“News and updates”
The latest news and website updates here at Exotic Silicon
New article published
Implementing a self-managed, dual-stacked VPN.
Today we're showing you how to use iked to tunnel both IPv4 and IPv6 to a remote server for a self-managed VPN. We're doing all this with utilities from the OpenBSD base system so the setup is nice and sleek, completely avoiding the need to install countless programs from ports.
Not only that, but we'll also show you how to isolate the VPN traffic in its own routing domain so it can be used only when required, (or if you're really clever like us, you can even configure more than one simultaneously).
Of course, the setup supports inbound connections too, so you can run servers from diverse physical locations whilst using the inbound address space and connectivity of the datacenter. Stuck without IPv6 or inbound connectivity at home? Not anymore!
All this excitement and even more is right here waiting for you in setting up an IPv6 capable VPN. Read it today!
“VPNs, IPv6, routing domains and IPSEC!”
New article published
SMS functionality alongside bridged data on the RUT-240.
When Jay kindly showed us how to bridge a 4G LTE data connection to our OpenBSD machines last year, we noted that the RUT-240 is capable of a lot more than just acting as a gateway to the WAN. Some of this useful functionality remains accessible even though the device is in bridge mode.
The main topic of today's write-up is SMS, both sending and receiving text messages from the same machine that it's bridged to for IP data connectivity.
“Texting is fun...”
New article published
Optical boot discs for modern X86 machines? Let's look at how that works.
Boot code on media that can't be modified or overwritten has always been pretty useful, and of course there are plenty of pre-prepared disc images available that you can write to a suitable disc.
However, if you want to prepare your own bootable disc image and have it work reliably across different machines then there are some things to watch out for.
Today, Crystal shows us where to shove our boot code and which bits to twiddle for the best results. Grab the article here.
“Putting the boot in the right places...”
New article published
Want to improve UTF-8 handling in your programs? Of course you do!
That's why you absolutely shouldn't miss today's mega-tutorial by Crystal. She's like a magnet for bad UTF-8 decoders, pulling them in to her inner being, poking around their intricate workings, and, well, doing something to make them better! [err, that's just regular debugging of C code - Crystal].
Point is, she knows a thing or two about UTF-8 parsing, and now you can learn from her expertise and churn out code that not only works, but does all sorts of cool error checking, quick stream validation, and even decodes the data in reverse.
As always you can read it on the website or peruse the gemtext version if gemini is more your thing.
“Decoding UTF-8 backwards, because she can...”
New article published
Re-implementing the greylisting feature of spamd - as a filter for OpenSMTPD!
That's what Jay Eptinxa has been up to recently, and if you want to see how it's done - in under 1000 lines of pure C code - then you'll have plenty of fun reading his latest programming tutorial.
Even if the thought of learning the API doesn't fill you with excitement and anticipation, all is not lost! How about we tell you that the filter not only brings the simplicity of no longer having to interface with the firewall, but it also works with IPv6 connections too?
Non-programmers who are eager to try it out can find download links and a cheat sheet at the end of the page. Have fun!
“Getting rejected never felt so good!”
New article published
As regular visitors to our research site here at Exotic Silicon will likely be aware, when spending time in Crystal's presence one thing often leads to another, [what exactly is that supposed to mean? - Crystal], and this latest article is no exception.
We start by discussing tactile terminals, and how we might support them on the OpenBSD console. This involves some kernel patching, and sending signals to a userland process. Not satisfied with this, she decides to emulate some console devices present in Linux, before changing direction and inventing her own. Part way in to this she discovers yet another unwelcome bug in the OpenBSD console code.
It's quite a journey. So head over to feel my pins, but don't exploit me, and check out the full write-up.
“Feel my pins, but don't exploit me...”
Update on CVE-2023-31728
The vulnerability we discovered in the RUT-240 last month has been assigned CVE-2023-31728.
This was fixed in firmware 07.04.2 which has been available since 20230418, but we waited to publish a follow-up until we'd tested the new firmware on our production systems for a few weeks and also received the CVE ID.
In the meantime, firmware 07.04.3 has been released, which amongst other things adds support for using ecdsa and ed25519 keys to authenticate to the built-in ssh server. The lack of this support was one of the few negative points we highlighted in the original review, so it's a pleasant surprise to see it added.
If you own one of these devices you'll probably just want to grab the latest firmware and get it updated. Don't forget to remove any extra firewall rules that were added as a work-around.
“It's officially fixed...”
