Category Archives: Thoughts

Design Guidelines vs Pushing The Limits

One of the design guidelines of Jailer is don’t break FreeBSD. As in if someone installed and used Jailer, and then deleted the Jailer binary and libraries, their Jails would still run without any issues. We do this with minimal intervention, for example, jailer init patches FreeBSD’s /etc/rc.d/jail, but in a way that you wouldn’t feel the difference much. We don’t create new rc.conf variables, we just change couple of loops. In a way, you can keep these changes even if you delete Jailer so your system would be much improved. Obviously, we do sent these patches to FreeBSD src.

But I’m in front of an issue right now. On one side, I want to keep these guidelines, on the other, pushing the limit will allow me to improve Jailer way more than I expected.

These are the things that I think about before sleep, or during the shower. I gave a promise, that I will not break the Jail ecosystem. But what if, just what if, the ecosystem was broken in the first place?

Some of you might know, that we’ve been working on integrating libucl with Jail. The experiments have been going well, in such that I feel I want to integrate these experiments with Jailer already, even before they get into FreeBSD (and they might even not get in at all).

My dream of Jailer and its ecosystem is complex. I feel that these integration would do good on the long-term, but I want to keep the short term alive as well.

One idea is to fork Jailer, keep two versions of it. One version that’s FreeBSD compliant, and another one that is pushing the limits.

This is going to be an interesting week…

That’s all folks…

Reply via email.

Antranig Vartanian

March 14, 2023

It took me a while to realize this, but if you’re also working from home, these two tips might help you be more productive.

  1. When you start your work, make sure you’re dressed.
  2. Get a static working desk.

It seems so simple and rudimentary, right? It took me 6 months to realize this! Working from a desk fully clothed is a lot better than working in underwear in bed.

But I guess everyone is different. For me, this has been a huge productivity change 🙂

Reply via email.

Reply from National Vulnerability Database Team regarding Legacy Data Feeds

Couple of days ago when I was assisting a customer, I recommended that they follow the National Institute of Standards and Technology’s (a.k.a. NIST) Information Technology Laboratory’s Computer Security Division’s National Vulnerability Database’s (a.k.a. NVD a.k.a. that place that publishes the CVEs) data feeds. (Apologies for the bad intro)

So, these are RSS feeds that “contains the most recent CVE cyber vulnerabilities published within the NVD”

Unfortunately, I saw a notice at the top of the page, which got me really worried. It says

In September 2023, the NVD plans to retire all legacy data feeds while guiding any remaining data feed users to updated application-programming interfaces (APIs).

Usually, I’d panic and start ranting on my blog, but this is the NVD we’re talking about. They are a US government project that has been doing a lot of good and they are sponsored by the CISA, an agency that does many good things not just for US citizens, but citizens of our planet.

I started digging to understand what exactly is going to be retired and most importantly, why?

The NVD has made an amazing change timeline that has the following

The NVD plans to retire the RSS data feeds. The NVD plans to enable reCAPTCHA across all webpages and to retire webpages intended to support web scraping (e.g., Full Listings) before its APIs existed.

Okay, NOW I’m worried.

I’ll break this into two parts.

Why we need RSS feeds

You see, the internet relies on RSS, and I’m not just saying that because most of my audience uses RSS daily. The reason is much deeper than that.

As Dave Winer blogged a month ago

RSS is a thing like roadways and paths of rivers, they change very slowly. Think about qwerty keyboards. That’s what we’re talking about here. Agreements between products to interop. RSS is just like the gauge of rails, or always driving on one side of the street. A convention that makes progress possible. #

Scripting.com, Saturday, January 28, 2023

There are three products/protocols that I use daily, it’s Slack (for work), XMPP (for friends and family) and Telegram (for Armenian tech communities).

There are specific things that I should deliver for all these and that is messages, alerts, notices.

For my work, I should be able to get news if there’s a security issue on FreeBSD, because we use that. For friends and family I should deliver notices if there are any issues or upcoming maintenance to our servers. For my telegram communities I should update them if we’re having any new meetups, events, podcasts.

But, instead of writing a software that fetches, parses, analyzes and does something-something to these messages, I use RSS! FreeBSD has an RSS feed for Security Advisories. All I do in Slack is /feed subscribe https://www.freebsd.org/security/feed.xml and now, every time there an SA for FreeBSD, I get notified in Slack.

For friends and family? I have Huginn agent that parses RSS and send an XMPP message. For Armenian tech communities? I read a website’s RSS and a bot posts it in a group.

You get the idea.

RSS is all about “things working together”, there is no need to write a specific piece of for that specific thing.

And for years, I’ve relied on NVD’s RSS data feed to notify customers, tell them what to upgrade, if they need to upgrade and why to upgrade.

These RSS feeds are part of my professional life, a way for me, and people like me to know if we should be in panic mode or not.

So…

Okay, now what?

I believe in communication. I was very sure that my questions will be answered by the NVD, so I sent a message!

Greetings dear NVD team, NIST team and Computer Security Division,

While browsing your website, I have noticed the following change:

> In September 2023, the NVD plans to retire all legacy data feeds and the 1.0 APIs.

This became very disturbing, as many companies (including mine) rely on the data feed provided by NIST’s NVD.

I have two questions:
1) Is there *any* chance to keep the RSS feeds?
2) Is it okay if others (i.e. I) generate an RSS feed from your new API, if your final decision for q#1 is no?

[ . . . ]

If I may, that being said, I’m sure there’s a good reason, so my other question is:
What are/were the technical issues with RSS? Could it be bypassed or hacked around?

Thank you for all the work that you do, and thank in advance.

