Mechanical Advantage

New rims¹ on my little bug-eyed baby, because one of those that came with it was bent (not noticeable to the naked eye—I only found out when I went to have them rebalanced). I also removed the spacers that a previous owner had mounted on the rear wheels. This made a world of difference. The ride is much smoother, and the car now absorbs bumps and potholes firmly instead of crashing over them.

This is basic physics. Spacers increase the mechanical advantage of the wishbone² and necessitate upgraded springs and shocks, whereas this car came fitted with aftermarket shortened springs and adjustable shocks which seem to be set to the firmest setting (I can’t easily check because the adjustment knobs are missing). I also think lateral stability improved a bit, but I’m still not entirely satisfied. However, I’ve already blown over £1,000³ on parts, so new tires will have to wait.

I also replaced the PCV valve and grommet in the hopes that it would ameliorate the idle speed issues, but it didn’t. I will probably have to refurbish the ISC valve and / or the air valve; my guess is that some of the moving parts in the air valve stick when cold. The new PCV valve and grommet should however stop aerosolized engine oil from spraying all over the camshaft cover and inlet manifold.

Next project for a rainy day: clean and polish the camshaft cover and replace the leaky gasket.

These are the downsides to buying a 22-year-old sports car whose previous owners thought they knew what they were doing…

¹ Martins Image Arctis 7″×16″; it’s hard to find sporty rims in that dimension. I have a set of the relatively rare love-’em-or-hate-’em stock Mazda 14″ “daisy wheel” rims, but they need sanding and respraying, and the hubcaps are missing. I might just PlastiDip them for now and use them for snow tires.

² A double wishbone suspension is not a classical example of lever and fulcrum, because the effort (weight of the car on the wheel) and resistance (spring) are on the same side of the fulcrum (inboard end of the wishbone). However, the principle and the equations are the same.

³ I get most of my parts from the UK, which apparently has a *huge* market for new and used MX-5 parts.


UPDATE 2014-10-14 23:40 UTC The details have been published: meet the SSL POODLE attack.

UPDATE 2014-10-15 11:15 UTC Simpler server test method, corrected info about browsers

UPDATE 2014-10-15 16:00 UTC More information about client testing

El Reg posted an article earlier today about a purported flaw in SSL 3.0 which may or may not be real, but it’s been a bad year for SSL, we’re all on edge, and we’d rather be safe than sorry. So let’s take it at face value and see what we can do to protect ourselves. If nothing else, it will force us to inspect our systems and make conscious decisions about their configuration instead of trusting the default settings. What can we do?

The answer is simple: there is no reason to support SSL 3.0 these days. TLS 1.0 is fifteen years old and supported by every browser that matters and over 99% of websites. TLS 1.1 and TLS 1.2 are eight and six years old, respectively, and are supported by the latest versions of all major browsers (except for Safari on Mac OS X 10.8 or older), but are not as widely supported on the server side. So let’s disable SSL 2.0 and 3.0 and make sure that TLS 1.0, 1.1 and 1.2 are enabled.

What to do next

Test your server

The Qualys SSL Labs SSL Server Test analyzes a server and calculates a score based on the list of supported protocols and algorithms, the strength and validity of the server certificate, which mitigation techniques are implemented, and many other factors. It takes a while, but is well worth it. Anything less than a B is a disgrace.

If you’re in a hurry, the following command will attempt to connect to your server using SSL 2.0 or 3.0:

:|openssl s_client -ssl3 -connect

If the last line it prints is DONE, you have work to do.

Fix your server

Disable SSL 2.0 and 3.0 and enable TLS 1.0, 1.1 and 1.2 and forward secrecy (ephemeral Diffie-Hellman).

For Apache users, the following line goes a long way:

SSLProtocol ALL -SSLv3 -SSLv2

It disables SSL 2.0 and 3.0, but does not modify the algorithm preference list, so your server may still prefer older, weaker ciphers and hashes over more recent, stronger ones. Nor does it enable Forward Secrecy.

The Mozilla wiki has an excellent guide for the most widely used web servers and proxies.

Test your client

The Poodle Test website will show you a picture of a poodle if your browser is vulnerable and a terrier otherwise. It is the easiest, quickest way I know of to test your client.

Qualys SSL Labs also have an SSL Client Test which does much the same for your client as the SSL Server Test does for your server; unfortunately, it is not able to reliably determine whether your browser supports SSL 3.0.

Fix your client

On Windows, use the Advanced tab in the Internet Properties dialog (confusingly not searchable by that name, search for “internet options” or “proxy server” instead) to disable SSL 2.0 and 3.0 for all browsers.

