Kebe Says - Dan McDonald's Blog

A Pastry Tale (for Boxing Day)

It's story time, and still Boxing Day in some parts of the US.

Recent rumblings about treating your customers right, why some folks don't, and the subtle slope between happy customers and captured customers remind me of one of my favorite hole-in-the-wall restaurant employees, Phil. He loves his customers: even the ones who ask for off-menu items, even the ones who can't properly describe what they really want, and especially the ones who like what he cooks and tell their friends about it.

I won't name this hole-in-the-wall, because it's a front for some flavor of organized crime. I'm not sure what crime syndicate it is, and whenever I ask Phil he gets really sheepish about it. Still, the food is good, and Phil is proud of what he and his small staff cook. The most recent time I asked about the owners, however, he told me about how chefs often work at establishments with ties of some sort to organized crime. He then went on a bit longer.

Phil started in by telling me he used to be an excellent pastry chef for a one-Michelin-star restaurant. Its owners used it to launder money from their more nefarious operations, but kept their laundering businesses as clean as possible to avoid IRS or other law-enforcement scrutiny. You don't get a Michelin star without having very happy customers. The restaurant had incredible wait staff, bussing that was simultaneously invisible and highly responsive, and cuisine from world-class chefs. The restaurant management and staff also believed firmly it could get even better, adding a second star perhaps, through an assortment of ways. They were highly motivated to try new foods, new recipes, and new dining experiences. Phil noted that not long after he joined, they doubled the restaurant size with minimal disruption to the dining environment. He noted he designed his pastry station to fit nicely into either the expanded kitchen, or the original smaller one. They replaced a wall with a glass pane that allowed folks to see the chefs at work.

Phil's chocolate crinkle cookies, listed on the menu as Knockout Cookies, were his most famous pastry. He and his staff developed them to test the pastry station's capabilities, and they were yummy. Soon the other chefs and the staff started eating them. Some of the staff had friends at other restaurants, and so the Knockout Cookies would sometimes be eaten behind closed doors at other restaurants. Any new staff that showed up at Phil's old restaurant would be asked to try a Knockout Cookie, and they usually liked it enough to take some home with them. Phil thought maybe Knockout Cookies could be sold to other restaurants, the way the donut chain AnyDonut did with their donuts.

Many more such projects were in the middle of being planned or tested when the nearly-absentee owners found themselves unwittingly in a turf war against a more dangerous syndicate, which they lost. All of the protection rackets, illicit activities, and money-laundering businesses became part of this new, more dangerous, syndicate.

The new owners of the ONE-MICHELIN-STAR restaurant wanted to cut costs, because more money could be laundered that way. This cost-cutting plan irritated the staff and more than a few quit immediately or not very long after the turf war ended. Those that stayed behind either fell in with the new syndicate, or naively thought that as long as money was being laundered, they could continue with their new cuisine, recipes, or dining experiences. As if to dispel such notions, the new syndicate even spray-painted the glass pane red!

Another one of the cost-cutting measures was to reduce the in-house pastry selection. The Knockout Cookies, in spite of their devoted fans, were eliminated. Adding insult to injury for Phil, the restaurant started outsourcing chocolate cookies from AnyDonut. Phil was pissed, and scribbled on all of the menus: crossing out Knockout Cookies and writing AnyDonut Chocolate Cookies. This earned him and the pastry staff a meeting with a remaining manager, nose brown with sucking up to the new syndicate. The new manager even threatened a visit from an underboss.

Not long after that half the pastry staff quit, including Phil. It took him way too long to figure out what had happened while he wandered around for any cook or chef job he could find. Turns out AnyDonut was not only a supplier, but they were ALSO a protection-money payer. It was likely more profitable to use AnyDonut since they were paying protection money anyway, and the new syndicate had no interest in self-sabotaging their protection money.

Phil finished, shook his head, and said, "It didn't take long to lose the star." He then slipped me a Knockout Cookie, gratis, and whispered, "I still bake and eat 'em at home."

...

(Inspired by BDHA's parable.)


A Request to Security Researchers from illumos

A Gentle Reminder About illumos

A very bad security vulnerability in Solaris was patched-and-announced by Oracle earlier this week. Turns out, we in open-source-descendant illumos had something in the same neighborhood. We can’t confirm it’s the same bug because reverse-engineering Oracle Solaris is off the table.

In general if a vulnerability is an old one in Solaris, there’s a good chance it’s also in illumos. Alex Wilson said it best in this recent tweet:

If you want to see the full history, the first 11 minutes of my talk from 2016’s FOSDEM contains WHY a sufficiently old vulnerability in Solaris 10 and even Solaris 11 may also be in illumos.

Remember folks, Solaris is closed-source under Oracle, even though it used to be open-source during the last years of Sun’s existence. illumos is open-source, related, but NOT the same as Solaris anymore. Another suggested talk covers this rather well, especially if you start at the right part.

The Actual Request

Because of this history and shared heritage, if you’re a security researcher, PLEASE make sure you find one of many illumos distributions, install it, and try your proof-of-concept on that as well. If you find the same vulnerability in illumos, please report it to us via the security@illumos.org mailing alias. We have a PGP key too!

Thank you, and please test your Solaris exploits on illumos too (and vice-versa).

A final suggested read

David Reed passed along a pointer to this paper by Dan Geer:

A Time for Choosing

Please read it, and understand the founding spirit of the Internet. And with that, I say goodbye to Oracle.

I'm leaving Oracle, and switching gears

15 years ago I was finishing up last-minute changes at NRL while getting ready to move coasts. While I'm not moving coasts, I'm at the point where I'm finishing up last-minute changes again.

I'm leaving Oracle this week, and will be trying something a bit different after that. I've been doing IPsec or at least TCP/IP related work for the entirety of my time at Sun. I expect to be back in TCP/IP-land relatively soon, but I will be learning some new-to-me technologies in the immediate future.

I've met and worked with some extraordinary people during my time at Sun. I hope to keep in touch with them after I depart. If any of you half-dozen readers wish to keep up, I'd suggest following my Twitter feed until I decide whether or not I find a new home for this blog. I'm also findable on Facebook and LinkedIn for those so inclined.

I, for one, welcome our new database-selling overlords.

In all honesty, I'm glad this regulatory dance is over. We've all been having a little itch in our brains about this. Even if any of us have had real work to do, we've been at least a little distracted by this whole acquisition uncertainty.

Well, we're finally part of Oracle now, and I think that's pretty cool. Larry E. wants to butt heads with IBM and HP directly, and quite honestly, we at Sun have been doing that on-and-off for at least my not-quite-14-years here. Now that this uncertainty has been removed, we can at least narrow the uncertainty to any internal-to-Oracle decisions, which given certain statements both in the past and yesterday seem pretty encouraging, at least from my engineering perspective.

Jonathan said we should light a candle for Sun. As a prank gift for my 40th birthday, I got a 40-ounce bottle of Olde English. I think instead I will pour that 40 for Sun.

New IPsec goodies in S10u7

Hello again. Pardon any latency. This whole Oracle thing has been a bit distracting. Never mind figuring out the hard way what limitations there are on racoon2 and what to do about them.

Anyway, Solaris 10 Update 7 (aka. 5/09) is now out. It contains a few new IPsec features that have been in OpenSolaris for a bit. They include:
  • HMAC-SHA-2 support per RFC 4868 in all three sizes (SHA-256, SHA-384, and SHA-512) for IPsec and IKE.
  • 2048-bit (group 14), 3072-bit (group 15), and 4096-bit (group 16) Diffie-Hellman groups for IKE. (NOTE: Be careful running 3072 or 4096 bit on Niagara 1 hardware, see here for why. Niagara 2 works better, but not optimally, with those two groups.)
  • IKE Dead Peer Detection
  • SMF Management of IPsec. Four new services split out from network/initial:
    • svc:/network/ipsec/ipsecalgs:default -- Sets up IPsec kernel algorithm mappings.
    • svc:/network/ipsec/policy:default -- Sets up the IPsec SPD (reads /etc/inet/ipsecinit.conf).
    • svc:/network/ipsec/manual-key:default -- Reads any manually-added SAs (reads /etc/inet/secret/ipseckeys).
    • svc:/network/ipsec/ike:default -- Controls the IKE daemon.
  • The UDP_NAT_T_ENDPOINT socket option from OpenSolaris, so you can develop your own NAT-Traversing IPsec key management apps without relying on in.iked.
We have even more goodies in OpenSolaris, BTW.
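As an added example (not code from this blog, from Solaris, or from the SMF services above): a small Python lint that reads fragments in the ike.config(4) p1_xform syntax and the ipsecconf(1M) policy-rule syntax and reports which phase-1 transforms and policy rules actually use the RFC 4868 HMAC-SHA-2 sizes and the group 14/15/16 Diffie-Hellman groups that S10u7 adds. The two sample fragments, the sets of algorithms treated as acceptable, and the one-entry-per-line assumption are mine, not the author's; a real deployment would point the functions at /etc/inet/ike/config and /etc/inet/ipsecinit.conf before running `svcadm refresh` on the policy and ike services.

```python
"""Check IKE phase-1 transforms and IPsec policy rules for the SHA-2 HMACs
and large DH groups available as of Solaris 10u7.  Added example: syntax
follows ike.config(4) and ipsecconf(1M); sample contents are constructed."""
import re

# HMAC-SHA-2 names as accepted by ipsecalgs/ike.config (assumed spelling).
SHA2_AUTH = {"sha256", "sha384", "sha512"}
# Oakley/MODP groups added to IKE in S10u7: 2048-, 3072-, 4096-bit.
STRONG_DH_GROUPS = {14, 15, 16}

# Constructed /etc/inet/ike/config fragment: one strong and one legacy proposal.
SAMPLE_IKE_CONFIG = """\
# phase-1 proposals, strongest first
p1_xform { auth_method preshared oakley_group 14 auth_alg sha256 encr_alg aes }
p1_xform { auth_method preshared oakley_group 2 auth_alg sha1 encr_alg 3des }
p2_pfs 14
"""

# Constructed /etc/inet/ipsecinit.conf fragment: two ESP policy rules.
SAMPLE_IPSECINIT_CONF = """\
{laddr 192.0.2.10 raddr 192.0.2.20} ipsec {encr_algs aes encr_auth_algs sha512 sa shared}
{laddr 192.0.2.10 raddr 192.0.2.30} ipsec {encr_algs aes encr_auth_algs md5 sa shared}
"""

_BRACE = re.compile(r"\{([^{}]*)\}")


def _kv(body):
    """Turn 'k1 v1 k2 v2 ...' from inside a brace block into a dict."""
    toks = body.split()
    return dict(zip(toks[::2], toks[1::2]))


def lint_ike_config(text):
    """Return one finding per p1_xform: (oakley_group, auth_alg, [problems])."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        if not line.startswith("p1_xform"):
            continue
        m = _BRACE.search(line)
        if not m:
            findings.append((None, None, ["unparseable p1_xform"]))
            continue
        kv = _kv(m.group(1))
        group = int(kv.get("oakley_group", 0))
        auth = kv.get("auth_alg", "")
        problems = []
        if group not in STRONG_DH_GROUPS:
            problems.append(f"oakley_group {group} is below group 14 (2048-bit)")
        if auth not in SHA2_AUTH:
            problems.append(f"auth_alg {auth} is not an RFC 4868 HMAC-SHA-2")
        findings.append((group, auth, problems))
    return findings


def lint_ipsecinit_conf(text):
    """Return one finding per policy rule: (raddr, integrity alg, [problems])."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        braces = _BRACE.findall(line)
        if len(braces) < 2:                             # need selector + properties
            findings.append((None, None, ["unparseable policy rule"]))
            continue
        sel, props = _kv(braces[0]), _kv(braces[1])
        # ESP integrity is encr_auth_algs; an AH-only rule would use auth_algs.
        auth = props.get("encr_auth_algs", props.get("auth_algs", ""))
        problems = []
        if auth not in SHA2_AUTH:
            problems.append(f"integrity algorithm {auth!r} is not SHA-2")
        findings.append((sel.get("raddr"), auth, problems))
    return findings


def weak_entries(findings):
    """Count entries that raised at least one problem."""
    return sum(1 for _, _, probs in findings if probs)


if __name__ == "__main__":
    for name, fn, text in (("ike/config", lint_ike_config, SAMPLE_IKE_CONFIG),
                           ("ipsecinit.conf", lint_ipsecinit_conf, SAMPLE_IPSECINIT_CONF)):
        for key, alg, probs in fn(text):
            status = "OK  " if not probs else "WEAK"
            print(f"{status} {name}: {key} {alg} {'; '.join(probs)}")
```

The parser is deliberately narrow: it only understands single-line brace blocks and ignores the keywords it does not lint (auth_method, encr_alg, sa), which is enough to answer the one question the list above raises, namely whether a configuration has been moved onto the new SHA-2 and large-group options or is still negotiating sha1/md5 and group 2.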

Dan's blog is powered by blahgd