August 2008 Archives

2008-08-24 02:33:13

"You have 0 optimism points"

Just for fun, I recently participated in some personality evaluation test. And as expected, the most remarkable thing the tool constanted was pessimism. Since Thomas ”maximus“ Deutsch recently wrote about his opinion on his attitude, which also included pessimism, I got the idea that there is actually a difference between pessimism and pessimism.

Destructive Pessimism

Most people know the destructive pessimism very well. Even the most cheerful people usually had a phase of depression at least during their puberty. In destructive pessimism, people stop believing in the sense of their life, their actions and everything surrounding them. As a consequence, these people find it useless to act at all.

The cognitive aspect is also very discouraging. Destructive pessimists don't perceive positive developments and events at all. Maybe they became too ordinary to be perceived, but in any case these people act like they never happened. Bad events however are perceived as an affirmation and frustration.

Constructive Pessimism

Constructive pessimism however, the type of pessimism I tend to adhere to, does not have the expectation of everything to fail. The pessimistic assumptions in constructive pessimism are way more moderate:

  • You cannot expect other people to do work. They most likely won't. They will overestimate their capacity and capability or never get to the job in the first place.
  • If something can fail, it will. This is basically a moderate version of murphyism. However, this principle leads to concepts like redundancy, thus it is an important part of the philosophy of engineers.
  • Too few people make bad decisions. Individuals tend to oversee aspects, so consulting an adequate number of people is always a nice idea. Too many people however tend to have problems comunicating.

… and many more, but you get the idea. So the general rule is to have low expectations, as opposed to expecting failure.

Other than the destructive pessimist who drowns in lethargy, constructive pessimsts draw their energy from their pessimism. The conclusion from the above assumptions is that it is best to do the job on one's own, and that one should verify every single component for proper operation. This principle is reflected for example in the rules of Extreme Programming.

The differences are also very serious in the cognitive dimension. If a constructive pessimist perceives failure, it was what he expected, so it does not come as a deception. He prepared for the failure, in fact. If, however, he succeeds, then he is very positively surprised and perceives the success as such. Thus, disappointing a constructive pessimist is close to impossible, while the world is indeed full of positive surprises for them.

As a conclusion it may be repeated that there are indeed different types of pessimism, and that not all of them necessarily lead to apathy. Indeed, pessimism can be quite inspiring.

Posted by Tonnerre Lombard | Permanent link | File under: general, chaos

2008-08-24 02:01:08

New rt for pkgsrc!

After a request from Dan, I upgraded rt to the new version 3.8, and was slightly surprised. Apart from the new interface which finally looks like the MacOS 10 user interface, just like all web applications attempt to these days, and the rich text mail editor — a feature I am hoping never to see in action — it also features a whole new set of user configuration options, and, even better, PGP support.

Also improved is the SPAM filtering support. It is no longer necessary now to prefix rt-mailgate with procmail. Usability is also massively improved, the menu is now on the left again rather than on the top. Only submenus open on top. The annoying thing is though that in menus of a certain depth, the menu bar jumps between top and left for the same menu since the top bar only ever shows the topmost level.

People who are afraid of wearing glasses can now also configure font sizes at will.

So it is time to congratulate Best Practical to their new release, and to look forward to deploying the new PGP feature.

Posted by Tonnerre Lombard | Permanent link | File under: security, news

2008-08-23 19:23:26

OpenBSD CVSweb or how not to fix XSS

A while ago, a Cross Site Scripting (XSS) vulnerability had been found in CVSweb, as used by the OpenBSD Project.

XSS basics

Now, the name Cross Site Scripting may potentially be very misleading. In fact the problem is that you can insert arbitrary HTML code into the web site. This also means you can fake information displayed in the site; thanks to CSS and related tricks, no JavaScript is required for this anymore. The term Cross Site Scripting actually comes from the one possible scenario where JavaScript code is injected into the web site which can do arbitrary things, even send requests back to the web server of an attacker, e.g. with the password from some login page.

However, this is just one possible scenario. In any case, fake information can be injected into the web site to make it appear as something different.

The correct fix is of course to encode user input properly before displaying it on the web site, just like it's done with user input meant to be used in SQL statements (in SQL injection attacks, this is not done properly). Normally, languages used to design web applications already provide means to encode user input for use in web sites; for example, Perl has encode_entities() in the HTML::Parser package.

(For more information on Cross Site Scripting, please refer to my lecture about common security problems at the Chaos Communication Congress

OpenBSD's fix

Rather than to encode the input in question properly and to verify its validity, the OpenBSD people decided to go a very unconventional (and useless) way in fixing the problem. A JavaScript was added to the web site redirecting to a web site stating that JavaScript sucks. This web site goes on to state:

Javascript Just Sucks

CVSweb takes input to a cgi script to show you source code, which it sanitizes to protect itself. It doesn't care how insecure your web browser is.

Nothing on cares about Cross Site Scripting, since we don't use cookies or any form of authentication. However since your web browser will accept script calls in a url that some idiot could send you URL with a script embedded in it to make your browser go somewhere else from a url that starts with Somehow the XSS wankers feel this affects's street cred. Mystifying to me, since if you decide to visit this site with a web browser that does rm -rf / every time your browser sees the word "elephant" - well you just got pwned too.. The problem is your browser.

Of course to remove all special chars in input fields for cvsweb means you can't look for interesting stuff in code. So, someday I might take the time to try to do that, without making cvsweb useless. In the meantime, just turn off javascript when visiting this site, use a browser that doesn't support it, or use the firefox noscript extension and you'll see cvsweb just fine, once you revisit it at

The claim that the problem is only in the browser is of course entirely wrong. The web site contains additional information which is not supposed to be there, and the browser cannot tell the difference between wanted and unwanted content. If the input is not properly sanitized, this of course means that the browser will interprete it wrong.

If, for example, you visit the above link with JavaScript disabled, you will still see the headline ”Only 2 Remote bugs“ which clearly does not belong there. The fix is not working.

Posted by Tonnerre Lombard | Permanent link | File under: security, programming