Aivoituksia

Choices reveal preferences

2026-04-18T00:00:00+03:00

Language choices doubly so

The language used in financial markets is fascinating. Everything is about taking or making bets.

If you take bets on how companies will do in the future, that's finance.

If you take bets on sports, that's gambling.

If you take bets on human misery, that's insurance.

CARDS ON THE TABLE

I used to work for a sports betting exchange. Or as the industry prefers to be known, a prediction market.

Cyclops

2026-03-22T00:00:00+02:00

CycloneDX SBOM indexer

Cyclops is a tool to ingest, index and search through CycloneDX SBOMs. Point it to a directory containing CycloneDX files (and optionally an S3 bucket path) - it will index the files and makes them searchable through a simple command line interface.

Database engine is SQLite, for two reasons:

No need to set up external DB for what should be a simple, local only tool
The driver used exports a database/sql interface, so it should be reasonably low effort to port the tool to use a dedicated, separate database instance. Should the need arise.

Cyclops is licensed under AGPL.

Download: cyclops.tar.xz (~40kB)

Git: git clone https://bostik.iki.fi/src/cyclops.git

Examples

List ingested SBOM types

cyclops -J

List detected packaging ecosystems, number of packages

cyclops -E

Ingest SBOMs

cyclops -d /path/to/somewhere/with/sboms/

Download SBOMs from S3 in addition to ingesting them

cyclops \
    -d /path/to/somewhere/with/sboms/ \  # becomes download path 
    --s3-get \
    --s3-bucket <BUCKET NAME> \
    --s3-prefix <OBJECT PATH PREFIX> \
    [--s3-max-days <MAX OBJECT AGE>] \
    [--s3-max-dl-batch <PARALLEL DOWNLOAD BATCH SIZE>]

List known packages, their ecosystems, how many found

cyclops -P

List known packages, how many found for a single ecosystem

cyclops -P -p <ECOSYSTEM>

List indexed SBOMs

cyclops -L

List indexed SBOMs for a specific type only

cyclops -L -j <SBOM TYPE>

Search for dependencies by a partial detection path match

cyclops -S <PATH MATCH>

Search for packages whose names include 'foo'

cyclops -m foo

Search for any number of known package names

cyclops -n pkg1 pkg2 pkg3 [...] pkgN

Special case for eg. Sha1-Hulud investigation ("do I have any of these infected packages anywhere in my stack?"):

cut -d ',' -f1 /path/to/downloaded/sha1-hulud.csv \
    | xargs cyclops -n

Various options can be usually combined to list or search through dependencies only for a given SBOM type and/or a specific packaging ecosystem.

Why?

I have had a persistent problem at $work. We generate and publish SBOMs but the only external use I've seen for them is to feed them to context-free vulnerability "scanner" software.

Cyclops began as a personal tool to make searching for detection paths and dependency bloat easier. The data in SBOMs, especially in aggregate, is far more valuable as a supply chain analytics material and I wanted to see if I could make this use case more accessible.

The tool has been written entirely outside of work, though. I had a problem, some spare time and needed a creative outlet.

Why AGPL?

I wanted to explicitly discourage anyone from picking up a tool I wrote for terminal investigations and turning it into a hosted SaaS.

NOTE: the DB schema file is intentionally licensed under CC0; I wanted it to be clear that any data you have stored in Cyclops's database is always yours. If you want to interact with it for eg. analytics purposes, you are free to write tools of your choice to generate reports from data held in the SQLite file. As long as these tools do not use the code from the rest of Cyclops, they will remain unaffected by the project's chosen license.

Miscellania

Cyclops was first presented at DC4420.

The name is a homage to CycloneDX project and a play on the far too common myopic practice of using SBOMs as a fancy input to whatever vulnerability scanner[TM] happens to be available.

Supports generating a Zsh autocompletion script with cyclops completion.

Consider

2026-03-08T00:00:00+02:00

Learning without thinking is useless. Thinking without learning is dangerous. -- C.