Patchset updated
Have you been enjoying 256 colors and various extra text attributes on your framebuffer console thanks to our patches published earlier in the year?
Maybe you've even done some screenshots of it all with our console screendump code?
Well, whether you've already tried these console enhancements or not, a new version of the patchset is now available that applies to OpenBSD 7.3!
So head over to the console enhancement patchset page, where you can read all about it and of course grab the download.
“Fun console enhancements for OpenBSD 7.3!”
New article published
It's pretty useful to have 4G cellular data as a backup to the regular office fibre broadband. The trouble is, NAT and other tricks played by consumer routers don't make it easy piping the connection in to an existing network that's based on OpenBSD machines.
What we really need is an LTE - Ethernet bridge, and luckily such devices do exist. One of them, or more accurately a device which can be used in this fashion, is the RUT-240.
Jay set out to write an article combining a mini review of this convenient little router, and a step by step walk-through of how to set it up.
In the process, he discovered that in certain cases it was possible to access its ssh service and built-in webserver remotely even when they were configured for local access only. Oops.
But don't worry, we have workarounds. And even if you already have one of these devices deployed, it's not likely that you are using it in a configuration that's vulnerable. Nevertheless, we suggest that you read the article for more information.
“Write an article, and find a security bug in the process...”
New article published
New people discover Exotic Silicon all the time, and that's great.
But whenever something we publish reaches a new audience, we inevitably see naïve and often uneducated comments posted on forums and social media channels regarding our webpage design. Such is the price for being ahead of the curve, innovating, and having the guts to apply fresh new ideas to a real world website.
The thing is, there are a lot of broken browsers out there! Our CSS is expertly crafted by people who know the standards inside out, and we know that our loyal fans love it. But if somebody's system doesn't comply and renders our pages as neatly as Crystal's desk on a Monday morning, [hey, what!? - Crystal], we can see why they might mistakenly blame us. Ah, sweet summer child, you have much still to learn.
So start by reading our replies to various comments, and if you already knew all of this stuff, then have a good laugh on us this weekend.
“Replying to {rude,tedious,sarcastic} comments...”
New article published
Finding bugs whilst reviewing other people's code is nothing new for us here at Exotic Silicon.
But when we started to investigate why UTF-8 decoding didn't work properly on the OpenBSD console, the awful programming mistakes we quickly discovered surprised even us.
Programmers, let's remind ourselves of how important it is to get the basics right, with a detailed write-up of our latest debugging session.
And if you're new to this, or not even a C programmer, please still come along for the ride. These are pretty trivial errors we're discussing.
“Learning from others' mistakes...”
New article published
Exploring the murky depths of /dev/null has been the subject of many a joke in the IT industry over the years. After all, what is there to find in a device that returns no data?
But do you know how /dev/null and its friend /dev/zero are actually implemented? Ah, now that's interesting.
This weekend you can see how to add a shiny new device - /dev/fill - to the OpenBSD kernel, not to be confused with /dev/full that other systems have but OpenBSD is currently lacking. Come to think of it, let's add that too!
All in this weekend's look at memory special devices.
“Something useful in the bit bucket...”
New article published
The eject command on OpenBSD has a feature to re-load ejected media using the -t flag.
But it doesn't work with removable disk devices such as USB flash drives.
Let's look at how eject is implemented in the first place, and see what we need to do to add this re-loading functionality to the kernel in today's mini-explainer.
“Whip it in and whip it out!”
New patchset
Have you ever been busy working at the console on OpenBSD and felt the need to produce a screenshot, only to realise moments later that unlike when you're running the X window system, there was no way to create one?
Maybe you've even wondered what programming would be required to implement such a feature. Well, now you can find out!
Our latest in-depth write up covers adding new ioctls to the kernel, and a general poke around the wscons and rasops code. Of course, you can just download the pre-written patches too, if kernel programming isn't your thing.
“Screen dumps, not core dumps!”
Code added to CVS
Since late yesterday, the NetBSD CVS now also includes a version of our code to add the same five terminal control sequences that we recently added support for to OpenBSD.
If you track NetBSD-current, you should get the new code next time you do a cvs update. It's also in the latest daily snapshot build.
“From proposal to commitment in 53 hours!”
Patchset updated
We've had a lot of enquiries and positive feedback regarding our console enhancement patchset for OpenBSD.
Based on what we're hearing, one feature that people would particularly like to see is italic text.
Well, the wait is, (almost), over!