On Linux and BSD:

  • Firefox: open and set security.tls.version.min to 1. You can force this setting for all users by adding lockPref("security.tls.version.min", 1); to your system-wide Mozilla configuration file. Support for SSL 3.0 will be removed in the next release.

  • Chrome: open and select “show advanced settings”. There should be an HTTP/SSL section which lets you disable SSL 3.0 is apparently no way to disable SSL 3.0. Support for SSL 3.0 will be removed in the next release.

I do not have any information about Safari and Opera. Please comment (or email me) if you know how to disable SSL 3.0 in these browsers.

Good luck, and stay safe.

DNS improvements in FreeBSD 11

Erwin Lansing just posted a summary of the DNS session at the FreeBSD DevSummit that was held in conjunction with BSDCan 2014 in May. It gives a good overview of the current state of affairs, including known bugs and plans for the future.

I’ve been working on some of these issues recently (in between $dayjob and other projects). I fixed two issues in the last 48 hours, and am working on two more.

Continue reading “DNS improvements in FreeBSD 11” »

I can’t stop thinking

I’m borrowing a line from Scott McCloud because it’s been stuck in my head since the day I first heard it (or rather read it) way back in 2000, and sometimes it really resonates with me for a completely different reason.

This weekend has been very productive (and satisfying) but also very tiring. I went to bed expecting to sleep soundly, although I often have trouble falling asleep on Sundays.¹ I nodded off two or three times over my Kindle before putting it away and lying down. I promptly fell asleep and had some very disturbing² dreams before waking up again, barely fifteen or twenty minutes later. Then I started thinking.

And I can’t stop thinking.

You’ve probably read that many great artists are or were bipolar. I don’t claim to be a great artist, but greatness (in any field of endeavor) requires drive, dedication, obsession even, and I understand where they get that drive. Imagine that you wake up in the middle of the night—or a sudden spell comes over you during the day—and you find yourself getting increasingly restless and agitated and your thoughts are running away from you and you are overcome with the urge to translate those thoughts into words, or code, or chords, or colors, or anything and just keep going until they’re purged from your brain and you can stand up and scream


and sometimes the moment passes before you’re even halfway done and you sink, and sink, and sink and you stare at the unfinished work and it stares back and mocks you because who are you to think you could ever build this?

So in the hour that passed between waking up and giving up trying to sleep, I mentally designed a wiki-style markup syntax⁴ and a Perl implementation complete with parsing strategy, class hierarchy and a plugin system for custom output formats. Then I got up and started installing that liquid cooler I bought for my desktop three months ago but never got around to installing, only to discover that the heat sink has leaked into its wrapper, so I reassembled the computer and hang it from a rail under my desk using that bracket I bought two months ago but never got around to installing.⁵ And I pretty much wrote this blog post in my head while I was disassembling and reassembling my computer.

I can’t stop thinking.

And this is what I’m like when I’m on meds that work. It used to be much, much worse. I don’t cycle as rapidly as I used to, and I never go as far up or down as I used to. So these days I mostly manage to finish what I start, unless I hit a serious obstacle and don’t have an outside factor to push me onward, and I’m much better at prioritizing and at not taking on (too) much more than I can handle.

Maybe this is why creative people tend to have cats rather than dogs. Cats don’t care if you’re batshit crazy.

Relevant (if you read Norwegian): Jaja, det er vel på tide å legge kukken på bordet igjen

¹ Even when on vacation, so it’s not work-related.
² Yes, that’s a euphemism for “explicit”³
³ I know, I know, “explicit” is also a euphemism.
⁴ which is idiotic because there are already so many to choose from, yet not completely idiotic because most of them are crap and those that aren’t have no decent Perl implementations, or are implemented as part of a complete wiki application which is not what I need so shut up.
⁵ I have ridiculously expensive brand-name office furniture in my home office. Considering how much time K and I spend in there, it’s worth every penny.

On petroleum and the cost of higher education

I came across this Google+ post by Pierre Bonhomme via a fellow FreeBSD user who is currently a researcher at the University of Oslo. The gist of it is that Norway is a land of milk and honey with free higher education for all and sundry, financed by our bottomless oil and gas reserves.

This is, in fact, a collection of mostly factual statements arranged in such a way as to lead the reader to incorrect conclusions in furtherance of the author’s agenda (opposition to the introduction / increase of tuition fees in Canada), buttressed by an impressive collection of links which the author fervently hopes the reader will not bother to follow, because they do not support his message.

Allow me to rebut a few of his points.

Continue reading “On petroleum and the cost of higher education” »