Gent

2026-01-31T00:00:00+02:00

Prometheus/Dogstatsd compatible, minimalistic monitoring agent

Gent is a simple application telemetry collector & exporter. It Ingests both regular StatsD and its extended variant, DogStatsD messages and generates Prometheus-compatible telemetry. It is designed to be reasonably small with no external dependencies. It can be built with nothing beyond Go standard library.

Gent is intended to be run on the host or inside a container with direct host networking. For maximal usefulness, it is distributed under the MIT license.

Download: gent.tar.xz (~10kB)

Using Gent

Once the agent is running, send *StatsD messages to its listening port. Gent will process the messages and generate an export for Prometheus-compatible scrapers. These exports are regenerated every 15 seconds.

Basic Architecture

  | HOST |
+-------------------------------------------------------+
|                                                       |
| +---------------+               +---------------+     |
| |  Service A    |-+           +-|+-------------+|     |
| +---------------+ |           | || Container X ||     |
|                   |[msg]      | |+-------------+|     |
| +---------------+ |[msg]      | +---------------+     |
| |  Service B    |-+      [msg]|                       |
| +---------------+ |           |                       |
|                   |[msg] [msg]|                       |
|                   |      [msg]|                       |
|                   |      [msg]|                       |
|                   |[msg]      |            +------+   |
|                   v           v            | Gent |   |
|                                            |      |   |
+-------------------Y-----------Y------------========---+
               localhost      container-network

Performance

Tested on a relatively recent AMD Zen 7 @3.3GHz.

With the included stresser sources, gent can sustain a degenerate rate of 400k packets per second before dropping messages. At rates below 50k/pps the CPU utilisation is negligible.

Miscellania

The name gent is a pun, for "a gent".

It is inspired by bucky3, a monitoring agent used internally at Smarkets .

The ringbuffer design is inspired by LMAX Disruptor but takes a few shortcuts to make the implementation easier to reason about.

For practical information on DogStatsD message format, see this article.

A bubble about to burst

2025-12-30T00:00:00+02:00

The AI bubble of 202x is waiting to pop

With both of the big names (OpenAI & Anthropic) announcing their speedy IPO plans, the only sensible conclusion to draw is that the bubble is about to burst. The companies in question know it. Their investors know it. The public at large knows it. The investor class expects it but is looking at trajectory based on history. ¹

The sentiment among the AI companies is being telegraphed loud and clear: "take the money and run". If they get to IPO before the reality catches up, someone else will be holding the bag. The owners and investors have cashed out. Collapsing stock price is no longer their problem. The world can burn.

With any luck, they will also have the money to buy good businesses for pennies during the crash, and own even more of the global production when the cataclysm eventually subsides.

Or as someone else distilled the whole thing: "The price of computer memory has tripled because a bunch of memory that hasn't been yet manufactured has been pre-ordered so it can be used in GPUs that aren't yet installed in data centers that haven't been built yet in order to supply a demand that doesn't exist so the companies can earn profits that won't happen."

Surely there is always a bigger fool to sell to. ↩

Lessons from 30+ years of information security

2025-12-25T00:00:00+02:00

The zeroeth rule of thumb for infosec professionals

You are not cynical enough.

No, not even you. Not even after adjusting for the above.

Bone-chilling winds of political change

2025-12-11T00:00:00+02:00

Reading the tea leaves

Listening to political winds and reading the tea leaves in the UK make one thing disturbingly clear.

The country is about 6 years away from brownshirts, and 9 years from camps.

Long-term investment is looking at razor wire and heating element manufacturing as a growth sector.

Artificial Misanthropy

2025-12-02T00:00:00+02:00

Artificial Misanthropy

A misanthrope is someone whose view of the world can be distilled into a simple sentence: "I hate people in general, and everyone in particular."

And it's a common enough condition in expressed writing that even AI has picked it up.

False positives are so last century

2025-07-20T00:00:00+03:00

New hotness: Unvalidated Assumptions

Vulnerability scanners, in the year 2025 - and the companies flogging them to unsuspecting ~~customers~~ victims - are defective by design. The latest trend in flooding the already substandard spewage with even more useless noise is to run CI-time checks against non-CI systems.