We asked Crystal to work on this, and she's just finished a separate mini-patch to implement exactly that, (along with the bold font code as well, so you can do bold and italic together).
“Stand up straight, or lean to the side!”
Code added to CVS
The code that Crystal demonstrated at the beginning of the month to add five escape sequences to the wscons terminal emulator is now in the -current branch of the OpenBSD CVS.
As if that wasn't enough, she's also contributed patches to remove the unused rasops_isgray lookup table, fixed a couple of off-by-ones, and added support to directly select the eight 'bright' colors, all of which is now already in -current. In fact, the off-by-one bugfixes have also been submitted to NetBSD and accepted there too!
And yet this still isn't the sum total of Crystal's work so far, because she's also floated a patch to add 256 color support, tidy up the rasops code to avoid some un-necessary bit-shifting, and display bold text as actually bold rather than just a brighter color. This hasn't landed in -current yet, so if you want these enhancements you'll need to apply the patches yourself and re-compile the kernel. If you're interested, drop Crystal an email and let her know what version you're running, and we'll keep nudging her until she sends you a suitable diff.
“A better console experience for everybody!”
New article published
Happy new year!
We're getting off to an early start here at Exotic Silicon, with a write-up about some work Crystal has been doing to make the framebuffer console on OpenBSD behave a bit more like xterm.
Wondering why this is a good thing? You can find all of the details in the article.
Don't forget to check back here regularly for the latest updates from Exotic Silicon's research department throughout the year, and if you haven't already bookmarked our commercial services pages, now would be a good opportunity!
“New year, new terminal emulation...”
New article published
As the year draws to a close, we're busy doing our annual data archiving and expect you are too.
Except that judging by the amount of feedback we've had since Crystal published her article back in September about using optical discs on OpenBSD systems, it seems like a lot of you don't have a proper backup strategy in place at all!
Since we've been asked repeatedly for a practical guide to actual backup strategies rather than just writing the discs, we've cut short Jay's winter leave and asked him to produce an overview of the policies we use ourselves and how they can be applied more generally. Enjoy!
“How much is your data worth?”
Patchset updated
We've received a few emails asking us when we're going to update the candlelit console patchset for OpenBSD 7.2.
Actually, the patchset for OpenBSD 7.1 applies just fine to an OpenBSD 7.2 installation so we didn't bother to release an update to it.
However, it seems that a few of you were concerned about the offset reported by the patch utility as kern_sysctl.c has changed between the two versions, so we've prepared a new patchset that applies cleanly to OpenBSD 7.2. There is no functional change.
“The old version worked fine, but...”
New article published
Ahhh, optical discs for data storage... That's so 1990s, right?
Well, actually no. Here at Exotic Silicon we're big users of optical for archival storage, and have been for as long as we can remember.
Now, Crystal's kindly taken some time out to show you a few neat tricks and techniques for recording BD-R media on BSD systems.
“Data safe and sound on WORM discs…”
New article published
Since we published Jay's article about SMTP over IPSEC tunnels last November, we've been asked from time to time if the same thing could be accomplished using wireguard instead of IPSEC.
The good news is, yes, it can! And initial tests suggest that it works quite well. So if the thought of learning about IPSEC made you cringe seven months ago, head on over to our newly published SMTP via wireguard tunnels article and see if that feels more accessible.
“It works right out of the box… Almost.”
Bug fix committed
A patch that Crystal proposed to fix a bug in the OpenBSD console screen blanker code last month has been accepted and committed to CVS.
With this simple but useful fix, the screen blanker can be disabled again after being enabled. From reading the original code and CVS history, it seems that the bug has been present since the screen blanking code was added back in 2001.
“Bug from 21 years ago found and fixed…”
New article published
We included a short piece of X86 assembler in our recent Candlelit Console patchset, mainly as an example of how the C compiler doesn't always output the most optimal code and how it can be tweaked.
We didn't really think much of it at the time, since we work with assembler on various platforms on a regular basis, but inquisitive readers seem to have taken an interest and in some cases even expressed doubt as to whether the optimisation was really effective.
Oh, really? You think we're just making it up? You think that the C compiler knows better than we do? Ha! Let's have some fun doing some benchmarks...
Benchmarking Bitshifts - ASM vs C
“We're not making it up!”
Gemini server certificate replaced
A number of people have been in touch to tell us that the certificate on our gemini server had expired.
Thanks for the feedback, but actually we were aware of this and deliberately did not update it immediately:
The way gemini checks certificates is different to a web browser. Gemini generally uses trust on first use, (TOFU), and the specification actually recommends this, (in section 4.2), as well as suggesting that self-signed certificates are at least considered equal to CA signed certificates in terms of level of trust.
