesting Network Thing Of The Day.

For your next task: figure out how to make this into a connection-interception hack. Easiest to achieve on localhost due to the size of the address:port space, but still...

Kevin Lyda

Shared publicly  - 
 
Part of my drive home the other day.
 
LOOK OUT! YOU'RE ON THE WRONG SIDE OF THE ROAD!
Have him in circles
501 people
 
Javascript application frameworks.  I was looking at backbone, angularjs and ember, but honestly don't really have the background to assess them. Anyone played with them?
 
Ya, AngularJS does require a shift in thinking (similar to the mind-fk I experienced when moving from C to Java). One good tip I saw: when learning AngularJS don't include jQuery in your project. If you find yourself reaching for jQuery it probably means you're not doing it right.


Kevin Lyda

Shared publicly  - 
 
Parsing!  OK, so there's lex and yacc, but what are other, newer options for C? (lex was first written in 1975...)

I'm currently looking at lemon and re2c. Any others people can recommend?
 
Yeah, for proto format, I'd just write your own for the parser, maybe use flex for the lexer.

Kevin Lyda

Shared publicly  - 
 
OK, this is weird...

    while :; do telnet 127.1 50001; done
 
Right so if you're connecting to 127.0.0.1:50000 to confirm that the daemon on port 50000 is up and running, there's a slight flaw in your test...
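
The flaw noted in the comment above, together with the self-connect behaviour described in the earlier post (the `socat ... sourceport=50000` case), as an added example that is not part of the original posts: a liveness probe that reports a TCP self-connect separately from a real listener. The function names and the `source_port` parameter are assumptions for illustration, and the block assumes a loopback interface and a TCP stack that permits self-connects (as Linux does).

```python
import socket

def is_self_connection(sock):
    """True when the local and remote endpoints are the same address:port."""
    return sock.getsockname() == sock.getpeername()

def probe(host, port, source_port=None, timeout=2.0):
    """Liveness check: returns 'up', 'down' or 'self-connect'.

    source_port (hypothetical parameter) pins the local port, like socat's
    sourceport= option, so the self-connect case can be reproduced on demand.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        if source_port is not None:
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            s.bind((host, source_port))
        s.connect((host, port))
        # connect() succeeding is not proof of a listener: compare endpoints.
        return "self-connect" if is_self_connection(s) else "up"
    except OSError:
        # Refused, timed out or unreachable: nothing answered on that port.
        return "down"
    finally:
        s.close()

def unused_port(host="127.0.0.1"):
    """Ask the kernel for a currently free port, then release it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]

if __name__ == "__main__":
    port = unused_port()  # constructed test input: nothing listens here
    print(port, probe("127.0.0.1", port, source_port=port))
    print(port, probe("127.0.0.1", port))
```

A monitoring check built on a bare `connect()` would treat the first case as a healthy daemon; comparing `getsockname()` with `getpeername()` is what separates the two.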

Kevin Lyda

Shared publicly  - 
 
Obviously the amazing thing about this video is they filmed it when it wasn't raining...
 
Miles better than the Dublin one! Miss Galway! 
Work
Occupation
I type, therefore I am.
Employment
  • DERI
    Research Fellow, 2012 - present
  • Google Ireland
    SRE, 2006 - 2012
  • Corvil
    Software Engineer, 2005 - 2006
  • Doolin Technologies
    Lead Developer, 1999 - 2005
  • Trintech
    Software Engineer, 1998 - 1999
  • DreTech
    Software Engineer, 1998 - 1998
  • UniFi Communications
    Software Engineer, 1996 - 1998
  • Net Daemons Associates
    Systems Administrator, 1995 - 1996
  • MEDITECH
    Software Engineer, 1994 - 1995
  • SUNY at Buffalo School of Dental Medicine
    Scientific Programmer, 1992 - 1994
Basic Information
Gender
Male
Story
Introduction
Linux and politics geek.  Ex-pat Yank in Ireland.  Improv player.  Power tool equipped DIYer.  Slowly improving cyclist.
Bragging rights
I survived four winters in Buffalo, NY.
Education
  • SUNY at Buffalo
    BS in Computer Science, 1989 - 1992
  • Huntington High School
    Survival, 1985 - 1989