A "modern"[tm] scanner, upon finding a build manifest source code file with listed dependencies will happily claim that every listed package is installed on the system. It does not bother to verify its claim. That would be too much work.

That is just as accurate as if a police visiting a home sees a copy of Malleus Maleficarum in the bookshelf, and puts everyone in jail because of iron-clad proof that the family living there burn people alive.

Four stages of getting griefed

2024-11-25T00:00:00+02:00

Scribbling at $dayjob, again

Some time ago (cough several months cough) I wrote a piece at work. As part of a bigger set of reader friendly updates, I knew I needed the option to link to a concise piece that explains what takes place in the event of an online breach. And that piece could not be too specific, or tied to any single vendor or system.

Among other things, breaches are reported and news of them read because humans are... well, human. Selfish. Shallow.

Consider this a PR-approved, yet sufficiently cynical take on the anatomy of an online breach: Four stages of getting griefed

Crowdstrike outage was inevitable

2024-07-21T00:00:00+03:00

The global IT outage was only a matter of time

Friday, 2024-07-19. Large parts of the world come to a screeching halt, when Crowdstrike, a "security and endpoint protection solutions company", deploys a broken signature update. 8.5 million Windows machines crash and do not recover.

Crowdstrike caught the bullet and the blame, but this could have been any one of the vendors in the same sector. They are all equally bad.

Rootkits, rootkits everywhere

An endpoint detection and response product (EDR, NDR, XDR, or whatever they are called this week) tries to prevent dodgy and/or malicious software compromising the system. It does this by inspecting, intercepting, blocking or modifying the low-level library and operating system calls made by all other software running on the system. To do that, it must itself run with elevated privileges and even inside the kernel.

A piece of third-party software, loaded into the kernel, intended to modify what other software on the system can see or do. Back in the 1990s we used to call them rootkits.

The endpoint security products may wear corporate suits and come with exorbitant marketing budgets, but from a technical perspective they are just the same: rootkits.

Poor quality code

The outage from this particular failure was caused by Crowdstrike's agent (running in the kernel) parsing a malformed signature data file ... and promptly crashing. Taking the entire system with it.

On reboot, the agent is one of the first pieces to start, so it has an early access to read its data files before anything else comes up. So now it crashes early in the boot sequence, causing a "boot loop".

Reboot. CRASH! Reboot. CRASH!

This should be error handling 101, and it is crystal clear Crowdstrike's agent was not doing it properly. But as I said at the top, this could have been anyone. If this is how the industry giants write kernel drivers, their userspace code is unlikely to be any better.

This is not a new sentiment. Few months back, Dmitri Alperovitch - founding member of CSRB, co-founder and former CTO of Crowdstrike - said during a podcast interview that some of the worst code he had ever seen was in security products. Industry professionals have known this for a long time, so it didn't come as news... but it was admittedly nice to hear someone finally say the quiet part out loud.

Bad release management practices

Based on the reports heard so far, the signature data update ("channel file") had passed all their build time checks. The malformed data was inserted into the build artifacts at a later stage, before the now-modified release artifact was finally made available to their installed client base.

How is that an acceptable release mechanism?

As if that wasn't enough, the updated artifacts were made globally available without (apparently) testing them internally first. Even the most basic testing scheme should have caught an entire fleet of machines crashing after update. So either Crowdstrike did not have testing regime in place - or they did, and nobody paid attention to what the test systems were showing.

How is that an acceptable release strategy?

And if Crowdstrike, a supposedly industry-leading giant is doing it this badly - how bad is it with the rest of the industry?

Perverse incentives

Based on grapevine and rumour mill (ie. things I can not attribute or verify), EDR vendors have contractual SLAs that bind them to a guaranteed 4-hour turnaround from "new threat detected" to "signature and prevention mechanism deployed to clients".

High pressure. Complex problems. Arbitrarily tight, unrealistic deadlines.

That is a recipe for cutting corners and bypassing checks. If running a pre-release check cycle takes 20 minutes and you're already running out of time, then sure, by all means, YOLO the release. If you breach the SLA, your clients are going to get hefty discounts and service credits - and your boss's boss will miss their annual bonus ladder.