When we set it up, we ignored this advice and used a ‘real’ CA certificate which expired after 90 days.
Unfortunately all of the users who had used the gemini server up to that point now had that certificate trusted, and if we change it then when those users visit the site again their browser will typically show a warning because the certificate has changed, (even if the new certificate is also a valid CA signed certificate).
So we deliberately left the expired certificate, because we wanted to see whether new users who had not visited the site before would see errors or whether their browsers would just accept the expired certificate as valid, i.e. we wanted to see how gemini browsers are implementing TOFU in the real world, (which, as a research organisation, is typical of the sort of thing we focus on).
But enough already... We'll change it to a self-signed one, so expect to be prompted to accept a new certificate when you next visit.
Thanks again for all the feedback we received about this! It's nice to see more people using the gemini server.
“We already knew, but thanks anyway…”
New kernel patchset published
Wouldn't it be nice to have some warmer hues on the OpenBSD framebuffer console for those command line sessions that last throughout the night and into the early hours of the morning?
Whilst we're at it, we could add a whole set of alternative palettes, and a new sysctl to select between them, and on top of that, why not implement the dim attribute, strikethrough, and double underlining? All this on the console!? Yep!
What's more, Exotic Silicon isn't just providing a patch, oh no, our research team will take you step by step through how the code was written, too.
Head on over to the candlelit console page, which as always is also available via our gemini server if plain text articles are your preference.
“Console at night? Keep the screen less bright!”
New utility published
Re-sizing softraid crypto volumes on OpenBSD just got a lot easier!
Crystal spent a few days doing it manually with a hex editor, writing a utility to automate the task, finding and fixing a kernel bug, and then finally topping it all off by doing a comprehensive write up of the whole thing!
Visit the resizing softraid volumes page, which is, of course, available via gemini as well as https.
“Size matters”
New ten-part series starts today
The first part of our new weekly series of technical articles, ‘a reckless guide to OpenBSD’ has been published today. Each week, our trusty Jay Eptinxa will walk curious readers through some interesting and sometimes little discussed aspects of this system, such as compiling a custom kernel, and modifying the kernel code itself.
We chose the name ‘reckless guide’ as it covers lots of things that are not encouraged by the project's official documentation. Have fun!
Visit the reckless guide index page on our website, (available in ten themes), or for those who prefer the retro feel the content is also on our gemini server.
“Don't do that! Well, OK, since it's fun…”
New gemini server on-line
We've put our new gemini server online at gemini://gemini.exoticsilicon.com/.
Currently it contains gemtext versions of most of the website articles on research.exoticsilicon.com, so you can enjoy our content in an even lower bandwidth format.
For those readers who are not familiar with the gemini protocol, it's somewhat like a modern version of gopher. If you're not familiar with the gopher protocol, you've probably not been in the IT industry as long as we have!
“Back in the good old days…”
Happy new year!
Welcome to 2022!
We've got lots planned for this year, and hope that you'll be following along with our research and development here at Exotic Silicon.
“Another year begins!”
Technical write-up
Whilst many people were at home relaxing over the holiday period, Crystal was busy wielding a soldering iron, then using some interesting trickery to get OpenBSD installed and running on a Pinephone.
We're still not entirely sure why.
“BSD in your pocket!”
New guide published
Jay has been busy writing up some notes about running inbound and outbound SMTP over an IPSEC tunnel.
If you want to run your own SMTP server, but are stuck with a dynamic IP address, check it out for ideas and inspiration.
“SMTP for everyone, static IP or not!”
Upgrades completed - welcome back!
After a much longer than expected hiatus, Exotic Silicon is now fully operational again.
What started out as a simple server move turned into something much larger, as we took advantage of the opportunity to do a complete overhaul of our infrastructure. All of our on-line services have now been moved to new servers, in a different datacenter. The back-end website code has been mostly re-written from scratch, for even better performance, and it's now running on a different operating system. We've even re-organised our office space and upgraded the air-conditioning, so we're nice and comfortable with high expectations for the future.
More things have changed than have stayed the same, but rest assured that if you enjoyed Exotic Silicon before, we're confident that you'll be even happier now!
Most of the old website content has either been updated or removed completely, but we've already got plenty of new material on-line that we created during the break, and there is more in the works, so stay tuned and check back regularly for updates.
“Rebooted - and better for it!”