Kind regards,

I was right! They did answer all of my questions! I got a reply yesterday, here it is.

1) Is there *any* chance to keep the RSS feeds?

We have no plans to continue providing the RSS feeds located at
https://nvd.nist.gov/vuln/data-feeds#RSS
https://nvd.nist.gov/feeds/xml/cve/misc/nvd-rss.xml
https://nvd.nist.gov/feeds/xml/cve/misc/nvd-rss-analyzed.xml

Additionally, it is important to point out that per our announcement at https://nvd.nist.gov/general/news/change-timeline, the RSS feeds will be retired in March, not September. If you were not aware of these announcements we highly advice joining the NVD Google Group to stay better informed (https://groups.google.com/a/list.nist.gov/g/nvd-news).

2) Is it okay if others (i.e. I) generate an RSS feed from your new API, if your final decision for q#1 is no?

All NIST publications are available in the public domain. Organizations seeking to automate the retrieval of NVD data should use the NVD’s Application Programing Interfaces (APIs).
Services which utilize or access the NVD are asked to display the following notice prominently within the application: “This product uses data from the NVD API but is not endorsed or certified by the NVD.” You may use the NVD name to identify the source of the data. You may not use the NVD name, to imply endorsement of any product, service, or entity, not-for-profit, commercial or otherwise. For information on how to the cite the NVD, including the database’s Digital Object Identifier (DOI), please consult NIST’s Public Data Repository.

3) What are/were the technical issues with RSS? Could it be bypassed or hacked around?

The RSS feeds were considered to be overly simplistic and underutilized, they were determined in scope of retirement for these reasons as part of a larger effort to consolidate our output formats as we move towards the APIs. If you would like to submit a user story explaining the benefits and needs that the APIs currently do not meet we would pass that along to the development team for consideration in the future.

Okay. I agree! RSS is very simplistic, but that’s the point! it’s supposed to be simple. I mean, it’s simple enough that podcasts are RSS feeds.

And to be clear, I DID check the NVD’s new Vulnerabilities API, it’s awesome, it’s nice, it’s documented very well, kudos to the team, they did an amazing work, I’m sure it wasn’t easy. It has, for sure, more features than RSS could provide.

What to do about it?

I understand that the NVD is pushing the REST API, and I also understand why. But I really don’t want to write a “wrapper” for every service and technology that I use.

Here are my two questions.

  1. Will systems break because of this? Are you using these feeds? Do you rely on them for yourself or your organization?
  2. Will there be an interest by the InfoSec community to write a wrapper that generates a new RSS feed from NVDs new API?

Personally, if there’s an interest or not, I will be stopping everything I’m working on to create this NVD-to-RSS generator, as I very much rely on it. It will be open-source, obviously. What I should build is a drop-in replacement, where you change the feed URL, and everything works like before. (Well, I have to finish my other open-source commitments first, then I should work on this 😀 hopefully it wont take long.)

I would like to thank the NVD for keeping these feeds for all these years and congratulate them for their new APIs, I’m sure many good things will come out of these APIs.

And thank you for reading 🙂

That’s all folks…

Reply via email.

Antranig Vartanian

February 3, 2023

Turns out this is what happens when you leave me alone at a supermarket.

Basically I start playing with all the electronics I find.

I found this Barcode scanner with Windows 8 (for some reason) and the browser was open.

I was thinking of idling it at my Armenian blog, but I think this was better!

It’s showing the “Get Blogging!” website 🙂

That’s a all folks…

Reply via email.

“You try, you fail, you try, you fail, but the only true failure is when you stop trying.”

Madame Leota, Haunted Mansion

Reply via email.

DND IRL

What does modern macOS and old-school Instant Messaging systems (like AIM or Pidgin) have in common?

They both support “Status”, you know, that thing we had in IMs, where you can set yourself to “Do Not Disturb” and your avatar becomes red.

macOS, as always, does not call that “Status”, instead they call is “Focus”, but it gets the job done.

So yes, I’d like an IRL (In Real Life) version of DND (Do Not Disturb). Maybe my ears should turn red, but most people would confuse it with some other emotions.

That’s all folks…

Reply via email.

iOS ships Dvorak, finally

I’m a huge fan of the Dvorak keyboard layout, but if there’s one thing I love more than “Evolved vs Engineered” solution debates, is that nothing wins the ”standardized” debate.

That being said, the main reason I never moved to Dvorak properly was always a device not having a proper keyboard. Sometimes it was my Android phone with a weird ROM, but most of times it was my iPhone.

However, I just learned that Apple shipped the Dvorak layout with iOS 16.

Here’s Lilith‘s iPhone running iOS 15

And here’s my iPhone running iOS 16

And I’ve gotta say, it’s not bad at all

That’s all folks…

Reply via email.

The command command

According to the 2018 edition of The Open Group Base Specifications (Issue 7), there’s a command named command which executes commands.

Wait, macOS is OpenGroup UNIX 03 certified, right?

command running uname -a

I tried tracing back the history, macOS is mostly based on FreeBSD, as we can see in their open-source code.

So I started tracing back the FreeBSD code, and I found the current one.

I found the oldest commit about command in FreeBSD’s source tree, but it said

Import the 4.4BSD-Lite2 /bin/sh sources

builtins.def

So I opened up the SVN tree of CSRG, and there I found this

date and time created 91/03/07 20:24:04 by bostic

builtins.def

However, if I knew how to use SVNWeb, I’m pretty sure I’d navigate around the /old/sh directory.

It’s funny, how this line
# NOTE: bltincmd must come first!
Is both in the macOS code AND the CSRG code from 30 years ago.

That’s all folks…

Reply via email.