Fun with Password Hashing

I’ve been spending some time looking into password hashing best practices over the last week.

I’ve known about the BCrypt algorithm for a long time as the old BSD standard ‘high effort’ hashing algorithm designed to make brute forcing hashes difficult.

I’ve found that there is a new effort called SCrypt intended to generate a modern equivalent for dedicated password hashing as well as a ‘password expansion’ algorithm that appears to be in wide use called PBKDF2.

The PBKDF2 algorithm (RFC 8018) runs an HMAC with the password as the key. The salt, with a block index appended, is the message for the first iteration, and each later iteration takes the previous HMAC output as its message; the outputs of all the iterations are XORed together to form each block of the derived key, so every iteration has to be computed to get the result. The iteration count is chosen by the user, which lets the work needed to produce a hash be tuned to the target hardware and to the attacker you expect. That is how a fast modern hash such as SHA-256 can still be made expensive enough per guess to slow a brute force attack. The caveat to keep in mind is that the cost is pure CPU time with almost no memory, so it parallelizes cheaply on GPUs; that is why bcrypt and especially scrypt (which is deliberately memory-hard) are the better choice where you are free to pick, and PBKDF2 is mainly the right answer when you are restricted to approved primitives such as HMAC-SHA-256.
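To make the chaining concrete, here is PBKDF2-HMAC-SHA256 written out step by step and cross-checked against the C implementation in Python’s hashlib, followed by a small store/verify/rehash flow. This is an added example for this page, not code from the original post or from any library it mentions; the stored record format (`pbkdf2_sha256$iterations$salt$key`), the 600,000-iteration default and the `tune_iterations` helper are assumptions made for the example.

```python
"""PBKDF2-HMAC-SHA256 written out step by step (RFC 8018, section 5.2),
cross-checked against hashlib, plus a small store/verify/rehash flow.
Added example; not code from the original post."""
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

HASH_LEN = 32  # SHA-256 output length, i.e. hLen in RFC 8018


def pbkdf2_hmac_sha256(password: bytes, salt: bytes, iterations: int, dklen: int) -> bytes:
    """Derive dklen bytes. The password is the HMAC key; the salt only ever
    appears in the message of the first iteration of each block."""
    if iterations < 1 or dklen < 1:
        raise ValueError("iterations and dklen must be positive")
    blocks = -(-dklen // HASH_LEN)  # ceil(dklen / hLen)
    derived = b""
    for i in range(1, blocks + 1):
        # U_1 = PRF(P, S || INT(i)), with INT(i) a 4-byte big-endian block index
        u = hmac.new(password, salt + struct.pack(">I", i), hashlib.sha256).digest()
        t = u
        # U_j = PRF(P, U_{j-1});  T_i = U_1 xor U_2 xor ... xor U_c
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hashlib.sha256).digest()
            t = bytes(a ^ b for a, b in zip(t, u))
        derived += t
    return derived[:dklen]


def matches_stdlib(password: bytes, salt: bytes, iterations: int, dklen: int) -> bool:
    """Cross-check the hand-written loop against hashlib's implementation."""
    reference = hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen)
    return pbkdf2_hmac_sha256(password, salt, iterations, dklen) == reference


# Stored record format (an assumption for this example, not a standard):
#   pbkdf2_sha256$<iterations>$<salt hex>$<derived key hex>
def hash_password(password: str, iterations: int = 600_000, salt: Optional[bytes] = None) -> str:
    """600k is an assumed policy default; tune it for your hardware."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, HASH_LEN)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        iterations, salt, expected = int(iters), bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
    except ValueError:
        return False  # malformed record: never treat as a match
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, len(expected))
    # constant-time comparison so a mismatch does not leak where the bytes diverge
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, minimum_iterations: int) -> bool:
    """True when the record was produced with fewer iterations than current policy."""
    parts = stored.split("$")
    return len(parts) != 4 or parts[0] != "pbkdf2_sha256" or int(parts[1]) < minimum_iterations


def tune_iterations(target_seconds: float = 0.25, start: int = 50_000) -> int:
    """Double the count until one derivation takes about target_seconds on this box."""
    iterations = start
    while True:
        t0 = time.perf_counter()
        hashlib.pbkdf2_hmac("sha256", b"benchmark", b"0123456789abcdef", iterations, HASH_LEN)
        if time.perf_counter() - t0 >= target_seconds:
            return iterations
        iterations *= 2


if __name__ == "__main__":
    record = hash_password("correct horse battery staple", iterations=100_000)
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("wrong password:", verify_password("Tr0ub4dor&3", record))
    print("needs rehash at 600k:", needs_rehash(record, 600_000))
    print("iterations for ~0.25s here:", tune_iterations())
```

The `needs_rehash` check is the piece people forget: once the iteration count is stored alongside the hash, you can raise the policy later and transparently re-derive a user’s record on their next successful login, rather than leaving old, cheap hashes in the database.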

C++ 11, 14, 17 and Later

I’m quite familiar with much of the content of C++ 2011 as it represented a welcome and long desired step up in C++ language capability.

I’m less clear on the changes that live in the 2014 and 2017 incremental updates (smaller and more tightly focused) and the upcoming work that will feed into the next release.

Getting on top of this is becoming more important as I’m back in the C++ world and while almost everything should support C++ 11, the later iterations may be missing or fragmentary.

I’m spending a little time this afternoon looking through resources on this front, starting with the C++ 2011, 2014 and 2017 pages on wikipedia.

I have pulled the draft PDF file for 2011, 2014 and 2017 and grabbed the GitHub source for the standard(s). These are quite useful, but seriously deep waters if only the changes are of specific interest. Interesting pointers on where to buy the official docs here with the 2017 version from ANSI at just over $100.00. The current working draft appears to be on GitHub here. I may take a shot at building that into a readable PDF at some point…

I am also rather interested to see what is in boost these days. Back in the Visual Studio 2010 era, the TR1 content that eventually fed into C++ 11 was one of the bigger draws…now that is part of the core tools in general so I’m expecting a new range of interesting bits. They seem to have a GitHub repo here.

And here is the C++ 20 page. Interesting that 20 looks to be much more like 11 than 14 and 17 (which were small tweaks).

Just Ordered the newish Josuttis book on C++ 17

Ordered a copy of the new Josuttis book this morning. I’ve found his standard library and templates books to be very much worth reading and I’m hoping that C++17 – The Complete Guide will provide a useful update to Stroustrup (which is getting a bit old).

I’m back in the world of C++ and the language is undergoing a lot more change these days than it had been in the early 2000s. Keeping up with the future trajectory of C++ is very much on my radar.

Doing Some Unity Refresher Reading

On the flight to San Diego I did some Unity refresher reading and some thinking about game ideas that might be worth playing with.

I was looking for references to ScriptableObjects in the books I’ve got and didn’t find them. Guessing the focus there is too new to show up. I’ll post a bit on the ideas front over on PandaMallet in a bit.

It has been a slow summer on the home technical front and I really want to get that stuff rolling again as we move into fall. Plenty of interesting stuff to do, just need to find the time and decide to focus.

Re-seated Memory and SSD in my Router

…and so far, with the fan blowing on it and keeping the temperature down it seems to be doing better than it was yesterday.

It will be good to have a fallback machine available but I’m really hoping that this resolves the issue.

I do intend to keep a fan blowing across this ‘fanless’ machine as well once I get things back together. Crossing my fingers that this stays up now…

DTLS – Security for UDP

I had a short conversation yesterday about securing UDP data. When I dug around a little it became clear that there is an existing, RFC documented protocol for handling that. I haven’t yet read the specification (though I likely will as it is an interesting technology).

There is a wikipedia description here and the primary RFC is here.

Being able to secure unsequenced and unreliable datagram traffic using a design that is reasonably well vetted seems extremely useful. There are places where UDP is uniquely useful and security is becoming a much larger issue in the market today.

Interesting looking sample code here.

A Bit of a Crazy Day

Today has wrapped up with repeated DNS failures from my pfSense boundary router. I’ve been trying to diagnose things for a good chunk of the evening and so far have little to show for it.

I’ve played with the DNS configuration and things don’t seem to have gotten better. I’ve got a fan blowing on it…temperature is down but it is still flaking. I’ve reseated the memory and SSD and so far it hasn’t failed again, but I’m still concerned.

I did finally order another similar small machine to act as either a replacement or a spare. The household firewall is one of those things that will really impact everyone here should it go down for a period of days (hours is bad enough) so the spare will be welcome.

Hoping to figure this out in more detail sometime soon. I am expecting to have an external fan blowing across the ‘fanless’ computer from now on to keep the temperature down and hopefully forestall any future problems. It had been getting warmer than I liked, but not so warm that I felt there was likely to be an issue…more to come as I work through this over the coming weekend…

Some Thoughts on Agile

I’ve done some development in an agile/scrum environment. There are a number of things it brings to the table that I see improving code quality in some ways and providing a more stable delivery schedule.

With all that being said, I don’t believe it is a silver bullet and I become a bit annoyed when I read books and articles that present it that way. I’ve been doing some refresher reading lately as we’re working with customers who run agile teams here and I’d like to help our team adopt useful bits of agile without harming our overall effectiveness. This is particularly challenging in a regulated environment like the medical device development we do here. It is also challenging when we’re doing contract development engineering and customers expect to have a contract that covers the work we’ll do before they start paying.

Stand-up

I’ve been running some sort of daily stand-up long before I heard of agile or scrum. If anything, scrum environments seem to make stand-up longer and more formal. In lead roles before I hit scrum environments, my stand-up usually involved going to wherever the bulk of the team was located (if I wasn’t already there…jobs varied) and having a short discussion with members of the team about how things were going.

One aspect of stand-up that I don’t endorse is the ‘blockers’ question that usually seems to be a rote part of the process. In a team of under ten people, there should never be blocking issues that last for more than a very short time. If you know who can help you then just ask (by email if they’re not immediately present). If you don’t know who to ask then either ask your lead or ask someone else and follow it up from there. If someone consistently fails to help those who need assistance then the team needs to stage an intervention and make it clear that we work as a team.

Blocking issues should never persist for long enough to make it to stand-up.

I also tend to use stand-up as a platform to address team wide issues and support issues that people encounter. Another side-effect of the ‘keep it short’ philosophy of scrum stand-ups is ‘information-free’ comments. Telling the team that you’ve closed issues/stories ‘1123 and 1127’ and are starting work on ‘1134’ doesn’t really help to share information with the team. It may help the leadership track progress, but they have plenty of tools to do that already if you’re using any sort of software to manage work-flow.

I think this is enough for one day…I’ll add comments in another page in the near future…


My Raspberry PI 4 Came In

I have now received my Pi 4 board (4 GB model to act as a developer machine for my older Pi boards). So far so good…I’ve loaded up the latest Raspbian (Buster) on a 64 GB micro SD card and things came up just fine.

I’ve got it in a simple case with laser cut sides and a small fan to keep the chip cool…sinks installed on the CPU, memory and one other part. A friend got his board in a bit earlier and loaded it up without a fan on things and noted that the CPU became VERY warm. Looks to me as if this board is going to need active cooling in many cases…I expect this may keep the pi3 in service for some time as a low-power option for many builds.

I’ve only started loading up development related items…went to bed a bit early last night with apt still installing emacs. I’ll likely get this much further along over the weekend and post a bit more detailing my experience with the board.

I am hoping to get an OS loaded on one of my USB3 SSD drives as well. This should be faster, bigger and more robust than the micro-SD for the sort of things I’ll likely be doing with this board. I’ll detail my experiences as I get there.