Planet HantsLUG

October 12, 2015

Steve Kemp

So about that idea of using ssh-keygen on untrusted input?

My previous blog post related to using ssh-keygen to generate fingerprints from SSH public keys.

At the back of my mind was the fear that running the command against untrusted, user-supplied, keys might be a bad plan. So I figured I'd do some fuzzing to reassure myself.

The most excellent LWN recently published a piece on Fuzzing with american fuzzy lop, so with that to guide me I generated a pair of SSH public keys, and set to work.

Two days later I found an SSH public key that would make ssh-keygen segfault, and equally the SSH client (same parser), so that was a shock.

The good news is that my Perl module to fingerprint keys is used like so:

my $helper = SSHKey::Fingerprint->new( key => "ssh ...." );
if ( $helper->valid() ) {
   my $fingerprint = $helper->fingerprint();
}

The validity-test catches my bogus key, so in my personal use-cases this is OK. That said, it's a surprise to see this:

skx@shelob ~ $ ssh -i 
Segmentation fault

Similarly running "ssh-keygen -l -f ~/" results in an identical segfault.

In practice this is a low risk issue, hence mentioning it, and filing the bug-report publicly, even if code execution is possible. Because in practice how many times do people fingerprint keys from unknown sources? Except for things like GitHub's key management page?

Some people probably do it, but I assume they do it infrequently and only after some minimal checking.

Anyway we'll say this is my first security issue of 2015, we'll call it #roadhouse, and we'll get right on trademarking the term, designing the logo, and selling out for all the filthy filthy lucre ;)

October 12, 2015 10:40 AM

October 11, 2015

Alan Pope

Troubleshooting as a Choose Your Own Adventure


We have a lot of documentation and help in the Ubuntu project, and much of it is quite hostile to new users. We have IRC channels, mailing lists, dense & out of date wiki pages, lengthy and hard to consume forum posts & lengthy out of date tutorial videos. We also have some more modern tools such as AskUbuntu and Discourse.

Most are good for asking one specific question, but most aren’t well suited to guiding a user through a specific problem diagnosis. If you know what questions to ask, then a search engine might find part of the problem, or hopefully part of the solution.

However one aspect we don’t cover very well is guided self-support. This is very apparent in distribution upgrades. People often give up completely when an upgrade breaks down, rather than work through the problem as they would with anything else. There can be many reasons for this of course, but from what I’ve seen in the community, fixing a broken upgraded system is hard, and made harder when you only have a black screen, or tty to work with when you’re not an expert.


I’m thinking very specifically about a target audience of non-technical users. Someone who uses Ubuntu but wants to feel empowered to fix a problem themselves, and not have to call their wife or daughter or other ‘expert’ to fix it. I want someone to find a guide which gets them out of the upgrade issue. Obviously I’d like us to fix the problems which cause the issues, but I want to start here, because frankly it’s easier for me.


While I can hear some of my co-workers shouting “But popey, Snappy Core fixes the issue of broken updates!”, no it doesn’t, not today, and not while there are people running the traditional Debian based desktop – which I suspect will be for a good few years yet.


I can also hear those of you saying “I never do upgrades, I always clean install”, and I’m happy for you, but we have an upgrade system, people should be confident that it works, and when it doesn’t it should be fixable without going nuclear. Just the same as “Buy a new TV” isn’t usually the solution to “My TV Remote stopped working”.


In my mind a user might be more inclined to fix their system if there’s an easy to use ‘expert system’ which they can walk through to get them working again. I wondered about this some time back and considered the idea of a Choose Your Own Adventure style of troubleshooting issues, rather than just punting people to IRC when their system breaks. We have been helping people with broken upgrades for years, surely we can amass the technical knowledge into a self-service system to help future users.

One assumption I am making with this is that the person going through this is able to access the Internet (and thus this guide) via another machine or their phone. This seems semi-reasonable as we often get people in IRC or on other support resources asking for help with a broken upgrade. So the guide should work well on any browser and ideally on mobile too.

There are of course unfortunate people who have only one computer and no smartphone, so have no way to access this resource easily. This system doesn’t cater for them well.


I made a little prototype using Twine which is “an open-source tool for telling interactive, nonlinear stories.” – typically text adventure or “Interactive Fiction” games, but can be used for other things too. I chose Twine because it’s open source, easy to use, cross platform and simple. You can even create Twine ‘stories’ directly in your browser. Neat!

The output generated by Twine is HTML and can be customised and styled with a stylesheet. I did one simple bit of styling in that I used the Ubuntu font :).


Here’s what the map of the ‘world’ looks like inside Twine (after I carefully moved the blocks around so none criss-cross):-

Twine Screenshot

Editing the pages within the ‘story’ is super easy, linking to other pages is as simple as typing the name of a new page in square brackets:-

Editing a page

You can try out the very early prototype I made at Obviously this isn’t finished, won’t actually help anyone fix their system, and is hosted somewhere obscure, all “TODO” items.


There are a few known issues with the above prototype twine:-

  • Browser back button exits the story, it should go back a step
  • Twine back button is hard to see, some CSS will fix that
  • Many of the pages are quite wordy, or technical, probably could be simplified


I wanted to share what I’d done to see if it seemed like a good idea, and whether people might be interested in helping create and curate content for it. The idea is to make a prototype and get some content rather than make the thing look especially pretty right now. The way I see it there are some important steps to do:-

  • Confirm this isn’t a stupid idea (this blog post)
  • Figure out the best way to distribute this and make it accessible
  • Find people interested in helping
  • Identify a bunch of specific breakages that happen in Ubuntu upgrades
  • Craft diagnostic steps to identify one breakage scenario from another
  • Come up with robust solutions for each scenario
  • Test the scenarios
  • Publish and publicise the work

Things I haven’t yet considered, but probably should:-

  • Translations
  • Accessibility
  • Co-ordinating work
  • How far back I’ll roll my eyes at people telling me rolling distributions are better


Comments, suggestions or flames are welcome here or in my inbox.

by popey at October 11, 2015 07:00 AM

October 08, 2015

Adam Trickett

Bog Roll: Why you are heavier than you think...

Today I went into my local M&S to try on trousers. In the casual section the smallest available size is marked as 32" (81 cm in real units). They are way too large for me and would fall down without a belt or braces. They apparently make some ranges in 28" and 30", but only stock them at the larger stores. As I've mentioned before they are all about 2" larger than they say, so I was actually trying on a pair of 34" trousers - which I already know are too large.

The point is if you think you haven't put on any weight because you are wearing the same size of trousers that you did a decade or more ago, then you are sadly mistaken as in the interval your trousers have got bigger like you have but the sizes have lied to accommodate the change.

I used to wear 34" trousers at university and went to 36" shortly after. My most recent trousers were 36" and so I assumed (in error) that I had not put on weight over the years. As it happens I had and the vanity sizing had misled me. In fact if it were not for vanity sizing I would have noticed this earlier and I may have done something about it earlier...

Vanity sizing doesn't seem to apply to French clothing from Decathlon yet, but seems to be widespread in the UK market.

October 08, 2015 09:51 PM

October 07, 2015

Steve Kemp

Generating fingerprints from SSH keys

I've been allowing users to upload SSH public-keys, and displaying them online in a form. Displaying an SSH public key is a pain, because they're typically long. That means you need to wrap them, or truncate them, or you introduce a horizontal scroll-bar.

So rather than displaying them I figured I'd generate a fingerprint when the key was uploaded and show that instead. This is exactly how GitHub shows your ssh-keys.

Annoyingly there is only one reasonable way to get a fingerprint from a key:

  • Write it to a temporary file.
  • Run "ssh-keygen -lf temporary/file/name".

You can sometimes calculate the key via more direct, but less obvious methods:

awk '{print $2}' ~/.ssh/ | base64 -d | md5sum

But that won't work for all key-types.
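As an added example (not the author's Perl module or any code from the page), here is the validate-then-fingerprint idea from this post and from the ssh-keygen fuzzing post above, in Python: it parses the OpenSSH public-key format directly, rejects anything malformed before it reaches ssh-keygen or a hash, and derives the MD5 fingerprint (plus the newer SHA256 form) from the decoded blob, as the awk pipeline does. The accepted-type table and its field counts are my assumptions about the wire format; the sample key is the ed25519 key shown in this post.

```python
import base64
import hashlib
import struct

# Fields expected in the decoded blob, counting the leading type string (OpenSSH
# wire format). Assumption: only these types are accepted; others are rejected.
KNOWN_TYPES = {
    "ssh-rsa": 3,              # type, e, n
    "ssh-dss": 5,              # type, p, q, g, y
    "ecdsa-sha2-nistp256": 3,  # type, curve name, Q
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 2,          # type, 32-byte public key
}

def parse_fields(blob):
    """Split a wire blob into uint32-length-prefixed fields, checking every
    embedded length against the bytes actually present."""
    fields, pos = [], 0
    while pos < len(blob):
        if len(blob) - pos < 4:
            raise ValueError("truncated length prefix at offset %d" % pos)
        (n,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if n > len(blob) - pos:
            raise ValueError("field of %d bytes exceeds remaining %d" % (n, len(blob) - pos))
        fields.append(blob[pos:pos + n])
        pos += n
    return fields

def validate_public_key(line):
    """Check one '<type> <base64> [comment]' line; return (type, blob)."""
    parts = line.strip().split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    if key_type not in KNOWN_TYPES:
        raise ValueError("unknown key type %r" % key_type)
    # validate=True rejects stray characters; binascii.Error is a ValueError.
    blob = base64.b64decode(b64, validate=True)
    fields = parse_fields(blob)
    if len(fields) != KNOWN_TYPES[key_type]:
        raise ValueError("%s blob has %d fields, expected %d"
                         % (key_type, len(fields), KNOWN_TYPES[key_type]))
    if fields[0] != key_type.encode("ascii"):
        raise ValueError("type string inside blob does not match declared type")
    if key_type == "ssh-ed25519" and len(fields[1]) != 32:
        raise ValueError("ed25519 public key must be exactly 32 bytes")
    if key_type.startswith("ecdsa-") and fields[1] != key_type[11:].encode("ascii"):
        raise ValueError("curve name inside blob does not match declared type")
    return key_type, blob

def is_valid(line):
    """Boolean form of validate_public_key, like the Perl module's valid()."""
    try:
        validate_public_key(line)
        return True
    except ValueError:
        return False

def fingerprint(line):
    """Return (type, MD5 colon-hex, SHA256 base64) for a validated key line."""
    key_type, blob = validate_public_key(line)
    md5 = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode("ascii")
    return (key_type, ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
            "SHA256:" + sha.rstrip("="))

# The ed25519 public key shown in this post, used as sample input.
SAMPLE_KEY = ("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMcT04t6UpewqQHWI4gfyBpP/"
              "ueSjbcGEze22vdlq0mW skx@shelob")
```

Unlike the awk pipeline, this rejects a blob whose embedded type string or field count disagrees with the declared type; RSA1 keys use a different on-disk format and are deliberately not accepted.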

It is interesting to look at the various key-types which are available these days:

mkdir ~/ssh/
cd ~/ssh/
for i in dsa ecdsa ed25519 rsa rsa1 ; do
  ssh-keygen -P "" -t $i -f ${i}-key
done

I've never seen an ed25519 key in the wild. It looks like this:

$ cat ~/ssh/
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMcT04t6UpewqQHWI4gfyBpP/ueSjbcGEze22vdlq0mW skx@shelob

Similarly curve-based keys are short too, but not as short:

ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLTJ5+  \
 rWoq5cNcjXdhzRiEK3Yq6tFSYr4DBsqkRI0ZqJdb+7RxbhJYUOq5jsBlHUzktYhOahEDlc9Lezz3ZUqXg= skx@shelob

Remember what I said about wrapping? Ha!

Anyway for the moment I've hacked up a simple perl module SSH::Key::Fingerprint which will accept a public key and return the fingerprint, as well as validating the key is well-formed and of a known-type. I might make it public in the future, but I think the name is all wrong.

The only code I could easily find to do a similar job is this node.js package, but it doesn't work on all key-types. Shame.

And that concludes this week's super-happy fun-time TODO-list item.

October 07, 2015 10:56 AM

October 05, 2015

Philip Stubbs

Gear profile generator

Having been inspired by the gear generator found at I decided to have a go at doing this myself.

Some time ago, I had tried to do this in Java as a learning exercise. I only got so far and gave up before I managed to generate any involute curves required for the tooth profile. Trying to learn Java and the math required at the same time was probably too much and it got put aside.

Recently I had a look at the Go programming language. Then Matthias Wandel produced the page mentioned above, and I decided to have another crack at drawing gears.

The results so far can be seen on Github, and an example is shown here.

Gear Profile Example Image

What I have learnt

  • Math makes my head hurt.
  • The Go programming language fits the way my brain works better than most other languages. I much prefer it to Java, and will try and see if I can tackle other problems with it, just for fun.

by Philip Stubbs at October 05, 2015 10:32 AM

October 03, 2015

Adam Trickett

Bog Roll: Green gage chutney

Yesterday we made two batches of chutney: one was green gage and apple plus lots of spice and the second was just green gage based and less spicy. We now have used up all our green gages from this year - at long last...

October 03, 2015 09:20 AM

October 02, 2015

Alan Pope

DevRelCon 2015 Trip Report

Huh, this turned out to be longer than I expected. Don’t feel obliged to read it, it’s more notes for myself, and to remind me of why I liked the event.


On Wednesday I went to DevRelCon in London. DevRelCon is “a one day single track conference for technical evangelists, developer advocates and anyone interested in developer relations” set up by Matthew Revell. I don’t think there’s a lot of difference between my role (defined as Community Manager) at Canonical and Developer Relations so figured it would probably have appropriate content for my role. Boy was I right!

DevRelCon was easily the single most valuable short conference I’ve ever attended. The speakers were knowledgeable, friendly and accessible, and easy to understand. I took a ton of notes, and will distil some of them down here, but will almost certainly keep referring back to them over the coming months as I look to implement some of the suggestions I heard.


The event took place at The Trampery Old Street, in Shoreditch, the trendy/hipster part of London. We had access to a bright and airy ‘ballroom’ and were served with regular drinks, snacks and a light lunch. Free WiFi was also available, which worked well, but I didn’t use it much as we had little time away from the talks.


The day consisted of a mix of long (40 minute) talks, some shorter (20 min) ones, and a few ‘lightning’ talks. Having a mix of durations worked well I think. We started a little late, but Matthew massaged the timetable to claw back some time, and as it was a single track day there was no real issue if things didn’t run to time, as you weren’t likely to run off to another talk, and miss something.

All the talks were great, but I took considerably more notes in some than others, so this is represented below in that I haven’t listed every talk.

Morning Talks

Rob Spectre (Twilio) – Scaling Developer Evangelism

This started off well as Rob plugged in his laptop and we were greeted with an Ubuntu desktop! He started off detailing some interesting stats to focus our minds on who we’re evangelising to. Starting with the 18.2m developers worldwide, given ~3Bn smartphone users, and ~4Bn Internet users that means ~0.08% have the capability to write code. There’s a 6% year on year increase in developers, mostly in developing nations, the ratio is less in the western world. So for example India could overtake every other country’s developer count by ~2017.

Rob talked at length about the structure of Developer Evangelists, Developer Educators and the Community Team at Twilio. The talk continued to outline how valuable developers are, how at Twilio their Developer Evangelists are the ‘Red Carpet’ to their community. I was struck by how very differently we (Open Source projects) and Ubuntu specifically treat contributors to the project.

There was also a section on running developer events, and Rob spent some time talking about strategies for successful events, and how those can feed back to improve your product. He also talked a little about measurement, which was also going to be covered in later talks that day.

Another useful anecdote Rob detailed was regarding conversion of talks into blog posts. While a talk at an event can catalyse the 20-100 people in the room, converting that into a detailed tutorial blog post can bring in hundreds or thousands more.

The final slide in Rob’s talk was “Would you recommend this talk?” with a phone number attendees could send a score to. I thought this was a particularly cunning strategy. There was also talk of using the external IP address of the venue WiFi as one factor to determine the effectiveness / conversion rate of attendees.

Cristiano Betta (Braintree) – Tooling your way to a great devrel team

Cristiano started off talking about BattleHack which I’d not heard of. These are in person events where teams of developers get 24 hours to work on a project fuelled by coffee, cake and Red Bull to be in with a chance of winning a cash prize and an amusing axe.

He then went on to talk about a personal project to manage event sign-ups. This replaces tools like Eventbrite and MailChimp and enables Cristiano to get a better handle on the success of his events.

Laura Cowen (IBM) – Building a developer community in an enterprise world

Laura started off giving some history of the products and groups inside IBM who are responsible for WAS, the public facing developer sites and the struggles she’s had updating them.

The interesting parts for me came when Laura was detailing the pain she had getting developer time to update documentation and engage with users and communities outside their own four walls. Laura also talked about the difficulty when interfacing developers and marketing, their differing goals and some strategies for coping.

I recognised for example the frustration in people wanting to publish everything on a developer site, whether it’s appropriate to the target audience or not. Sometimes we (in Ubuntu) fail to deeply consider the target audience before we publish articles, guides or documentation. I think we can do better here. Pushing back on content creators, and finding the right place for a published article is worth it, if the target audience is to be defended.

Lightning Talks

Shaunak Kashyap (elastic) – Getting the measure of DevRel

In this short talk Shaunak gave some interesting snippets on how elastic measure community engagement. I found a couple interesting ones which I felt we might use in Ubuntu. Measuring “time to first response” for questions and issues by looking for responses from someone other than the first poster. While I don’t think they were actively using this data yet, getting an initial base line would be useful.

Shaunak also detailed one factor in measuring meet-up effectiveness. Typically elastic have 3-4 meet-ups a week, globally. For each meet-up group they measured “time since last meetup”. For those where there was a long delta between one meetup and the next they would consider actions. This could be contacting the group to see if there are issues, offering assistance, swag & ‘meet up in a box’ kits, and finally disbanding the group if there wasn’t sufficient critical mass.

I took away a few good ideas from this talk, especially given recent conversations in Ubuntu about sparking up more meet-ups.

Phil Leggetter (Pusher) – ROI on DevRel

Phil kicked off his short talk by talking about the ROI on DevRel by explaining Acquisition vs Activation. Where Acquisition of new developers might be them signing up for an account or downloading a product/sdk/library. Activation would be the conversion which might be measured differently per product. So perhaps “purchased paid API key” or “submitted app with N downloads”.

Phil then moved on to talk a bit about how they can measure the effectiveness of online tutorials or blog articles by correlating sign ups with traffic coming from those online articles. There was some more discussion on this later on including the effectiveness of giving away vouchers/codes to incentivise downloads, with some disagreement on the results of doing so.

Afternoon Talks

Brandon West (SendGrid) – Burnout

I’ve been to many talks and discussions about burnout in developer communities over the years. This talk from Brandon was easily the most useful, factual and actionable one. I also enjoyed Brandon’s attempts to inject Britishness into his talk which lightened the mood on a potentially very dark topic.

Brandon kicked off with a bit of a ‘woe is me’ #firstworldproblems introduction to his own current life issues. The usual things that affect a lot of people, but all happening at once, becoming overwhelming. We then moved on to defining burnout clearly, and what types of people are likely to suffer (clue: anyone) and some strategies for recognizing and preventing burnout.

A few key assertions / take-aways:-

“Burnout & depression are pathologically indistinguishable”

“Burnout and work engagement are not exclusive or correlatable”

“Those most likely to burnout believe they are least at risk”

“Learn a skill on holiday – the holiday will be more rewarding”

Tim Fogarty (Major League Hacking) – Hackathons as a part of your DevRel strategy

Another great talk which built upon what Cristiano talked about earlier in the day – hackathons. Tim introduced different types of hackathons and which in his experience were more popular with developers and why.

Tim started by breaking down the types of hackathon – ‘hacking’, ‘corporate’ and ‘civic’ with the second being least popular as it’s seen as free labour by developers, and so they’re distrustful. He went on to reasons why people might run hackathons including evangelism, gathering (+ve and -ve) feedback, recruiting and mindshare (marketing).

He then moved on to strategies for making an impact, measuring the effect, sponsoring and how to craft the perfect demo to kick off the event.

Having never been to an in-person hackathon I found this another fascinating talk and will be following up with Tim later.

Jessica Rose – Stop talking about diversity and just do it

Well. This was enlightening. This talk was excellent, and covered two main topics. First the focus was on getting a more diverse set of people running / attending / talking at your event. Some strategies were discussed and Jessica highlighted where many people go terribly wrong, assumptions people make and excuses people give.

The second part was a conversation about the ways in which an event can cater for as many people as possible. Here’s a highlight of some of the ways we discussed, but this obviously doesn’t cover everything:-

  • Attendees and speakers should be able to get in under their own power
  • Meal choices should be available – possibly beyond vegetarian/vegan
  • Code of Conduct
  • Sign language for talks
  • Well lit and safe feeling route from venue to accommodation
  • Space for breastfeeding / pumping, with snacks / drinks nearby
  • Non boozy spaces
  • Prayer room
  • After party with low noise level – and covered by Code of Conduct
  • Childcare
  • Professional chaperones (for under-18s)
  • Diversity tickets & travel grants
  • Scale inclusivity to budget (be realistic about what you can achieve)

Lots to think about!

Joe Nash (Braintree) – Engaging Students

Joe kicked off his fast-paced talk with an introduction to things which influenced how he got where he is, including “Twilio Heroes”. The talk was focussed on the UK University system, how to engage with students and some tips for running events which engage effectively with both CS and non-CS students.

James Milner (Esri UK) – So you want to run a meet-up

James talked about his personal experience running GeoDev Meet-Ups. I found this information quite valuable as the subject is under discussion in Ubuntu. James gave some great tips for running good meet-ups, and had a number of things he’s clearly learned the hard way. I hope to put some of his tips into action in the UK.

Dawn Foster – Lessons about community from science fiction

This was a great uplifting talk to end the day. Dawn drew inspiration from her prolific science fiction reading to come up with some tips for people running community projects. I’ll give you a flavour with a few of them. Each was accompanied by an appropriate picture.

Picture: Star Trek Red Shirt
Lesson: “Participate and contribute in a way that people will notice and value your work”

Picture: Doctor Who TARDIS
Lesson: “Communities look different from inside than when viewing as an outsider”

Picture: Ender’s Game
Lesson: “Age is often unknown, encourage young people to contribute”

Dawn is a thoughtful, entertaining and engaging speaker. I’d certainly like to see more of her talks.

After Party

We all left the venue after the last talk and headed to a nearby trendy bar for a pint then headed home, pretty exhausted. A great event, I look forward to the next one.

by popey at October 02, 2015 02:00 PM