What's the worst that could happen?

Regulatory capture

A lesser known misfeature of the security product vendor race is that once a vendor is big enough and well-known enough, their name gets "somehow" added to security questionnaire templates. These templates are used by various regulators, auditors, clients' vendor diligence/assurance teams, and insurers. Get big enough as a vendor, and you get added to a list of pre-approved/known-good providers, into a dropdown menu in spreadsheet, or a radio button menu in a web form.

These questionnaires are everywhewre. Every time you, as a party getting questioned, pick the sane option ("other"), you get to explain the reason for doing so to non-technical, non-security people. It is no wonder that for a company going through the same dance for the umpteenth time, someone high up in the chain will eventually decide that it's going to be easier to buy a solution from one of the listed vendors just to cut down on the time and headache.

A tacit moat is still a moat.

Disaster recovery through clicky-clicky

As bad as the security product vendors may be, they are not the only ones to drop the ball. This disaster took out more than eight million systems in a couple of hours. The companies impacted will take days, if not weeks, to recover in full.

In this day and age, system provisioning and recovery should be a solved problem. Frequently updated, well maintained golden images with well exercised, automated (re)install cycles should be table stakes.

They're not.

Instead we have overburdened IT admin teams who have to go around from machine to machine, clicking buttons in the right order, to get the basic functionality back.

Our industries are running fleets of machines that are capable of doing the same thing over and over again, blazingly fast, never getting tired. We supposedly thrive on automation. And yet the actual maintenance of these same machines is done without taking advantage of the same automation capabilities. Instead of routinely used scripts taking care of the mundane activities, we depend on runbooks with screenshots to explain which button to click at any given step in the sequence.

The outro

A global outage thanks to security vendor failure was not an accident. It was an inevitability.

And we're going to see it happen again.

In wake of xz project compromise...

2024-04-01T00:00:00+03:00

OSS project governance demands, distilled

Hi, I'm from Entitled Inc.

You know that unpaid labour of yours, which we benefit from? You should do more of it. Oh, and you should add all this red tape so that we don't have to do anything ourselves.

We're still not going to pay you.

We also demand that you sign our Modern Slavery statement.

Solution in search of permanence

2023-11-17T00:00:00+02:00

Visions of future past

Year is 2041. Freshly elected Tory government, with nothing left in the country to sell off, find a solution to their prison overcrowding problem. State sanctioned organ harvesting becomes an overnight export success.

Medical facilities are caught by surprise, consistently outbid by the pet food industry.

Life of success

2023-10-22T00:00:00+03:00

Three steps to a life of success

Be born to the right parents
Nepo
Coast

Collected scribblings

2023-07-02T00:00:00+03:00

Things written in times past

I used to write things for a previous employer's tech blog, but the old URLs may succumb to bitrot. These should work as long as Medium works:

The challenges of running a betting exchange (2016)

Notes on interviewing engineers (2016) -- This one was also picked up by a recruiter's blog.

DevOps is culture, not a title prefix (2017)

Security and Devops - a natural fit (2017)

Wait, what is my fleet doing (2018)

Hey, guess what? Your passwords have been compromised

Shields up on user information (2019)

Coronation Time

2023-04-18T00:00:00+03:00

Dedicated to Cause

UK government's refusal to negotiate with the NHS staff can only be taken as dedication to monarchy. They want to make sure that King Charles's coronation will be a once-in-a-lifetime experience for as many people as possible.

Audits explained

2022-12-07T00:00:00+02:00

Audits explained

A pentest is like going to the GP for a check-up. An audit is like having a month-long colonoscopy.

from copilot import vulnerabilities

2021-09-03T00:00:00+03:00

Not your grandfather's MVC

This was perfectly predictable. CoPilot generates insecure code, as expected.

Machine Learning, the magic pixie dust of the past decade, is all about volume. And writing secure code is harder than writing insecure code. So by sheer volume there will be a lot more insecure code around.

