the three taps of doom

Jul 3, 2021
A few years ago, I worked as the CTO of an advertising startup. At first, we used Skype for messaging amongst the employees, and then later, we switched to Slack. The main reason for switching to Slack was that they had an IRC gateway – you could connect to a Slack workspace with an IRC client, which allowed the people who wanted to use IRC to do so, while providing a polished experience for those who were unfamiliar with IRC.

Bits relating to Alpine security initiatives in June

Jul 1, 2021
As usual, I have been hard at work on various security initiatives in Alpine the past month. Here is what I have been up to: Alpine 3.14 release and remediation efforts in general. Alpine 3.14.0 was released on June 15, with the lowest unpatched vulnerability count of any release in the past several years.

understanding thread stack sizes and how alpine is different

Jun 25, 2021
From time to time, somebody reports a bug to some project about their program crashing on Alpine. Usually, one of two things happens: the developer doesn’t care and doesn’t fix the issue, because it works under GNU/Linux, or the developer fixes their program to behave correctly only for the Alpine case, and it remains silently broken on other platforms.

the end of freenode

Jun 14, 2021
My first experience with IRC was in 1999. I was in middle school, and a friend of mine ordered a Slackware CD from Walnut Creek CDROM. This was Slackware 3.4, and contained the GNOME 1.x desktop environment on the disc, which came with the BitchX IRC client. At first, I didn’t really know what BitchX was; I just thought it was a cool program that displayed random ASCII art, and then tried to connect to various servers.

the vulnerability remediation lifecycle of Alpine containers

Jun 8, 2021
Anybody who has the responsibility of maintaining a cluster of systems knows about the vulnerability remediation lifecycle: vulnerabilities are discovered, disclosed to vendors, mitigated by vendors and then consumers deploy the mitigations as they update their systems. In the proprietary software world, the deployment phase is colloquially known as Patch Tuesday, because many vendors release patches on the second and fourth Tuesday of each month.

actually, BSD kqueue is a mountain of technical debt

Jun 6, 2021
A side effect of the whole freenode kerfluffle is that I’ve been looking at IRCD again. IRC is, of course, a very weird and interesting place, and the smaller community of people who run IRCDs are largely weirder and even more interesting. However, in that community of IRCD administrators there happen to be a few incorrect systems programming opinions that have been cargo culted around for years.

A slightly-delayed monthly status update

Jun 4, 2021
A few weeks ago, I announced the creation of a security response team for Alpine, of which I am presently the chair. Since then, the team has been fully chartered by both the previous Alpine core team, and the new Alpine council, and we have gotten a few members on board working on security issues in Alpine.

the whole freenode kerfluffle

May 20, 2021
But the thing is IRC has always been a glorious thing. The infra has always been sponsored by companies or people. But the great thing about IRC is you can always vote and let the networks and world know which you choose - by using /server. — Andrew Lee (rasengan), chairman of freenode limited

AlpineConf 2021 recap

May 18, 2021
Last weekend was AlpineConf, the first one ever. We held it as a virtual event, and over 700 participants came and went during the weekend. Although there were many things we learned up to and during the conference that could be improved, I think that the first AlpineConf was a great success!

using qemu-user emulation to reverse engineer binaries

May 5, 2021
QEMU is primarily known as the software which provides full system emulation under Linux’s KVM. Also, it can be used without KVM to do full emulation of machines from the hardware level up. Finally, there is qemu-user, which allows for emulation of individual programs. That’s what this blog post is about.