

Egg on My Face

I was wandering around Server Fault this evening and found someone looking for stories of the Best sysadmin accident. Here's mine:

Ten-plus years ago I was working on a project that required a SOCKS proxy. I had been using a program called WinGate that, in addition to a SOCKS proxy, provided a nice little Internet gateway functionality with NAT, DHCP and a few other niceties. This was before Windows had Internet Connection Sharing, so WinGate let you share your dial-up modem with your Ethernet network.

I installed the software and started work on the SOCKS client functionality. Later that day, we lost internet connectivity. All of a sudden, it just stopped and nobody could access outside the company. We called our ISP and everything looked fine on the connection. The router was working fine. We just couldn't figure out what went wrong. I pitched in at one point as I had some knowledge of TCP/IP, but I didn't make any headway.

The next day our IT guy figured out that the DHCP server had given the address of the router out to someone's machine, and everyone was using it for the default gateway which didn't go anywhere. Later that day our IT guy came into my office and I asked, "So did you figure out who gave out the wrong IP address?" He said, "Yeah, it's you!"

WinGate had defaulted to running a DHCP server and had given out the router address to the first client whose previous address had expired. I was pretty red-faced for a week.

We are so proud!

Linus has been very interested in making movies and would love to make a stop action LEGO short. In our "baby steps" mode of operation, here is the first one he's wanted to put on YouTube.

Crypto Interoperability

I've been struggling for the last week trying to get some cryptography code to behave the same on Windows and under Java. Yes, I searched Google, and I was even let down by my new favorite Stack Overflow. With all those misses, I thought this would be the perfect opportunity to improve my page ranking by trying to provide legitimate content that was useful to the general programming public.

The problem was trying to generate digital signatures in non-managed C++ under Windows and in Java and being able to verify the signature on the remote side, possibly in the other environment.

On the Java side we were using the Bouncy Castle libraries through the SPI layer. It seemed to be working perfectly and we were able to sign and verify between Java clients and servers. If we couldn't, that would mean we were doing something horribly wrong and the whole affair would be in jeopardy.

With the Java side working nicely, we moved on to getting the C++ and C# code working. For C#, we used the .NET RSACryptoServiceProvider. We generate the SHA-1 hash and then pass it to the SignHash method to generate the encrypted signature.

Now, on to C++. Our initial attempt used the Windows CryptoAPI, but I think it is at too low a layer, and when we decrypted the signature, the byte count was completely wrong. The Java signatures came out to be 128 bytes for a 1024-bit key, but the WinCrypt signatures came out to 127 bytes.

Not seeing a promising road ahead, we decided to write a wrapper DLL that would allow the unmanaged C++ code to call into the .NET RSACryptoServiceProvider to use the SignHash method we were using from the C# code. Now when we would receive the signature, the decrypted byte count was 35, which was closer to the 20 we thought we needed to match the SHA-1 digest, but we had no idea where the extra 15 bytes originated.

In the Java code, we were generating the signatures in a manual fashion, thinking that would be closer to the "metal" and allow easier reproduction on the C++ side. We generated the SHA-1 digest and then encrypted it with the private key. When we decrypted the .NET generated signature, the 35 bytes contained the same SHA-1 hash, but the 15 extra bytes were ahead of it. Sensing that we were really close, I started to look through the Java crypto API to see if anything else might be more suitable.

In the release notes for Bouncy Castle, I saw a reference to signature algorithms and SHA1WithRSA was listed as an option. I rewrote the signing code using the signature algorithm and, lo and behold, the signatures started matching. After spending a week trying to debug this we finally found our solution and everything is working great now.

But, what about those 15 bytes? Well dear readers let me point you to the special sauce. RFC 3447 describes how RSA cryptography is supposed to be done—properly. If you're in a rush, trying to meet a deadline, it's not the sort of document you want to read. Heavy on math and a little difficult to follow, it's not the sort of thing you turn to first. I found a link to the RFC from another search and decided, now that we had it working, I would see if I could figure out where the 15 bytes came from. Scanning through the RFC, I came across the signature section. It turns out that to generate the signature, after generating the digest, you prepend an ASN.1-encoded identifier of the digest algorithm (its OID, wrapped in a DigestInfo structure) to the digest, and then the entire thing is padded and encrypted with the RSA private key. In the case of SHA-1 that prefix is 15 bytes.
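To make the byte accounting above concrete, here is an added example (not code from the original post or from Bouncy Castle/.NET) that builds an RFC 3447 EMSA-PKCS1-v1_5 SHA-1 signature by hand in Python. It shows the 15-byte DER DigestInfo prefix that sits ahead of the 20-byte SHA-1 digest, the 0x00 0x01 0xFF…0xFF 0x00 padding block that a "decrypt the signature" step strips off before you see the 35 bytes, and why a signature over the bare digest (the manual Java approach from the post) fails a SHA1withRSA-style verification. The RSA key is a constructed toy built from two Mersenne primes so the script runs offline with only the standard library; such a modulus is trivially weak and exists only to exercise the encoding.

```python
"""PKCS#1 v1.5 (RFC 3447, EMSA-PKCS1-v1_5) SHA-1 signatures, worked by hand.

Added example: demonstrates the DigestInfo prefix and padding that make a
SHA1withRSA signature differ from an RSA operation over the raw SHA-1 hash.
"""
import hashlib

# DER encoding of DigestInfo for SHA-1, minus the 20-byte digest itself:
#   SEQUENCE, length 0x21          30 21
#     SEQUENCE, length 0x09        30 09
#       OID 1.3.14.3.2.26 (sha1)   06 05 2b 0e 03 02 1a
#       NULL                       05 00
#     OCTET STRING, length 0x14    04 14
# These are the "extra 15 bytes" that appear ahead of the hash.
SHA1_DIGESTINFO_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")


def digest_info_sha1(message: bytes) -> bytes:
    """Return the 35-byte DigestInfo (T in RFC 3447) that is actually signed."""
    return SHA1_DIGESTINFO_PREFIX + hashlib.sha1(message).digest()


def emsa_pkcs1_v15_encode(t: bytes, k: int) -> bytes:
    """EM = 0x00 0x01 || PS (0xFF bytes, at least 8) || 0x00 || T, k bytes long."""
    if k < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def emsa_pkcs1_v15_decode(em: bytes) -> bytes:
    """Strip the padding and return T; this is what a 'decrypted signature' shows."""
    if len(em) < 11 or em[:2] != b"\x00\x01":
        raise ValueError("bad padding header")
    sep = em.index(b"\x00", 2)          # raises ValueError if no separator
    if sep < 10 or any(b != 0xFF for b in em[2:sep]):
        raise ValueError("bad padding string")
    return em[sep + 1:]


# Constructed toy key (NOT for real use): Mersenne primes M13 and M14 give an
# 1128-bit modulus with no dependency on a key-generation library.
P = (1 << 521) - 1
Q = (1 << 607) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def _k(n: int) -> int:
    """Length of the modulus in bytes (128 for a 1024-bit key)."""
    return (n.bit_length() + 7) // 8


def sign_sha1_with_rsa(message: bytes, n: int = N, d: int = D) -> bytes:
    """What Java's SHA1withRSA and .NET's SignHash(SHA1) produce."""
    em = emsa_pkcs1_v15_encode(digest_info_sha1(message), _k(n))
    return pow(int.from_bytes(em, "big"), d, n).to_bytes(_k(n), "big")


def sign_bare_digest(message: bytes, n: int = N, d: int = D) -> bytes:
    """The post's 'manual' approach: pad and sign the raw 20-byte hash, no DigestInfo."""
    em = emsa_pkcs1_v15_encode(hashlib.sha1(message).digest(), _k(n))
    return pow(int.from_bytes(em, "big"), d, n).to_bytes(_k(n), "big")


def recover_signed_payload(signature: bytes, n: int = N, e: int = E) -> bytes:
    """'Decrypt' a signature with the public key and strip the padding: returns T."""
    em = pow(int.from_bytes(signature, "big"), e, n).to_bytes(_k(n), "big")
    return emsa_pkcs1_v15_decode(em)


def verify_sha1_with_rsa(message: bytes, signature: bytes,
                         n: int = N, e: int = E) -> bool:
    """RSASSA-PKCS1-v1_5 verify: recovered T must equal the expected DigestInfo."""
    try:
        return recover_signed_payload(signature, n, e) == digest_info_sha1(message)
    except ValueError:
        return False


if __name__ == "__main__":
    msg = b"constructed sample message"
    good = sign_sha1_with_rsa(msg)
    bare = sign_bare_digest(msg)
    print("DigestInfo prefix:", len(SHA1_DIGESTINFO_PREFIX), "bytes")
    print("payload behind SHA1withRSA signature:", len(recover_signed_payload(good)), "bytes")
    print("payload behind bare-digest signature:", len(recover_signed_payload(bare)), "bytes")
    print("SHA1withRSA verifies bare-digest signature?", verify_sha1_with_rsa(msg, bare))
```

Running the script reports a 15-byte prefix, a 35-byte payload behind the SHA1withRSA signature and a 20-byte payload behind the bare-digest one, and the cross-check fails: both sides must agree on the DigestInfo wrapper, which is exactly what switching the Java code to the SHA1WithRSA Signature algorithm achieved.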

This was one of those great triumphs that I love about programming. You're stuck on a problem working to solve it and when you do, you've learned something more about the larger world of programming. Something probably known by many others, but you've discovered it anew and now it's yours to keep.


Oh, the weather outside is frightful...

We finally received the prognosticated snowfall last night. My layman's measurement shows about 5-6 inches of snow.

One of the things I like about working in technology is you aren't limited in what you can do when the weather goes bad. I can work from home almost as if I were in the office. It makes it so I don't...have....to.....miss......work.......because.........of..........snow.

<sigh>

And then he said...

I saw the front page of the Seattle Times this morning saying, "Clinton to accept State job, aides say." Doesn't this just take you back to middle school? "I told Stacey that I like Dan, so she told Joe that if Dan asked me to go out that I would say yes. But I'm not sure I will say yes if he knows that I like him because, you know, I want it to be him." I guess the communication back channels we learn to use in the awkward years are more useful than we thought.


The Uglier Side

I'm a slow driver. I like to think it's because my senses are keenly aware of everything going on around me and the car and that I drive slowly because in order to take all those inputs into account in making my next driving decision, I have to reduce speed in order to allow for greater reaction time. The truth is that I'm just slow at most things.

So I pulled out onto the main street this afternoon and found a large SUV right on my tail. Pulling onto this street involves small blinds in both directions, so I may not have seen him when I turned and in that case, I cut him off. At any rate, I was going too slowly for his tastes so he honked at me which, lately, has really been irritating me, especially when the speed limit is 25 through this area. Remembering my driver's education from 22 years ago, I tapped on the brakes with the polite message of "Please stop following me so closely." Well, okay I skipped that part and went straight to laying on the brakes hard and slowing down a lot more. This did not please the driver behind me at all.

He decided that kicking his dog this morning wasn't enough, so he pulled around me on a two lane road, got in front of me and then gave me a taste of my own medicine by slowing down. He did me one better by stopping completely before reaching the stop light and put on his hazards. As I reflect on this, he was probably considering getting out of his car at this point.

Realizing I had pushed the wrong button on this guy, I just sat patiently and waited. I was prepared to wait for hours until he decided he was ready to move. He moved into the left turn lane and I moved into the right, putting us window to window. He rolled down his window and waved to me and I waved back with four more fingers than he did. He began shouting a lot of things at me, none of which I could hear with my window rolled up and with both boys in the back seat, that's probably best. I smiled at him and continued to wave with all five fingers and he pointed at me both vertically and horizontally and continued yelling at me.

When the light turned green and we both went our ways, my heart started beating again and the boys asked me why the man was yelling. I explained that he felt like I did something wrong to him and was upset about it.

Fast-forward a couple hours as I've been thinking about the incident and all the different ways it could have ended. What would I have said had we had a more face-to-face verbal exchange? I was coming up with all sorts of witty retorts and how I would have remained unemotional and let him get as angry with me as necessary. He was clearly in the wrong. I think he was driving too fast and I had every right to try to slow him down and get him away from the back of my car. Yeah, I'm completely in the right here. I didn't do anything to provoke him, I was just being my good little Christian self heading to my church office to help with some moving issues. In walks the Holy Spirit:

"In the moment you stepped on your brakes you stopped looking at him with God's eyes. In that moment your disappointment in your finances and your parenting and your personal and spiritual life came together and you decided to blame that other driver for all of them. He's not what's wrong with the world, you're what's wrong with the world."

Okay, the last statement is my interpretation of what he said. But you know, he's right. I did fail in that moment. Given my chance to extend God's grace to another individual and I failed. I plan it out in my head how I'm going to show grace and kindness to my neighbor, but like the parable, I didn't expect this to be my neighbor. My knee jerk reaction (which I believe tells more about who I am) was to irritate the other driver right back. I wasn't thinking anything about what the other driver was going through. I didn't offer him the other cheek.

Where do I go from here? After thoroughly boring my boys at the church office, I took them on a walk at a nearby park. On our way back I stopped at a bench and told them how I had made a mistake. That my first reaction was a dangerous one and could have caused an accident and hurt them. I forgot to include the part about how God calls us to be better than that, so I hope they get that from Sunday School.

As we prayed before bed, I asked God to forgive me for the way I had behaved. I hate praying like this because I feel like I'm praying at them, but I want them to know this is what you do when you do wrong. You ask for forgiveness from the only one qualified to give it. I also asked that if I ever had the opportunity to make things right that I could do it to God's glory.

Everyone has a story like this. You've been me, or you've been the other guy. Whenever you tell your story, someone often shares theirs with you. In Christian circles you'll often get a smattering of, "Well this is how I dealt with someone like that..." I realized today that when I listen to those stories and think, "Wow, that would be a really good way to deal with that situation," it will never happen that way again. I am a different person, the other driver is a different person and the circumstances are different. It reminded me of Philippians 2:12: "Therefore, my dear friends, as you have always obeyed—not only in my presence, but now much more in my absence—continue to work out your salvation with fear and trembling." You can't take someone else's experience and put it to work in your own life. You have to work it out for yourself, and don't forget the fear and trembling part.

The Age of Communication

My wife and I forgot our mobile phones this morning. As I was thinking about the ramifications I realized that before mobile phones, you could never have said, "I forgot my phone." That would be like saying, "I forgot my house."