My personal blog is about stuff I do, like and dislike. If you have any questions, feel free to contact. My views and opinions are naturally my own personal thoughts and do not represent my employer or any other organizations.

Privacy Paradox, Riffle, Server Security

posted Aug 14, 2016, 3:28 AM by Sami Lehtinen   [ updated Aug 14, 2016, 3:28 AM ]

  • Studied Privacy Paradox. Well, yes. It's hard to tell people about something which is private and isn't being told to anyone.
  • Read Riffle paper [PDF] - Verifiable shuffle technique, which is supposed to provide bandwidth and computation-efficient anonymous communication. Interesting. Let's see. Riffle requires the servers in the Riffle group to have high-bandwidth interconnects. Only client-server communication is 'bandwidth-efficient'. Of course: "variable-length messages must be subdivided into fixed-length blocks and/or padded to prevent privacy leakage through message size". And as expected: "each client must perform PIR every round to remain resistant to traffic analysis attacks even if the client is not interested in any message". And naturally: "the total grows linearly with the number of clients". Leading to: "the primary limitation is the server to server bandwidth". Summary: Nothing new, just combining old stuff, very nice academic work, tinfoil hat stuff, not practical even in theory. For everyone else except cryptography & anonymization theory geeks this isn't interesting at all. No practical use whatsoever.
kw: Dining-Cryptographer Networks (DC-Nets), verifiable mixnet, cover traffic, delays, mixnets, mixes, deanonymize, anonymize, anonymity, Aqua, anytrust, Riposte, Dissent, private information retrieval (PIR), clients, servers, client server, authenticated and encrypted channels, confidentiality, anonymity, authenticity, end-to-end encryption (E2EE), correctness, honest, adversary, power, security critical information, sensitive, sender, recipient, receiver, publisher, architecture, protocol, protocols, cryptographic, ciphertexts, plaintexts, algorithm, broadcast, trap protocols, trap bits, attack surface, rounds, accusation process, misbehaving server / client, accountable, malicious, secret key, zero-knowledge, plaintext, ciphertext, forgery, tamper, nonce, DeDiS Advanced Crypto library, ElGamal, Curve25519, Neff’s shuffle, Chaum-Pedersen proof, Secretbox implementation, Salsa20 encryption, Poly1305 authentication, Herbivore, Intersection attacks, correlate, networking, network, internet, privacy.
  • Deep breath, deep breath. It seems that some system administrators prefer to configure servers a bit differently than I do... They disable the firewall completely, because it causes problems. They also disable all automatic updates, because those cause problems. Ahem... Well, everyone's got their own style. Actually that might be a good thing, it prevents most of the 'problems' caused by updates and the firewall. But it might cause a major backfire at some point in the future. Who knows. I don't have statistics, maybe things would be just simpler that way. Or maybe not, because these servers are directly facing the Internet with standard Windows Server Services.
  • Something really different? Cookiecutter Shark

Linux & Windows - NTFS differences and potential problems

posted Aug 14, 2016, 2:11 AM by Sami Lehtinen   [ updated Aug 14, 2016, 2:11 AM ]

NTFS file names are quite different on POSIX systems vs on Windows. Some more or less interesting problems might arise from these. I've had experiences earlier where git internals got broken due to file naming confusions and issues.

First create files: testFile, TestFile, testfile, Testfile - Same or different file? On Windows, it's the same file. But on Linux it isn't. From this single observation grow many kinds of interesting cases and problems, which all lead to the same root cause.

With git, some files are named differently on the Linux and Windows versions. The Windows version thinks those files are the same file, whereas on Linux those are different files. It's just something which guarantees that things will get screwed up at some point. This is a similar failure to the failures related to git and NTFS alternate streams, which were reported affecting git users a month or so ago. On Windows, some data goes into an NTFS alternate stream, but on Linux it's being held in its own separate file with only one primary stream. As an example, the files test and test:alternate. Phew, luckily the problems I got were small, but in some cases those might cause major headaches and security & other problems.

I created the files, and the content of each file is the same as its filename. Funny thing is that on Windows when I write type testfile I'll get testFile, testFile, testFile, testFile. It's the content of the first file four times over. It seems that the type command loops through the filename mask, even if I'm not using any wildcards. Probably the loop technically goes through the name variations, but the actual open command always ends up opening the same file.

Yet this is hardly anything unknown. All the issues are well known and are 'features', not bugs. Wikipedia has a nice article about this. POSIX and Windows use different namespaces for NTFS files. "In POSIX namespace, any UTF-16 code unit (case-sensitive) except U+0000 (NUL) and / (slash). In Win32 namespace, any UTF-16 code unit (case-insensitive) except U+0000 (NUL) / (slash) \ (backslash) : (colon) * (asterisk) ? (question mark) " (quote) < (less than) > (greater than) and | (pipe)"

Yet more fun stuff when I use PowerShell instead of cmd: I get an exception when listing files.

PS T:\tst> dir
dir : The given path's format is not supported.
At line:1 char:1
+ dir
+ ~~~
    + CategoryInfo          : NotSpecified: (:) [Get-ChildItem], NotSupportedException
    + FullyQualifiedErrorId : System.NotSupportedException,Microsoft.PowerShell.Commands.GetChildItemCommand

This is because of the test:alternate filename, which I've created on Linux in the tst path. cmd nicely lists the files.

T:\tst> dir
01.08.2016  00:00                18 test:alternate
02.08.2016  00:00                 9 testFile
31.07.2016  00:00                 9 TestFile
31.07.2016  00:00                 9 testFile
31.07.2016  00:00                 9 testfile

Next a few even more complex examples.

One great real world example is .git\logs\refs\remotes\origin\selectTest or SelectTest (Windows path format). On Linux I had both, but with different content. But on Windows, both files have the same content, which is the content of the SelectTest file.

Windows 10 chkdsk did something quite expected. Actually this was just what I was expecting.

Deleted invalid filename test:alternate (51378) in directory 51301.
File 51378 has been orphaned since all its filenames were invalid
Windows will recover the file in the orphan recovery phase.
Correcting minor file name errors in file 51378.
Deleting index entry test:alternate in index $I30 of file 51378.

As stated, POSIX filenaming allows also filenames like \test\file and *test*file* and so on, including backslashes and stars. No surprises there, those just won't work too well on Windows. As well as filename like:
<haX> said: "Are we having fun yet?"
Yes, the previous line is the filename, including <>:"? characters. No problem (on Linux). Let's see what Windows likes about those filenames. I know, | is still missing. Just to be sure, let's create a file with it. And just as expected, it worked flawlessly. So don't be surprised about file names like these. It's perfectly ok.

When using Windows, cmd claims that the directory is empty, and PowerShell and File Manager say that the directory is corrupted and unreadable. Yeah, way to go. That's all folks in this case.

Using chkdsk on Windows removed all files with "invalid file name". As an additional test I also extracted a 7zip file which contained 'invalid file names'. 7-zip seemed to be pretty smart about that and replaced non-allowed characters with _ underscores.
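A pre-flight check for the problems described in this post, as an added example (not code from the original post): it flags names that use Win32-forbidden characters, names that differ only by case, names like test:alternate that Win32 would parse as a stream of an existing file, and names that collide once forbidden characters are replaced with underscores. The function names and the extra sample name test_alternate are assumptions made for the example.

```python
import os
import sys
from collections import defaultdict

# Characters the Wikipedia quote above allows in the POSIX namespace but
# forbids in the Win32 namespace (NUL and '/' are forbidden in both).
WIN32_FORBIDDEN = frozenset('\\:*?"<>|')

# File names taken from the post, plus "test_alternate", which is constructed
# here to show what underscore replacement can run into.
SAMPLE_NAMES = [
    "testFile", "TestFile", "testfile", "Testfile",
    "test", "test:alternate", "test_alternate",
    "\\test\\file", "*test*file*",
    '<haX> said: "Are we having fun yet?"',
]


def forbidden_chars(name):
    """Return the Win32-forbidden characters used in one file name, sorted."""
    return sorted(set(name) & WIN32_FORBIDDEN)


def sanitize(name, replacement="_"):
    """Replace Win32-forbidden characters, as the post saw 7-Zip do on extraction."""
    return "".join(replacement if ch in WIN32_FORBIDDEN else ch for ch in name)


def collisions(names, key=str.casefold):
    """Group names from ONE directory that map to the same key.

    str.casefold() approximates NTFS case-insensitive matching; NTFS uses the
    volume's own upper-case table, so rare non-ASCII cases can differ.
    """
    groups = defaultdict(list)
    for name in names:
        groups[key(name)].append(name)
    return sorted(sorted(group) for group in groups.values() if len(group) > 1)


def audit_directory(names):
    """Return every finding for the entries of one directory."""
    names = list(names)
    present = set(names)
    return {
        "forbidden": {n: forbidden_chars(n) for n in names if forbidden_chars(n)},
        "case_collisions": collisions(names),
        # "name:stream" is Win32 syntax for an alternate data stream of "name".
        "stream_aliases": sorted(
            n for n in names if ":" in n and n.split(":", 1)[0] in present
        ),
        # Superset of case_collisions: also names that only collide after
        # forbidden characters have been replaced.
        "collisions_after_sanitize": collisions(
            names, key=lambda n: sanitize(n).casefold()
        ),
    }


def audit_tree(root):
    """Yield (directory, findings) for each directory under root with a finding."""
    for dirpath, dirnames, filenames in os.walk(root):
        findings = audit_directory(dirnames + filenames)
        if any(findings.values()):
            yield dirpath, findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for directory, result in audit_tree(sys.argv[1]):
            print(directory, result)
    else:
        print(audit_directory(SAMPLE_NAMES))
```

Run it on the Linux side against a working tree or an archive's extracted contents before the same NTFS volume is opened from Windows.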

Ref: Wikipedia NTFS

Loyalty programs and customer data collection

posted Aug 14, 2016, 2:04 AM by Sami Lehtinen   [ updated Aug 14, 2016, 2:06 AM ]

  • Finally Finland's largest retail chain announced that they're going to utilize the customer loyalty data. I've been wondering for a long time why they provide loyalty cards and register them with transactions if they don't actually utilize the data. During all this big data hype stuff, it sounds silly that someone's got all the data, but they're not using it for anything. Yet I guess that's the norm in many places. There's data, but it isn't being used. Or is minimally used. Like in this case it was used to track the monthly purchase sum, but there's just so much you could use the data for. Some people are horrified that their purchases are being tracked. Of course those have been tracked all the time. It's just that the information collected hasn't been well visible to them. All the data is still there and it's required by law to be kept for 7 years, so I'm pretty sure they've got it. So if you use any kind of loyalty card, don't be shocked if that information is used for something else than just getting discounts. Also the S-Group advertising has been extremely bad. They often offer products that I've already got, even if they well know it. As they said in one post, yes, it makes customers think that they've got a bunch of dorks at their advertising and IT department. Or maybe their staff is just highly incompetent or totally lazy. I can just post random badly made advertising to everyone. I could do a better job, but I just don't really care. I think I've criticized them about exactly this earlier. If the targeted advertising is done right, it's just beneficial for both parties and data isn't being "abused" for other purposes. S-Group is so large that someone would notice if they abuse data. I've also written about collected data abuse.
A data researcher could just copy data, take it home and as a "criminal independent actor" do all kinds of "illegal" mix and match processing with it, and then give back the summarized reports, which are based on combining information in ways which aren't allowed by law. But who knows that. Here's my report, ahem, I forgot to mention sources. I know they trust me. So don't ask any questions you don't want to get answers for. If anything bad happens, they can always blame the independent actor, even if the process was totally "approved" by the management unofficially. Even better, someone makes the code and process ready. And then the "summer worker", who just doesn't know that running the batch with this particular data would be illegal, runs it. Hahah. Isn't this how things work (?). This is a bit harder in the EU than it is in the US, but sure there are ways to get it done, if it's profitable enough. At these times of big data, if there's something you want to hide. How about not doing it at all? Some people were very worried that their alcohol purchases are being tracked. If you drink so much it's a problem, how about cutting it or stopping completely? Related to the topics: chilling effect, panopticon, self-censorship and privacy.
  • I also used their NFC loyalty program with Mobile Phone & App and it worked perfectly. Awesome. I've just seen way too many technical fails so I wasn't expecting it to work well, but it did. Of course we can derive many tinfoil hat theories from this. All information collected, may and can be used against you. It will be seen in court later what will happen.
  • Very nice related blog post by Petteri Järvinen: Who's benefiting from customer data collection (in Finnish). Well. It didn't contain anything new at all and I agree with it. But that's just because all the stuff said in it was blatantly obvious.
  • Some other discussion brought up exactly the same point I've written about earlier. All modern POS systems already collect this information by default, and have been collecting it for a long time. So there's nothing new about this. As soon as the 'integrated payment terminal' was the norm, since then it has been totally obvious that the information IS there, always when you pay by card. Or even without integration it would be possible to combine that information. It just hasn't been fully 'pre-processed', but that doesn't mean that the information wouldn't be recorded, nor available if required after just jumping through a few hoops.
  • Just like in one security audit, it was a clear requirement that all logging and history data has to be kept by the systems, preferably for 5 years. There just isn't one single location to quickly and easily fetch it from. But if required, it can be collected and processed as part of forensic analysis. Yes, it will take time, and require an effort, but is doable if required. Related Security Information and Event Management (SIEM).
  • As I've written earlier, it would also be nice if the customer would get some actual benefits from the loyalty program. Some loyalty programs provide really marginal benefits to the actual customer. That's why I simply opt out. If I would opt in I would need to give them my info, they would spam me with ads, and I still would benefit maybe 5€ / year from the loyalty program if I'm lucky. Is that really worth it? Plus many loyalty programs require me to carry an awkward loyalty card or something similar. Why would I do that for 5€ / year? No way.

Databases, Computer Science, User Preferences, Loyalty Apps, DDG, Skype, Ransomware, Riffle

posted Aug 7, 2016, 10:07 AM by Sami Lehtinen   [ updated Aug 7, 2016, 10:07 AM ]

  • Interesting database article: Why Uber Engineering Switched From Postgres to MySQL - Lots of information about indexing, transactions, replication, MVCC, WAL, data structures and commit internals. And an even more interesting reply to that post by Oren Eini. Great comments and insights, I liked the reply more than the original post.
  • Studied Translation lookaside buffer (TLB) - Haven't actually heard the exact term, but looks like a standard caching procedure for address mapping information aka Address translation. Memory Management Unit (MMU) was naturally very familiar to me. And of course the huge & large memory pages as well as Page Size Extension (PSE) + classic Physical Address Extension (PAE) + Virtual Memory.
  • I forgot to mention one thing. User search is also a miserable failure. Especially if searching with name, instead of exact email address or phone number.
  • It's sometimes funny to notice how much different viewing options affect users. Some users watch stuff ONLY from Netflix. Some prefer ONLY traditional TV. Some do use other cloud services, like those provided by TV stations. And some do prefer a traditional downloadable file instead of streaming. This separates users into pretty different groups. Because if you try to 'share' media between user groups, it's probably going to fail. No, I won't watch TV. No I don't have Netflix. No I don't want to download files. Well, I guess Youtube is the most universal option of these. Afaik, Vimeo is better. But nobody uses it.
  • Started to use NFC loyalty cards as a mobile App. This is pretty handy after all. I've always deeply hated stupid loyalty and member cards. It doesn't make any sense to carry such junk with you.
  • DuckDuckGo search has been failing repeatedly today. (20170727, YYYYMMDD)
  • Great work Microsoft. Skype does actually lose messages, even if it's MS cloud based. That's something that can't be tolerated. There has to be better option out there. Microsoft has successfully totally ruined Skype.
  • Ransomware as a Service (RaaS). Nice new cloud models and out sourcing are big business in cyber crime too.
  • Quickly checked out several posts about Riffle anonymous proxy. But it seems that most of the articles are absolutely horrible fluff. No information value at all. I'll have to read the original paper and think about it hard. I think things then will make sense, or not. I'll make a separate post about it with my thoughts.

SQL injection, Kernel 4.7, Wire, Dependency Injection, Inversion of Control, Double Ratchet Algorithm

posted Jul 31, 2016, 9:44 AM by Sami Lehtinen   [ updated Jul 31, 2016, 9:48 AM ]

  • Some developers are so afraid of SQL injection that they come up with interesting solutions. I tried to search for 'selection' but the search always turns out only for 'ion'. Also if looking for deletion or insertion, the search also turns out only for 'ion'. So they're stripping the SQL commands which they're so afraid of from user input. Interesting way to deal with the issue. But doing that basically introduced usability issues which can be counted as a bug. High five for your security team. This also reminds me of services which strip all ' from strings, just to be sure. They're not stripping drop or create table commands, interesting logic there. Probably the user account doesn't have rights to drop or create tables, because those aren't being filtered.
  • Briar - Is just something what I've envisioned and blogged about. Secure mesh networking for short range and / long range over the secure network (Tor) communications.
  • Linux kernel 4.7 released - Release notes - Foo over UDP IPv6 made me laugh. It's one quite simple way to deal with things. Anything over anything can always be done, if there's any way to transmit data. - ARM64 NUMA support is nice. - Wow, there was just so much awesome stuff, that those are just two things that popped up and got my attention while checking the release notes. But most importantly Briar also hides meta data and communication patterns. At least to some degree, low latency always reveals some comm timing patterns, when collected statistically over time. That's also where Tor traffic confirmation & correlation attacks are, if there's a global adversary which can monitor all traffic patterns, not data.
  • After some testing, decided that is way too buggy. There are horrible fails which totally ruin user experience and user has to work hard to get around those fails. Yet the issues didn't seem too big, so I wonder why they haven't bothered to fix those. Most of the issues were really basic fails, which just gives you the impression of ad hoc experimental code, which hasn't been actually designed to be used by normal users, but alpha testers who are able to figure out how to do things so that those work, instead of just expecting it to guide you so that everything works. - It's like they haven't used 5 minutes to test it. So fundamental, clear and obvious many of those flaws are. - Of course it's one way to work. We know it's broken, and we don't care. If you choose to use it, just do. If you whine, don't use it. There are plenty of other chat apps out there.
  • Read bit more about Dependency Injection. It's so obvious that actually the first Java program I wrote for production used it. That's back in 1997. I just didn't use any hype stuff for it but standard Java. The program was written from the very beginning to support 'customer specific plugins' which would extend a few base classes. Which naturally leads to Inversion of Control in this case. Also the service which contained customer specific code module was then injected in the main program client which to do the customer specific tasks.
  • Reminded myself about the Double Ratchet Algorithm, also known as Axolotl. Most important stuff quoted from Wikipedia: "The protocol provides confidentiality, integrity, authentication, participant consistency, destination validation, forward secrecy, backward secrecy (aka future secrecy), causality preservation, message unlinkability, message repudiation, participation repudiation, and asynchronicity. It does not provide anonymity preservation, and requires servers for the relaying of messages and storing of public key material." - The constant DH operations are also the reason why it's so slow. Telegram does that kind of key renewal only weekly or between every 100 chat messages. Yet Telegram doesn't support secret chat session initialization unless the other party is also online to provide required keys.
  • Finished my summer reading Data and Goliath by Bruce Schneier. Nothing new. But a good summary. Everyone is being watched, monitored, recorded and logged. As well as even if data is 'deleted' there's no guarantee of it ever going away.
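The keyword-stripping search from the SQL injection bullet above, next to a bound-parameter query that needs no stripping, as an added example (not code from the service the post describes). The keyword list, table and sample rows are constructed for the example.

```python
import re
import sqlite3

# Assumed keyword list: the post only shows that searches for 'selection'
# and 'insertion' come back as searches for 'ion'.
_KEYWORDS = re.compile(r"select|insert|delete|update", re.IGNORECASE)


def strip_filter(term):
    """The blacklist approach the post describes: drop SQL keywords and quotes."""
    return _KEYWORDS.sub("", term).replace("'", "")


def make_db():
    """In-memory table with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
    db.executemany(
        "INSERT INTO articles (title) VALUES (?)",
        [
            ("Natural selection",),
            ("Code insertion points",),
            ("Ion exchange",),
            ("O'Brien on deletion",),
        ],
    )
    return db


def like_pattern(term):
    """Escape LIKE wildcards so the search term is matched literally."""
    escaped = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    return "%" + escaped + "%"


def search_filtered(db, term):
    """The 'before': mangle the input, then build the SQL text by concatenation."""
    cleaned = strip_filter(term)
    sql = "SELECT title FROM articles WHERE title LIKE '%" + cleaned + "%' ORDER BY id"
    return [row[0] for row in db.execute(sql)]


def search_parameterized(db, term):
    """The 'after': the term is bound as data and never becomes part of the SQL text."""
    sql = "SELECT title FROM articles WHERE title LIKE ? ESCAPE '\\' ORDER BY id"
    return [row[0] for row in db.execute(sql, (like_pattern(term),))]


if __name__ == "__main__":
    db = make_db()
    for term in ("selection", "O'Brien"):
        print(repr(term), "filtered:", search_filtered(db, term))
        print(repr(term), "parameterized:", search_parameterized(db, term))
```

With bound parameters the input can contain SQL keywords and quotes without any filtering; restricting the database account's rights, as the post guesses was done for drop and create, stays a separate layer.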

User Experience (UX), WiFi, Xubuntu, Error Messages, Telegram, Wire, Python, PRINCE2, Health

posted Jul 23, 2016, 2:06 AM by Sami Lehtinen   [ updated Jul 31, 2016, 9:41 AM ]

  • Linux User Experience. It took quite a while for me to figure out why WiFi / WLAN wasn't working. Reason? The Access Point (AP) was configured to use the n standard. But the old device only supported the g standard. Guess what, Xubuntu doesn't indicate any kind of reason for this fail. It just tries to connect for a long time, and then fails. Yet another example of engineering, how to totally fail and even fail to give any kind of feedback or reasonable error message. After wondering for a while, I enabled gn mixed mode, and tada, everything started to work. Yet, the network list nicely shows the n network and prompts for password, even if the device naturally can't join the network. - Thank you once again for great engineering guys. - Phew.
  • Based on the previous statement, I've always deeply liked applications which provide excellent feedback. Maybe I'll make my next program bullet proof? What? Really? Yes. It starts with a try: statement, then all the meaningful code, basically 'main()', and then there's except: with print(random.choice(['Fail', 'Error', 'Problem', 'U mad', 'Oh crap', 'Try again', 'Please fix it', 'Invalid user', 'Tough luck', 'You suck', 'Suddenly the Dungeon collapses'])). No help text, nor any further explanation. If something is wrong, it's the stupid user's fault. Because he/she's not using the program correctly. Please fix the fail (whatever it is), and try again (later). - Thank you. Ok ok, this is pretty much in BOFH category, but some programs are just like this. Actually not catching the exceptions would provide the default stack trace and give even some feedback and possibly meaningful exception information. But doing it like this just makes solving the problem much more fun for the end users. Technically the application never crashes, it's a totally well managed exit. So it's great!
  • I'm wondering if the 'Telegram Secret Chat Canceled' is a bug, feature, design flaw or something else? Does anybody know? It's just so annoying that the secret chats get canceled more or less randomly. It's because of chats getting "out of sync". But that shouldn't happen. What's the root cause of the problem? Is there some kind of security consideration which is the source of the 'problem', so it's by design like that? Or is it some kind of fail? Anyway, it's guaranteed to deliver bad user experience (UX). But that's nothing new. It seems that this issue has persisted for several years. I think it's triggered by the immediate key renegotiation failing due to timeout or something like that. But what are the related parameters and so on?
  • Checked out Dependency injection. There are tons of frameworks which implement this for Python.
  • Tried Wire, immediately found out that the app delivers poor user experience (UX). Phone number entry sucked totally. Place holder stuck in place, country code separation very unclear. Confirmation entry sucked, link didn't work, required manual re-entry. Great, awesome start. Got issues with audio calls, even on 300 Mbit/s 5 GHz WiFi / WLAN and 1 Gbit/s Internet connection. If something is a fail, that is. Well. Gotta test it with friends too. But first impression wasn't that great. There are still many things to fix. Their web client is also broken, lulz. Great error message once again: "Problems with the connection. Please try again.". That doesn't mean anything at all, it's just as useful as the ridiculous error messages I've written about a few bullet points earlier.
  • Read a book about healthy living, it contained a ton of information. Yes, all the common topics we all see in TV documentaries, doctor shows, and on every healthy living website. Nothing new. But it's good to remind yourself about stuff like that every now and then. Less calories, more nutrients, daily schedule and so on.
  • Read requirements for PRINCE2 certification and related documentation.

NFC loyalty / payment card, Telegram Data Retention Policy, Bad Code(?), Skype, Tosibox

posted Jul 22, 2016, 1:20 AM by Sami Lehtinen   [ updated Jul 22, 2016, 1:20 AM ]

  • I'm just wondering why the NFC credit card with loyalty features needs to be read twice when paying, even if the loyalty information has been registered earlier in the transaction. That's about it, I wonder what kind of engineers write this software. A) I register my loyalty identity using the card. B) Then it comes time to pay. I show the card, it says, loyalty information registered. C) Then I'll show the card again, and now the payment is accepted. Why why why, those fail guys got the step B? It's just repetition of the step A. It doesn't make any sense, and makes the process suck. - Thank you engineers, once again.
  • I asked about Telegram chat history retention policy. It's just as it says on their page, but it's written in bit confusing style. So to make it clear. Telegram chat history is kept forever on Telegram servers / cloud / database. Unless, all parties of the chat delete it. Which basically means that most of chats are kept forever. And that's good to remember. If you delete something from chat, you'll only remove it from your personal view. It's still maintained in cloud for everyone else. Just as they say, you can send stuff to cloud and 'delete it', but it actually doesn't mean anything at all. When it's out there, it's there forever. kw: Telegram, chat, message, history, data, retention, deletion, removal, policy, IM, instant messaging, privacy, security.
  • To continue about crappy code. In one project there's an integration (not written by me) which has an option to write output as UTF-16 or CP1252. If you enable the option to write out CP1252 files, the data export gets just much slower. I wondered what the option was actually doing. It was pretty clear. If the cp1252 option is enabled, add '.tmp' to the export filename. Then run the export code as usual. After that open the temp file and read it into memory as one large string. Then remove every second byte from the string and then write it back to disk. - That's marvellous. First of all, it doesn't give a damn about character encodings actually. It'll basically work with < 128 ASCII by design. As well as it's phenomenally slow, because it modifies the string in memory over and over again. - But as being said, it still works. And for exports which aren't too big, the time is only a few minutes, so it doesn't matter either when it's run in a nightly batch run. Why bother doing things in a complex way, when a simple way works? Ehh... This code has been in production for over 10 years and works well. So there's nothing to complain about it actually. Maybe just a few core weeks or months wasted, but nobody really cares about that. I'm not sure if this works in category, acceptably bad, good enough. But based on the fact that it has been used for so long, I think it does. Yes, it could be in some cases a problem, but in this case it wasn't. So what's the problem? I've seen similar implementations of \r\n to \n conversion. Horrible, but it just works.
  • Microsoft kills Skype for Linux no more P2P the cloud will be only option. So much about 'distributed' or 'P2P' IM systems. They want full control.
  • Checked out Tosibox - It's a box designed to provide a secure network for systems which require security. Yet when checking the list, the first question is whether some of the systems should be connected to the Internet at all. That's the question which has been asked in many cases when something bad has happened. Their use cases list businesses like: Water & Wastewater, Security, Robotics, Lightning, Industry Automation & Machinery, Home Automation, Food & Beverage, Energy Sector and Building Automation. Ahem, some of these sectors are guaranteed to gather interest from extremely competent attackers. Just makes me wonder. Nothing, nothing at all against Tosibox, their products seem great and well. It's much better that there's a proper attempt to secure systems. But the question remains if it's enough. Based on what we've seen in other cases, the answer most likely is, no, it doesn't actually help. But it makes things a bit harder for attackers.
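The UTF-16 to CP1252 export from the crappy code bullet above, with the "drop every second byte" approach next to a streaming transcode that fails loudly on characters CP1252 cannot represent, as an added example (not the integration's own code). It assumes the export is UTF-16 little-endian without a byte order mark; the function names and sample text are constructed.

```python
import codecs
import io


def drop_every_second_byte(data):
    """What the post describes: keep only the low byte of each UTF-16LE code unit."""
    return data[::2]


def transcode_utf16le_to_cp1252(src, dst, chunk_size=64 * 1024, errors="strict"):
    """Stream src (binary, UTF-16LE) to dst (binary, CP1252) in fixed-size chunks.

    The incremental decoder buffers a code unit that is split across two
    chunks, so no chunk boundary can corrupt a character. With errors="strict"
    a character that CP1252 lacks raises UnicodeEncodeError instead of being
    written out as a wrong byte. Returns the number of bytes written.
    """
    decoder = codecs.getincrementaldecoder("utf-16-le")()
    encoder = codecs.getincrementalencoder("cp1252")(errors)
    written = 0
    while True:
        chunk = src.read(chunk_size)
        final = not chunk  # an empty read means end of input
        out = encoder.encode(decoder.decode(chunk, final), final)
        dst.write(out)
        written += len(out)
        if final:
            return written


if __name__ == "__main__":
    text = "Hinta 5 €, määrä 3"  # constructed sample line
    exported = text.encode("utf-16-le")

    naive = drop_every_second_byte(exported)
    print("byte dropping correct:", naive == text.encode("cp1252"))

    out = io.BytesIO()
    transcode_utf16le_to_cp1252(io.BytesIO(exported), out, chunk_size=3)
    print("streaming correct:", out.getvalue() == text.encode("cp1252"))
```

Memory use stays at one chunk regardless of export size, and the odd chunk size in the demo exercises the split-code-unit case.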

Diceware, Dvorak, Mobile Hotspot, DDoS, Programming, Windows 10 Networking Update

posted Jul 21, 2016, 2:51 AM by Sami Lehtinen   [ updated Jul 23, 2016, 2:10 AM ]

  • Diceware - I can't believe I haven't written about this topic. Of course this is all old stuff and I, as everyone else, have known about this for ages. But just not mentioning it is a fail. Anyway. Diceware is one way to generate passwords. I don't personally really like it, because it makes passwords so long. I prefer a higher level of entropy and shorter passwords. Yet as mentioned before, I often consider passwords just as pre-shared keys. Don't care about the content, as long as it's random enough. The only thing which I think is great with Diceware is the fact that it can actually make entering complex passwords fast on mobile, where there's Swype or a similar keyboard in use. Because the words being used are already in the dictionary it could be great. The only bad thing is that most apps actually disable the dictionary when entering a password. Which basically works against this entry method. Then you have to write a really long password without the dictionary, which is painful. Even more painful than entering a shorter complex password? Also shorter complex passwords can be learned without any problem when being used daily. I'm not providing any examples, because I have my own set of password derivation systems.
    EFF New Wordlists for random Passphrases - "It contains many vulgar words" - Hahah. I wonder why people are so sensitive about passwords. If your totally random password is ub1G sH17 h3!d. What's wrong with that. Trust me, it's totally random. Nothing personal. Some password generators even have rules of filtering out offending passwords. But why? It reduces number of available options and entropy therefore.
  • Dvorak - Another thing, which everybody should know. I've known and used. But it seems that I haven't blogged about it. I've even used the Finnish DAS version of it for a few years. Unfortunately many environments don't provide it by default. It would be just so awesome if Windows & Linux & Android would allow selecting the Finnish (DAS) keyboard when required. But without pre-existing support, it's too annoying to configure it. Even if the number of systems I use daily is quite limited.
  • How hard can it be to turn on Mobile Hotspot and join it with a laptop. There are just so freaking hopeless people out there. Sigh. Well, it worked, but it took more than one hour. It seems that WiFi (WLAN) is some kind of higher class of science which requires 10 years of academic studies + 10 years of experience to set up and use.
  • Absolutely awesome postmortem from Status Exchange Network. Also gives a good view of how trivially easy it is to DDoS a website to its knees, if it contains absolutely horrible and extremely bad recursive code. It's a good question why this trimming happens at view time and not when the data is being saved? Afaik, it's also a bad choice. Why do the same task several times, if doing it once is enough? - Laughable fail, but that happens. I've often mentioned that many programmers don't have a clue what their code actually does. It just works. This should be one of the classic examples.
  • Some neat stuff Windows 10 Anniversary update contains: TCP Fast Open (TFO) for zero RTT TCP connection setup. IETF RFC 7413, Initial Congestion Window 10 (ICW10) by default for faster TCP slow start, TCP Recent ACKnowledgment (RACK) for better loss recovery (experimental IETF draft), Tail Loss Probe (TLP) for better Retransmit Timeout response (experimental IETF draft) and TCP LEDBAT for background connections IETF RFC 6817. - Yet all of those options were preknown to me, many of those weren't actually used. Except TFO. I've often also tweaked TCP stack settings for systems which require some tuning. It's neat to hear that those are being used by default and do not require registry or tuning with sysctl on Linux. But as we've seen, it'll probably take a long time before applications and server software support those features. Except of course some high end projects like web browsers and most common web servers, etc.

NFC tags, RF shielding, intelligence & covert action, cyber security, CloudFlare, Access Controls & Audits

posted Jul 18, 2016, 9:07 AM by Sami Lehtinen   [ updated Jul 18, 2016, 9:07 AM ]

  • Read more about ISO/IEC 14443 tags. I've been writing some NFC related integrations. But I haven't had to deal with the low level stuff ever. Usually the application just uses a "unique blob" and I don't care what that is. I got to the page because I was interested in ATQA, SAK and ATS values + wanted to know how long the UID is. Even if some apps seem to call it Serial Number? Which basically is the same thing. I'm glad that the password protection features worked well with NFC tags. As I've reported earlier, some Eddystone Bluetooth Beacons are totally broken and basically won't allow setting any other than the static default password. Which of course is a major security fail.
  • Configured a few tags to configure Guest WiFi + Open Company Web Page whenever touched. That's pretty neat. Printed a few standard plastic credit card size cards with NFC symbol and WiFi information for reception and meeting rooms.
  • Added internal tinfoil lining to my wallet to prevent remote NFC card reading without taking cards out of the wallet. It worked really nicely.
  • Watched long documentary about intelligence services and covert action and sabotage they're taking. Small groups of hackers, seeming to be independent actors. Naturally most of interesting questions and topics were classified and not discussed publicly. KW: Zero Day Attacks, Intelligence, Espionage, Sabotage. Quick Money, Hacktivist, Sending Political Message, Nation-State Actors, Cyber Weapons, Cyber Command, Air Gap Jumping, Weaponized Code, Advanced Capacity and Capability is highly Classified, International Law. Everything you can get away with is ok in Cyber Realm. Cyber-Attack Targeting and Intelligence. Critical Infrastructure Vulnerabilities. Botnets, Destructive Activities. Computer System Knock Out, State-sponsored Cyber Sleeper Cells, Data Exfiltration, Infiltrated Command And Control Systems, Nitro Zeus, Attribution hard.
  • New article about CloudFlare: We Have a Problem. Well, I think the article didn't provide any new information. That's just how CloudFlare works. For some cases it's ok, and for others, it isn't. I do use CloudFlare for a few free sites, but none of the business sites are using it. Also SPAs got mentioned. MitM risks, maliciously intercepted traffic, dragnet interception, TLS/SSL breaking, and so on.
  • The same issues apply to running your own email server. Sure it can be hacked, of course. But it still requires someone bothering to do so. Instead of collecting your data directly from 'cloud hosted email' as the usual mass surveillance.
  • News broke out that a health care system allowed people to watch highly confidential diagnosis information of individuals without that access being logged. Surprised? - No. That's just how things usually work. In many cases the system isn't being used as it's designed, and when there are such changes, some of the other features break simultaneously. In this case they claimed that the 'browsing mode' was only meant for system administrators. But for some reason it was enabled for other personnel too. - Business as usual. There's nothing surprising with that. Things like this happen all the time. The system is designed for case A, but then there's some kind of need which requires configuration changes, and then those are made as cheaply and quickly as possible. Which usually means that all the security controls and other 'what if' cases are purely forgotten. Because now it 'works' as they wanted it to work. And they can do what needs to be done.

Kali, Tails, Data Structures, Synchronization, Bitcoin Security, WiFi, H2, Warrant, E2EE, Mr.Robot

posted Jul 16, 2016, 1:26 AM by Sami Lehtinen   [ updated Jul 16, 2016, 1:26 AM ]

  • Did a set of training tasks & experiments with Kali and Tails. Just to maintain capability and skills if and when required.
  • Very nice article Data structures for external memory - Liked it, timings, measurements, different approaches and solutions.
  • Linux kernel synchronization primitives - sequential locks - That's one way of doing it. Using a counter and checking it is very efficient. Yet it can lead to a situation where a lot of resources are wasted because tasks need to be repeated. Of course this is one of the problems that such locking could cause. This is one example of 'opportunistic locking' (OpLock), as it's called in Windows, or Optimistic Concurrency Control. I've written a lot about it earlier.
  • A list of Bitcoin related computer security incidents - Btw. This is quite an awesome list. 38 incidents listed so far. Race condition, account take over, social engineering, backups, application vulnerabilities, insiders. All kinds of attack vectors were used. Often even one trick isn't enough, they combine multiple to get around the obstacles preventing a successful hack.
  • Reminded myself about WiFi interference - troubleshooting basics. Nothing new. I knew it all. But if you are having trouble with WiFi, it's worth checking this out.
  • Real–world HTTP/2: 400gb of images per day - That's one of the reasons why I've implemented HTTP/2 (h2 and h2c) for my services.
  • Asciinema - Why Python is better than Go - They listed all the stuff why I also really like Python.
  • Mr.Robot Easter Egg for S02E01 - Nice, nothing surprising yet. All 'standard' and well known encodings.
  • Microsoft: Our search warrant case: An important decision for people everywhere - This is an interesting case. And something we've been waiting to see out. I personally think this is the only sane way to get it done and follows the Privacy Shield policies.
  • Telegram E2EE encryption is much faster than WhatsApp's. I guess WhatsApp is doing some overkill public key encryption repeatedly on every message, making it slow and consuming a lot of battery and CPU resources. Afaik, that's a bit excessive. Like generating a fresh 2048 bit RSA key for every individual message and signing it with a long term RSA key. Aka, ephemeral keys for every message. Yes yes, I know. There's documentation available which I could read. But I'm not that interested right now. I'm just reporting poor UX, which in this case isn't great because of the slowness. Telegram's approach, where the key is renewed using a 'sane' interval, is much better.
  • Something different? Checked Russian Tupolev Tu-214R ELINT aircraft specifications.
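
The retry cost mentioned in the sequential locks item above, shown as an added example (not code from the linked article or the kernel; `seqlock`, `pair`, `write_pair` and `read_pair` are hypothetical names). It is a deterministic single-threaded simulation: the "concurrent" writer is injected in the middle of the read, and a real multi-threaded version would also need memory barriers and race-free data accesses.

```c
#include <stdatomic.h>
#include <stdio.h>

/* Minimal user-space sequence lock; illustrative, not the kernel's seqlock_t. */
struct seqlock { atomic_uint seq; };
struct pair { int a, b; };               /* invariant: b == 2 * a */
static struct seqlock lock;              /* seq starts at 0 (even = idle) */
static struct pair shared = { 1, 2 };

static void write_pair(int a) {
    atomic_fetch_add(&lock.seq, 1);      /* odd: write in progress */
    shared.a = a;
    shared.b = 2 * a;
    atomic_fetch_add(&lock.seq, 1);      /* even: write complete */
}

static unsigned read_begin(void) {
    unsigned s;
    while ((s = atomic_load(&lock.seq)) & 1u)
        ;                                /* writer active: wait for even */
    return s;
}

static int read_retry(unsigned start) { return atomic_load(&lock.seq) != start; }

/* Reads a consistent snapshot into *out. `interfering_writes` simulates a
 * writer that updates the data in the middle of the first N read attempts
 * (constructed interleaving). Returns how many attempts were thrown away. */
static int read_pair(struct pair *out, int interfering_writes) {
    int wasted = 0;
    for (;;) {
        unsigned s = read_begin();
        out->a = shared.a;
        if (interfering_writes > 0) {    /* writer sneaks in between fields */
            write_pair(shared.a + 1);
            interfering_writes--;
        }
        out->b = shared.b;
        if (!read_retry(s))
            return wasted;               /* counter unchanged: snapshot is good */
        wasted++;                        /* torn read detected and discarded */
    }
}

int main(void) {
    struct pair p;
    int wasted = read_pair(&p, 3);
    printf("a=%d b=%d wasted_attempts=%d\n", p.a, p.b, wasted);
    return 0;
}
```

The reader never blocks the writer, but every write that lands during a read costs the reader one full repeat, which is the wasted work the item describes.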