Given that a lot of code in the wild is essentially a minimum viable copypaste from the highest scoring answer on StackOverflow, teaching the code generator model has obviously consumed a lot of insecure code. Since SO rewards speed, the answers that take the least time to write will receive most points.

Writing secure code takes more time and more space - so by the time someone submits an answer that considers security aspects, the person asking the question has already accepted (and ran with) the first and shortest working answer instead.

StackOverflow has redefined the MVC programming model. It now stands for Minimum Viable Copypaste.

Chilihillo

2021-06-28T00:00:00+03:00

Lusikoitavaa chiliä

Arvioitu valmistusaika: 1,5h

Muokattu Guardianin reseptistä

Ainekset

Reilu 300g tuoreita chilejä
1kg hienosokeria
Pektiiniä
400ml siideriviinietikkaa

Muut tarvikkeet

Hillopurkkeja
5l kattila
Soseutin

Esivalmistelut

Mittaa reilu 5g pektiiniä ja sekoita hienosokeriin.

Keitä purkit ja kannet erillisessä kattilassa. Ota syrjään ja pidä veden alla kunnes hillo on valmista.

Valmistus

Leikkaa chilien tyvet pois, halkaise ja poista siemenet sekä suurin osa valkoisesta lihasta.

Perattuna chilejä pitäisi olla noin 250g. Ei ole kovin tarkkaa. (Alkuperäisen reseptin mukaan 200g riittää mutta nyt lisätään vähän potkua ja makua.)

Pilko chilit sopivan pieniksi ja soseuta.

Laita aineet kattilaan:

sokeri ja pektiini
soseutettu chili
etikka

Keitä ja sekoita noin 15m verran. Keitos saa kuohua ihan kunnolla.

Hillo on valmista kun se jähmettyy kylmälle lautaselle. Jos keittämistä jatkaa muutaman minuutin pitempään, tulos on gelatiinimaisempi.

Kaada hillo purkkeihin. Vie ensin joksikin aikaa huoneenlämpöön tai ulos jäähtymään, ja kun purkit eivät enää ole kuumia, siirrä jääkaappiin.

Säilytys

Pysyy hyvänä jääkaapissa jopa puolikin vuotta. Ellei lopu ensin.

Swipe to SSH

2021-01-07T00:00:00+02:00

SSH (Yubi)Key Authentication

SSH with private keys coming from secure hardware. What's not to like?

You've read the How-To. You've changed the pin with:

yubico-piv-tool -a change-pin

You're generating a resident key with:

ssh-keygen -t ed25519-sk -O resident -f ~/.ssh/yubi_ed255_key

After entering your pin, the above command breaks with "enrollment failed: invalid format". Surely you're doing something wrong? After a minute of head scratching, you try again, this time with:

ssh-keygen -vv -t ed25519-sk -O resident -f ~/.ssh/yubi_ed255_key

And are greeted with a confusing error. According to the error code (FIDO_ERR_PIN_NOT_SET) the resident key can not be generated because your YubiKey is not protected with a pin. But you've changed it already - what gives?

You've changed the PIN for the PIV application... which is different from the FIDO2 application.

Right idea, right PIN, wrong application?

Turns out you're missing the right tool. Get the correct one with:

${SUDO} apt install yubikey-manager

And then configure the FIDO2 application code with:

ykman fido access change-pin

Now you can rerun the command from above and generate a private key directly with the YubiKey.

(Update 2025-03-15: ykman fido command updated)

Things that work

The private key file, generated by the ssh-keygen command, can be nuked. It is after all a resident key, accessible directly from the YubiKey device. And you probably didn't add a keyphrase for it either.

So you can now load the private key into SSH agent, with:

ssh-add -K

You'll need to type in the PIN you set earlier.

... and a few that don't

The main problem with the above setup is that every use of the private key, even when loaded to the agent, requires to touch the magic button. To make things worse, the client doesn't show any hint what is needed, from a casual observer's point of view establishing the connection seems to hang.

This is okay for random logins, but breaks non-interactive workflows, and utterly messes up remote autocomplete. Touch the key one time too few, and the autocomplete never finishes. Touch it one time too many, and you've just vomited an OTP string to your terminal.

