Author Archives: Mahmoud Al-Qudsi

SecureStore 0.100: KISS, git-versioned secrets management for rust

Posted on by Mahmoud Al-Qudsi
Reply

A few days ago, we published a new version of both the securestore library/crate and the ssclient CLI used to create, manage, and retrieve secrets from SecureStore vaults, an open and cross-language protocol for KISS secrets management. SecureStore vaults provide a more secure and far more reliable solution to storing secrets in environment variables and a simpler and less error prone alternative to network-based secrets management solutions, and make setting up development environments a breeze.

For some background, the SecureStore protocol (first published in 2017) is an open specification and cross-language library/frontend for securely storing encrypted secrets versioned in git, alongside your code. We have implementations available in rust (crate, cli) and for C#/.NET (api and cli, nuget) and the specification is purposely designed to be both easy-to-use and easy-to-port to other languages or frameworks.

This is the first update with (minor) breaking changes to the securestore public api, although pains have been taken to ensure that most common workflows won’t break. The changes are primarily to improve ergonomics when retrieving secrets from rust, and come with completely rewritten docs and READMEs (for the project, the lib, and the cli).

Continue reading

C# file size formatting library PrettySize 3.1 released

Posted on by Mahmoud Al-Qudsi
Reply

PrettySizeHot on the heels of an update to our rust port of PrettySize we have a new release of PrettySize.NET that brings new features and capabilities to the best .NET library for formatting file sizes for human-readable output and display.

PrettySize 3.1, available on GitHub and via Nuget, has just been released and contains a number of improvements and requested features and newfound abilities to make handling file sizes (and not just formatting them) easier and more enjoyable.

Continue reading

PrettySize 0.3 release and a weakness in rust’s type system

Posted on by Mahmoud Al-Qudsi
2

PrettySizeI’m happy to announce that a new version of size, the PrettySize.NET port for rust, has been released and includes a number of highly requested features and improvements.

The last major release of the size crate was 0.1.2, released in December of 2018. It was feature complete with regards to its original purpose: the (automatic) textual formatting of file sizes for human-readable printing/display purposes. It would automatically take a file size, pick the appropriate unit (KB, MB, GB, etc) to display the final result in, and choose a suitable precision for the floating numeric component. It had support for both base-10 (KB, MB, GB, etc) and base-2 (KiB, MiB, GiB, etc) types, and the user could choose between them as well as override how the unit was formatted. In short, it did one thing and did it right.

Continue reading

CVE-2022-23968: Xerox vulnerability allows unauthenticated users to remotely brick network printers (UPDATED)

Posted on by Mahmoud Al-Qudsi
Reply

In the world of network security, it pays to always remember that many (if not most!) security bugs start off their lives as seemingly innocuous “regular” bugs, and it’s only by diligently considering how aberrant behavior – say, incorrect results returned for particular inputs or a mere “stability issue” that turns out to actually be a use-after-free causing the observed crashes – could be abused by determined malicious actors that the underlying security implications become obvious. This has great benefits: for instance, it can be argued that it wasn’t until Microsoft started taking BSoDs that could be triggered by unprivileged users seriously, recognizing them for the open backdoors most of them were, that Windows actually became usably stable.

Of course, then there are the bugs that have such blatantly obvious security implications that it would be hard to qualify them as wolves in sheep’s clothing. Someone encountering such a bug, even if not particularly security-minded, would be forced to immediately recognize the risk they pose even if only because they have to deal with its consequences. This post is about such a security bug that I encountered in the same vein as many others in the past: simply trying to do something completely unrelated and running into a vulnerability that made the task at hand that much harder.

Continue reading

Microsoft bids adieu to Windows Phone in new emoji

Posted on by Mahmoud Al-Qudsi
2

Windows 11 is here and it comes with a new version of Segoe UI Emoji, the font that’s used across the OS to render various emoji from Unicode codepoint sequences to the emoji you see on screen (developers: use Unicode.NET for your emoji needs!). With it, a number of emoji icons have been upgraded to a new look: some to mirror the connotations and semantics of other emoji fonts, others to be less disparaging. But there’s a less welcome surprise too, for those four… maybe five? of us that still remember the ill-fated Windows Phone fondly.

Continue reading

Using SIMD acceleration in rust to create the world’s fastest tac

Posted on by Mahmoud Al-Qudsi
Reply

NeoSmart Technologies’ open source (MIT-licensed), cross-platform tac (written in rust) has been updated to version 2.0 (GitHub link). This is a major release with enormous performance improvements under-the-hood, primarily featuring handwritten SIMD acceleration of the core logic that allows it to process input up to three times faster than its GNU Coreutils counterpart. (For those that aren’t familiar with it, tac is a command-line utility to reverse the contents of a file.)

This release has been a long time in the making. I had the initial idea of utilizing vectorized instructions to speed up the core line ending search logic during the initial development of tac in 2017, but was put off by the complete lack of stabilized SIMD support in rust at the time. In 2019, after attempting to process a few log files – each of which were over 100 GiB – I decided to revisit the subject and implemented a proof-of-concept shortly thereafter… and that’s when things stalled for a number of reasons.

Continue reading

Regarding Twitter’s “new login from unknown device” alerts…

Posted on by Mahmoud Al-Qudsi
7

One nice thing that’s come about from the increased scrutiny that online security has been receiving is that it’s gone from being considered paranoid to becoming completely expected to be notified regarding incidents such as new logins, password changes, failed 2FA attempts, and other security-related activity. But any time a metric gets noticed, it also gets gamified and either decreases in value or ceases to be relevant altogether – a principal first documented by British economist Charles Goodhart and now known as Goodhart’s Law and demonstrated in this wonderful Sketch Plantations depiction:

Continue reading

AsyncLock 3.0 for .NET 5.0 Released

Posted on by Mahmoud Al-Qudsi
2

An updated version of AsyncLock has just been released on GitHub and Nuget with improved support for reentrancy detection.

AsyncLock is a async/await-native anonymous lock for .NET and .NET Core that allows safely using async/await while holding a lock, for example:

Continue reading

Multi-touch gestures with native touchpad drivers on Linux

Posted on by Mahmoud Al-Qudsi
5

Perhaps one of the biggest difficulties in setting up a Linux system for desktop/home use is the fragmentation of the ecosystem, with many different options claiming to get you from point a to somewhere in the vicinity of point b, each with their subtle differences (and at least a few “gotchas” along the way). An easy example: in 2020, you’d think there would be an easy answer to getting a trackpad/touchpad up and running with support for multi-touch gestures at least on par with the experience on Windows and macOS – after all, it’s been 12 years since Apple made multi-touch popular with 2008 MacBook Air.

Continue reading

Scripting in rust with self-interpreting source code

Posted on by Mahmoud Al-Qudsi
11

I have a soft spot in my heart for rust and a passionate distrust (that has slowly turned into hatred) for interpreted, loosely typed languages, but it’s hard to deny the convenience of being able to bang out a bash script you can literally just write and run without having to deal with the edit-compile-run loop, let alone create a new project, worry about whether or not you’re going to check it into version control, and everything else that somehow tends to go hand-in-hand with modern strongly typed languages.

A nifty but scarcely known rust feature is that the language parser will ignore a shebang at the start of the source code file, meaning you can install an interpreter that will compile and run your rust code when you execute the .rs file – without losing the ability to compile it normally. cargo-script is one such interpreter, meaning you can cargo install cargo-script then execute your source code (after making it executable, :! chmod +x %) with something like this:

Continue reading