An ideal setup would allow the agent to authenticate without interaction for a configurable time, but so far this seems not to be supported.

Near-future experimentation

Documentation for ssh-keygen states that the resident key may be generated with the additional option -O no-touch-required to allow fully non-interactive use. At least at the time of writing, portable OpenSSH v8.4 does not appear to support the option, which may be for the best. Additionally, the public key requires special annotation for its entry in authorised_keys but even then it's not a good idea.

Because this option essentially would turn the YubiKey into a USB-attached SSH trust/identity dongle, it's far too dangerous to be used without other mitigations.

The missing hint

The bit about FIDO2 application for SSH client and the necessary command was found here.

Helpful two-liners

When changing the PIN/PUK codes, of course you want the new codes to be random. A really easy way to generate them is with python. Like this:

% python3 import secrets secrets.randbelow(10**6) # for PIN
secrets.randbelow(10**8) # for PUK

Getting home for plague'mas

2020-12-21T00:00:00+02:00

Be honest

Planning to travel to visit your family in these plague-ridden times, you're really saying:

"I miss my family so much they will see me if it's the last thing they do."

It's that time of the year again

2020-12-19T00:00:00+02:00

Page from an undated journal

Daddy's crying. Mommy has a black eye. Little sister's hiding under her bed.

Yep, it's christmas.

Perception is almost everything

2020-11-01T00:00:00+02:00

Misunderstood Indexing

Holding the number-one spot on Corruption Perceptions Index tells nothing about how well a country is doing.

It merely highlights how bad the situation is even for the runner-up.

Dear online surveillance addicts

2019-10-09T00:00:00+03:00

Ground rules for acceptable ads online

The following is an edit of a piece originally written in November 2015.

The pinnacle of non-intrusive online ads were the original Google search ads. They were out of the way, clearly marked as ads - and hence could be visually filtered out. They were pure text, so could be neatly included as elements on the rendered page. And they were always targeting an INTEREST. Not an individual.

I will take that as the minimum acceptable advertising behaviour. I'm not implying it's perfect, but at least we set a clear set of ground rules. With that in mind, my ideal, non-intrusive ads mechanism builds on the following rules:

Ads must never be inline to page content.
Even when clearly out of the way, ads must not be allowed to mimic page content; they must be clearly marked as ads.
Text only.
I might accept an image within the ad, provided it was always served from the content provider's system.
As an extension to previous point: if the served image size would exceed a notable fraction of the page size, it must not be included in the output.
No user tracking of any kind.
No third-party javascript. Ever.
At most 15% of display real estate allowed to be used by ads. Including the padding in the UI. (It all counts as space denied from content.)
Not allowed to affect page content load times. Ad material must be included at the end of the page code. If your service pushes ads from internal and separate system, hard timeouts must be imposed: if the internal system cannot serve an ad within an allotted time, the frontend must never be forced to wait. You just missed an ad impression. Tough.
If clicking an ad takes a user through a bounce page, all identifiable information from the user must be stripped. Bounce page or redirect must not impose any further page loading delay.
No beacons.

Breaking even one of the rules automatically disqualifies you.

If you, as an advertiser, find these rules unacceptable - well, then we are in mutual disagreement. I find your ads equally unacceptable and will treat them as a form of cancer.

However, as a genuine service to the user... please allow the users to search for ads that have been displayed to them. Preferably by display context. I would be glad to return to a subject at a later date and search for something I remember seeing earlier.

The above set of rules is still not ideal, but everything that behaved according to them would at least be palatable.

Waste not, want not

2019-09-29T00:00:00+03:00

Visions of future past

In our lifetime we will have seen the Western countries not just close but to barricade their borders. Should an unannounced ship approach, carrying desperate human beings fleeing the wars and the devastation, we won't be even allowed to think about accepting them.

The ships will be, not stopped and turned around, but torpedoed and sunk on sight. The drowned will be harvested for feed and fertiliser.

My only consolation is that I am old enough to not necessarily witness all of it.