My personal blog is about stuff I do, like and dislike. If you have any questions, feel free to contact. My views and opinions are naturally my own personal thoughts and do not represent my employer or any other organizations.


User Experience (UX), WiFI, Xubuntu, Error Messages, Telegram, Wire, Python, PRINCE2, Health

posted Jul 23, 2016, 2:06 AM by Sami Lehtinen   [ updated Jul 23, 2016, 2:11 AM ]

  • Linux User Experience. It took quite a while for me to figure out why WiFi / WLAN wasn't working. Reason? The Access Point (AP) was configured to use the n standard, but the old device only supported the g standard. Guess what, Xubuntu doesn't indicate any kind of reason for this fail. It just tries to connect for a long time, and then fails. Yet another example of engineering, how to totally fail and even fail to give any kind of feedback or reasonable error message. After wondering for a while, I enabled gn mixed mode, and tada, everything started to work. Yet the network list nicely shows the n network and prompts for a password, even if the device naturally can't join the network. - Thank you once again for great engineering guys. - Phew.
  • Based on the previous statement, I've always deeply liked applications which provide excellent feedback. Maybe I'll make my next program bullet proof? What? Really? Yes. It starts with a try: statement, then all the meaningful code, basically 'main()', and then there's except: with print(random.choice(['Fail', 'Error', 'Problem?', 'Oh crap', 'Try again', 'Please fix it', 'Invalid user', 'Tough luck', 'You suck', 'Suddenly the Dungeon collapses'])). No help text, no further explanation. If something is wrong, it's the stupid user's fault. Because he/she's not using the program correctly. Please fix the fail (whatever it is), and try again (later). - Thank you. Ok ok, this is pretty much in the BOFH category, but some programs are just like this. Actually not catching the exceptions would provide the default stack trace and give even some feedback and possibly meaningful exception information. But doing it like this just makes solving the problem much more fun for the end users. Technically the application never crashes, it's a totally well managed exit. So it's great!
  • I'm wondering if the 'Telegram Secret Chat Canceled' is a bug, feature, design flaw or something else? Does anybody know? It's just so annoying that the secret chats get canceled more or less randomly. It's because of chats getting "out of sync". But that shouldn't happen. What's the root cause of the problem? Is there some kind of security consideration which is the source of the 'problem', so it's by design like that? Or is it some kind of fail? Anyway, it's guaranteed to deliver bad user experience (UX). But that's nothing new. It seems that this issue has persisted for several years. I think it's triggered by the immediate key renegotiation failing due to timeout or something like that. But what are the related parameters and so on?
  • Checked out Dependency injection. There are tons of frameworks which implement this for Python.
  • Tried Wire, immediately found out that the app delivers poor user experience (UX). Phone number entry sucked totally. Placeholder stuck in place, country code separation very unclear. Confirmation entry sucked, link didn't work, required manual re-entry. Great, awesome start. Got issues with audio calls, even on 300 Mbit/s 5 GHz WiFi / WLAN and a 1 Gbit/s Internet connection. If something is a fail, that is. Well. Gotta test it with friends too. But the first impression wasn't that great. There are still many things to fix. Their web client is also broken, lulz. Great error message once again: "Problems with the connection. Please try again." That doesn't mean anything at all, it's just as useful as the ridiculous error messages I wrote about a few bullet points earlier.
  • Read a book about healthy living, it contained a ton of information. Yes, all the common topics we all see in TV documentaries, doctor shows, and on every healthy living website. Nothing new. But it's good to remind yourself about stuff like that every now and then. Fewer calories, more nutrients, daily schedule and so on.
  • Read requirements for PRINCE2 certification and related documentation.

NFC loyalty / payment card, Telegram Data Retention Policy, Bad Code(?), Skype, Tosibox

posted Jul 22, 2016, 1:20 AM by Sami Lehtinen   [ updated Jul 22, 2016, 1:20 AM ]

  • I'm just wondering why the NFC credit card with loyalty features needs to be read twice when paying, even if the loyalty information has been registered earlier in the transaction. That's about it, I wonder what kind of engineers write this software. A) I register my loyalty identity using the card. B) Then it comes time to pay. I show the card, it says, loyalty information registered. C) Then I show the card again, and now the payment is accepted. Why why why do those fail guys have step B? It's just a repetition of step A. It doesn't make any sense, and makes the process suck. - Thank you engineers, once again.
  • I asked about Telegram chat history retention policy. It's just as it says on their page, but it's written in a bit confusing style. So to make it clear: Telegram chat history is kept forever on Telegram servers / cloud / database, unless all parties of the chat delete it. Which basically means that most chats are kept forever. And that's good to remember. If you delete something from a chat, you'll only remove it from your personal view. It's still maintained in the cloud for everyone else. Just as they say, you can send stuff to the cloud and 'delete it', but it actually doesn't mean anything at all. When it's out there, it's there forever. kw: Telegram, chat, message, history, data, retention, deletion, removal, policy, IM, instant messaging, privacy, security.
  • To continue about crappy code. In one project there's an integration (not written by me) which has an option to write output as UTF-16 or CP1252. If you enable the option to write out CP1252 files, the data export gets just much slower. I wondered what the option was actually doing. It was pretty clear. If the cp1252 option is enabled, add '.tmp' to the export filename. Then run the export code as usual. After that open the temp file and read it into memory as one large string. Then remove every second byte from the string and then write it back to disk. - That's marvellous. First of all, it doesn't give a damn about character encodings actually. It'll basically work with < 128 ASCII by design. As well as being phenomenally slow, because it modifies the string in memory over and over again. - But as has been said, it still works. And for exports which aren't too big, the time is only a few minutes, so it doesn't matter either when it's run in the nightly batch run. Why bother doing things in a complex way, when a simple way works? Ehh... This code has been in production for over 10 years and works well. So there's nothing to complain about actually. Maybe just a few core weeks or months wasted, but nobody really cares about that. I'm not sure if this falls in the category acceptably bad, good enough. But based on the fact that it has been used for so long, I think it does. Yes, it could be in some cases a problem, but in this case it wasn't. So what's the problem? I've seen similar implementations of \r\n to \n conversion. Horrible, but it just works.
  • Microsoft kills Skype for Linux: no more P2P, the cloud will be the only option. So much for 'distributed' or 'P2P' IM systems. They want full control.
  • Checked out Tosibox - It's a box designed to provide a secure network for systems which require security. Yet when checking the list, the first question is whether some of the systems should be connected to the Internet at all. That's the question which has been asked in many cases when something bad has happened. Their use cases list businesses like: Water & Wastewater, Security, Robotics, Lightning, Industrial Automation & Machinery, Home Automation, Food & Beverage, Energy Sector and Building Automation. Ahem, some of these sectors are guaranteed to gather interest from extremely competent attackers. Just makes me wonder. Nothing, nothing at all against Tosibox, their products seem great and well. It's much better that there's a proper attempt to secure systems. But the question remains if it's enough. Based on what we've seen in other cases, the answer most likely is, no, it doesn't actually help. But it makes things a bit harder for attackers.
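To make the "remove every second byte" trick concrete, here is an added example (my code, not the integration the post describes) that reproduces the pattern in Python and sets it beside a real UTF-16 to CP1252 transcode. The sample strings are constructed; the `naive_every_second_byte_slow` function is my reconstruction of the byte-at-a-time deletion the post mentions, written to show why it is quadratic.

```python
# Constructed sample strings: what a UTF-16-LE export of a few European strings looks like.
SAMPLES = ["Hello", "ééé", "€10", "Świnoujście"]


def naive_every_second_byte(data: bytes) -> bytes:
    """The pattern from the post: keep every second byte of the UTF-16-LE file.
    This is not a character-set conversion. It only works because the low byte
    of a UTF-16-LE code unit equals the Latin-1 / CP1252 byte for U+0000..U+00FF."""
    return data[::2]


def naive_every_second_byte_slow(data: bytes) -> bytes:
    """Same result, built the way the post describes it: delete the unwanted bytes
    one at a time from one large string. Every deletion copies the remainder,
    so the whole conversion is quadratic in the file size."""
    buf = data
    i = 0
    while i < len(buf):
        buf = buf[:i + 1] + buf[i + 2:]   # drop the high byte that follows position i
        i += 1
    return buf


def proper_transcode(data: bytes, errors: str = "replace") -> bytes:
    """Decode as UTF-16 (BOM-aware; explicit little-endian when there is no BOM)
    and encode as CP1252. Characters CP1252 cannot represent become '?' instead
    of silently turning into a different character."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        text = data.decode("utf-16")       # the codec consumes the BOM
    else:
        text = data.decode("utf-16-le")
    return text.encode("cp1252", errors=errors)


def compare(text: str) -> dict:
    """Run both conversions over one string and decode the results back,
    so the damage done by the naive version is visible as text."""
    data = text.encode("utf-16-le")
    naive = naive_every_second_byte(data)
    proper = proper_transcode(data)
    return {
        "input": text,
        "naive_bytes": naive,
        "naive_as_cp1252": naive.decode("cp1252", errors="replace"),
        "proper_bytes": proper,
        "proper_as_cp1252": proper.decode("cp1252"),
        "naive_is_correct": naive == proper,
    }


if __name__ == "__main__":
    for sample in SAMPLES:
        print(compare(sample))
```

ASCII and Latin-1 characters survive the byte-stripping by accident; '€' (U+20AC) comes out as '¬', 'ś' (U+015B) as '[', and a leading UTF-16 BOM becomes 'ÿ'. If such a file feeds another system, those silent substitutions are exactly the kind of data-integrity bug nobody notices for ten years.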

Diceware, Dvorak, Mobile Hotspot, DDoS, Programming, Windows 10 Networking Update

posted Jul 21, 2016, 2:51 AM by Sami Lehtinen   [ updated Jul 23, 2016, 2:10 AM ]

  • Diceware - I can't believe I haven't written about this topic. Of course this is all old stuff and I, as everyone else, have known about this for ages. But just not mentioning it is a fail. Anyway. Diceware is one way to generate passwords. I don't personally really like it, because it makes passwords so long. I prefer a higher level of entropy and shorter passwords. Yet as mentioned before, I often consider passwords just as pre-shared keys. Don't care about the content, as long as it's random enough. The only thing which I think is great with Diceware is the fact that it can actually make entering complex passwords fast on mobile, where there's Swype or a similar keyboard in use. Because the words being used are already in the dictionary it could be great. The only bad thing is that most apps actually disable the dictionary when entering a password. Which basically works against this entry method. Then you have to write a really long password without the dictionary, which is painful. Even more painful than entering a shorter complex password? Also shorter complex passwords can be learned without any problem when being used daily. I'm not providing any examples, because I have my own set of password derivation systems.
    EFF New Wordlists for Random Passphrases - "It contains many vulgar words" - Hahah. I wonder why people are so sensitive about passwords. If your totally random password is ub1G sH17 h3!d, what's wrong with that? Trust me, it's totally random. Nothing personal. Some password generators even have rules for filtering out offending passwords. But why? It reduces the number of available options and therefore the entropy.
  • Dvorak - Another thing which everybody should know. I've known and used it. But it seems that I haven't blogged about it. I've even used the Finnish DAS version of it for a few years. Unfortunately many environments don't provide it by default. It would be just so awesome if Windows & Linux & Android would allow selecting the Finnish (DAS) keyboard when required. But without pre-existing support, it's too annoying to configure it. Even if the number of systems I use daily is quite limited.
  • How hard can it be to turn on Mobile Hotspot and join it with a laptop? There are just so freaking hopeless people out there. Sigh. Well, it worked, but it took more than one hour. It seems that WiFi (WLAN) is some kind of higher class of science which requires 10 years of academic studies + 10 years of experience to set up and use.
  • Absolutely awesome postmortem from the Stack Exchange Network. Also gives a good view of how trivially easy it is to DDoS a website to its knees, if it contains absolutely horrible and extremely bad recursive code. It's a good question why this trimming happens at view time and not when the data is being saved. Afaik, it's also a bad choice. Why do the same task several times, if doing it once is enough? - Laughable fail, but that happens. I've often mentioned that many programmers don't have a clue what their code actually does. It just works. This should be one of the classic examples.
  • Some neat stuff the Windows 10 Anniversary update contains: TCP Fast Open (TFO) for zero RTT TCP connection setup, IETF RFC 7413; Initial Congestion Window 10 (ICW10) by default for faster TCP slow start; TCP Recent ACKnowledgment (RACK) for better loss recovery (experimental IETF draft); Tail Loss Probe (TLP) for better Retransmit Timeout response (experimental IETF draft); and TCP LEDBAT for background connections, IETF RFC 6817. - Yet while all of those options were known to me beforehand, many of them weren't actually used. Except TFO. I've often also tweaked TCP stack settings for systems which require some tuning. It's neat to hear that those are being used by default and do not require registry tweaks or tuning with sysctl on Linux. But as we've seen, it'll probably take a long time before applications and server software support those features. Except of course some high end projects like web browsers and the most common web servers, etc.
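The two points above (long passphrase versus short complex password, and filtering words costing entropy) are easy to put in numbers. The following is an added example of mine, not from the post or the EFF: it computes the entropy of both styles from pool size and length, shows how many words or characters a target entropy needs, and quantifies the loss from filtering "offensive" words. `TOY_WORDLIST` is a constructed eight-word list standing in for a real 7776-word Diceware list; the generator deliberately uses the `secrets` module.

```python
import math
import secrets

# Constructed, deliberately tiny word list; real Diceware / EFF long lists have 7776 entries.
TOY_WORDLIST = ["apple", "brick", "cloud", "delta", "ember", "frost", "grain", "hazel"]
DICEWARE_SIZE = 6 ** 5        # 7776 words: five dice rolls select one word
PRINTABLE_ASCII = 95          # characters usually allowed in a "complex" password


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of `length` independent uniform picks from `pool_size` options."""
    return length * math.log2(pool_size)


def words_needed(target_bits: float, wordlist_size: int = DICEWARE_SIZE) -> int:
    """Diceware words required to reach `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def chars_needed(target_bits: float, alphabet_size: int = PRINTABLE_ASCII) -> int:
    """Random characters required to reach the same entropy."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def entropy_lost_per_word(wordlist_size: int, words_removed: int) -> float:
    """Bits per word given up by filtering words out of the list.
    The loss is log2(N / (N - removed)); small, but never zero."""
    if words_removed >= wordlist_size:
        raise ValueError("cannot remove every word")
    return math.log2(wordlist_size) - math.log2(wordlist_size - words_removed)


def generate_passphrase(n_words: int, wordlist=TOY_WORDLIST, sep: str = " ") -> str:
    """Pick words with the OS CSPRNG via `secrets`; the `random` module is not
    suitable for anything that has to stay secret."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    six_words = entropy_bits(DICEWARE_SIZE, 6)
    print(f"6 Diceware words: {six_words:.1f} bits")
    print(f"same entropy in printable ASCII: {chars_needed(six_words)} characters")
    print(f"words for 80 bits: {words_needed(80)}")
    print(f"filtering 100 words from 7776 costs {entropy_lost_per_word(DICEWARE_SIZE, 100):.4f} bits/word")
    print("toy passphrase:", generate_passphrase(4))
```

Six Diceware words give about 77.5 bits, which twelve random printable characters also reach, so both choices in the post are defensible; the difference is only in what is easier to type or memorise. Dropping 100 words from a 7776-word list costs under 0.02 bits per word, so the filtering the post complains about is a measurable but tiny loss; a bigger one would be a generator that draws words with `random` instead of `secrets`.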

NFC tags, RF shielding, intelligence & covert action, cyber security, CloudFlare, Access Controls & Audits

posted Jul 18, 2016, 9:07 AM by Sami Lehtinen   [ updated Jul 18, 2016, 9:07 AM ]

  • Read more about ISO/IEC 14443 tags. I've been writing some NFC related integrations. But I haven't had to deal with the low level stuff ever. Usually the application just uses a "unique blob" and I don't care what that is. I got to the page because I was interested in the ATQA, SAK and ATS values + wanted to know how long the UID is. Even if some apps seem to call it Serial Number? Which basically is the same thing. I'm glad that the password protection features worked well with the NFC tags. As I've reported earlier some EddyStone BlueTooth Beacons are totally broken and basically won't allow setting anything other than the static default password. Which of course is a major security fail.
  • Configured a few tags to configure Guest WiFi + open the Company Web Page whenever touched. That's pretty neat. Printed a few standard plastic credit card size cards with the NFC symbol and WiFi information for the reception and meeting rooms.
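As an added example (mine, not from the post or any NFC library), the decoder below answers the "how long is the UID" question from the ATQA and SAK bytes a reader reports during ISO/IEC 14443-3 anticollision: the two high bits of ATQA byte 1 give the UID size (4, 7 or 10 bytes, delivered in one, two or three cascade levels), SAK bit 3 says whether more cascade levels follow, and SAK bit 6 says whether the tag speaks ISO/IEC 14443-4 (so an ATS can be requested). The sample values are constructed to look like a typical 7-byte-UID tag and a typical 4-byte-UID tag; they are not taken from a specific product.

```python
# ISO/IEC 14443-3 numbers bits b8..b1 (MSB..LSB); the shifts below follow that.
UID_SIZE_BYTES = {0: 4, 1: 7, 2: 10}   # ATQA UID-size field: single, double, triple


def decode_atqa(atqa: int) -> dict:
    """`atqa` as tools usually print it (e.g. 0x0044): byte 2 in the high
    octet, byte 1 (sent first on the air) in the low octet.
    Byte 1: b8b7 = UID size, b5..b1 = bit-frame anticollision.
    Byte 2: b4..b1 = proprietary coding."""
    if not 0 <= atqa <= 0xFFFF:
        raise ValueError("ATQA is two bytes")
    byte1 = atqa & 0xFF
    byte2 = (atqa >> 8) & 0xFF
    uid_size_code = (byte1 >> 6) & 0x03
    if uid_size_code == 3:
        raise ValueError("ATQA UID size 0b11 is reserved")
    return {
        "uid_bytes": UID_SIZE_BYTES[uid_size_code],
        "cascade_levels": uid_size_code + 1,
        "bit_frame_anticollision": byte1 & 0x1F,
        "proprietary_coding": byte2 & 0x0F,
    }


def decode_sak(sak: int) -> dict:
    """Select Acknowledge: b3 set = UID not complete (another cascade level
    follows); b6 set = PICC compliant with ISO/IEC 14443-4 (ATS available)."""
    if not 0 <= sak <= 0xFF:
        raise ValueError("SAK is one byte")
    return {
        "uid_complete": not (sak & 0x04),
        "iso14443_4": bool(sak & 0x20),
    }


def check_uid(hex_uid: str, atqa: int) -> bytes:
    """Validate that a UID string from a reader matches the length ATQA announced.
    The UID is sent in clear during anticollision: it identifies a tag, it does
    not authenticate it, so never treat it as a secret or a credential."""
    uid = bytes.fromhex(hex_uid)
    expected = decode_atqa(atqa)["uid_bytes"]
    if len(uid) != expected:
        raise ValueError(f"UID is {len(uid)} bytes, ATQA announced {expected}")
    return uid


if __name__ == "__main__":
    # Constructed sample values: a 7-byte-UID tag and a 4-byte-UID tag.
    print(decode_atqa(0x0044), decode_sak(0x00))
    print(decode_atqa(0x0004), decode_sak(0x08))
    print(check_uid("04a1b2c3d4e5f6", 0x0044).hex())
```

The last function is the check an integration that stores "unique blobs" should really do: a UID of the wrong length usually means the reader returned a partial (cascade level 1 only) value or a different field altogether, and storing it silently is how two physically different tags end up mapped to the same record.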
  • Added internal tinfoil lining to my wallet to prevent remote NFC card reading without taking cards out of the wallet. It worked really nicely.
  • Watched a long documentary about intelligence services and the covert action and sabotage they're undertaking. Small groups of hackers, seeming to be independent actors. Naturally most of the interesting questions and topics were classified and not discussed publicly. KW: Zero Day Attacks, Intelligence, Espionage, Sabotage. Quick Money, Hacktivist, Sending Political Message, Nation-State Actors, Cyber Weapons, Cyber Command, Air Gap Jumping, Weaponized Code, Advanced Capacity and Capability is highly Classified, International Law. Everything you can get away with is ok in Cyber Realm. Cyber-Attack Targeting and Intelligence. Critical Infrastructure Vulnerabilities. Botnets, Destructive Activities. Computer System Knock Out, State-sponsored Cyber Sleeper Cells, Data Exfiltration, Infiltrated Command And Control Systems, Nitro Zeus, Attribution hard.
  • New article about CloudFlare: We Have a Problem. Well, I think the article didn't provide any new information. That's just how CloudFlare works. For some cases it's ok, and for others, it isn't. I do use CloudFlare for a few free sites, but none of my business sites are using it. Also SPAs got mentioned. MitM risks, maliciously intercepted traffic, dragnet interception, TLS/SSL breaking, and so on.
  • The same issues apply to running your own email server. Sure it can be hacked, of course. But it still requires someone bothering to do so. Instead of collecting your data directly from 'cloud hosted email' as the usual mass surveillance.
  • News broke that a health care system allowed people to view highly confidential diagnosis information of individuals without that access being logged. Surprised? - No. That's just how things usually work. In many cases the system isn't being used as it's designed, and when there are such changes, some of the other features break simultaneously. In this case they claimed that the 'browsing mode' was only meant for system administrators. But for some reason it was enabled for other personnel too. - Business as usual. There's nothing surprising with that. Things like this happen all the time. The system is designed for case A but then there's some kind of need which requires configuration changes and then those are made as cheaply and quickly as possible. Which usually means that all the security controls and other 'what if' cases are purely forgotten. Because now it 'works' as they wanted it to work. And they can do what needs to be done.

Kali, Tails, Data Structures, Synchronization, Bitcoin Security, WiFi, H2, Warrant, E2EE, Mr.Robot

posted Jul 16, 2016, 1:26 AM by Sami Lehtinen   [ updated Jul 16, 2016, 1:26 AM ]

  • Did a set of training tasks & experiments with Kali and Tails. Just to maintain capability and skills if and when required.
  • Very nice article Data structures for external memory - Liked it, timings, measurements, different approaches and solutions.
  • Linux kernel synchronization primitives - sequential locks - That's one way of doing it. Using a counter and checking it is very efficient. Yet it can lead to a situation where a lot of resources are wasted because tasks need to be repeated. Of course this is one of the problems that such locking could cause. This is one example of 'opportunistic locking' (OpLock) as it's called in Windows, or Optimistic Concurrency Control. I've written a lot about it earlier.
  • A list of Bitcoin related computer security incidents - Btw. This is quite an awesome list. 38 incidents listed so far. Race condition, account takeover, social engineering, backups, application vulnerabilities, insiders. All kinds of attack vectors were used. Often even one trick isn't enough, they combine multiple to get around the obstacles preventing a successful hack.
  • Reminded myself about WiFi interference - troubleshooting basics. Nothing new. I knew it all. But if you are having trouble with WiFi, it's worth checking this out.
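To show the retry cost the sequential-lock bullet talks about, here is an added example of mine (not from the kernel article or the post) that models a seqlock in Python: the writer bumps a sequence counter to an odd value before writing two fields and to an even value after, and a reader repeats its read whenever it started on an odd counter or the counter moved under it. The `stress` function counts how many reads had to be thrown away. Assumption stated in the code: CPython's GIL supplies the ordering a real seqlock gets from memory barriers, so this is a model of the algorithm, not a production primitive.

```python
import threading


class SeqLock:
    """Sequence lock over two fields that must be read as a consistent pair.
    Readers never block writers or each other; the price is that a reader's
    work is discarded whenever a write overlaps it (the 'wasted resources').
    Assumption: CPython's GIL provides the ordering real seqlocks get from
    memory barriers. Demo of the algorithm, not a production primitive."""

    def __init__(self):
        self._seq = 0
        self._writers = threading.Lock()   # writers still serialise among themselves
        self._a = 0
        self._b = 0

    @property
    def seq(self) -> int:
        return self._seq

    def write(self, a: int, b: int) -> None:
        with self._writers:
            self._seq += 1          # odd: write in progress
            self._a = a
            self._b = b
            self._seq += 1          # even: data consistent again

    def read(self):
        """Return (a, b, retries). The pair is guaranteed to be consistent."""
        retries = 0
        while True:
            start = self._seq
            if start & 1:           # a write is in progress: try again
                retries += 1
                continue
            a, b = self._a, self._b
            if self._seq == start:  # nothing changed while we were reading
                return a, b, retries
            retries += 1            # possible torn read: discard and redo


def stress(iterations: int = 50_000) -> dict:
    """Writer keeps the invariant a + b == 0 while a reader checks it and
    counts the reads that had to be repeated."""
    lock = SeqLock()
    stop = threading.Event()

    def writer():
        n = 0
        while not stop.is_set():
            n += 1
            lock.write(n, -n)

    t = threading.Thread(target=writer, daemon=True)
    t.start()
    violations = 0
    retries = 0
    for _ in range(iterations):
        a, b, r = lock.read()
        retries += r
        if a + b != 0:
            violations += 1
    stop.set()
    t.join()
    return {"violations": violations, "retries": retries}


if __name__ == "__main__":
    print(stress())
```

The retry count is the quantity to watch: it is zero when writes are rare and grows with write frequency, which is why seqlocks suit read-mostly data (the kernel's timekeeping is the classic case) and become a waste when writers are busy.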
  • Real–world HTTP/2: 400gb of images per day - That's one of the reasons why I've implemented HTTP/2 (h2 and h2c) for my services.
  • Asciinema - Why Python is better than Go - They listed all the stuff why I also really like Python.
  • Mr.Robot Easter Egg for S02E01 - Nice, nothing surprising yet. All 'standard' and well known encodings.
  • Microsoft: Our search warrant case: An important decision for people everywhere - This is interesting case. And something we've been waiting to see out. I personally think this is the only sane way to get it done and follows the Privacy Shield policies.
  • Telegram E2EE encryption is much faster than WhatsApp's. I guess WhatsApp is doing some overkill public key encryption repeatedly on every message, making it slow and consuming a lot of battery and CPU resources. Afaik, that's a bit excessive. Like generating a fresh 2048 bit RSA key for every individual message and signing it with the long term RSA key. Aka, ephemeral keys for every message. Yes yes, I know. There's documentation available which I could read. But I'm not that interested right now. I'm just reporting poor UX which in this case isn't great because of the slowness. Telegram's approach where the key is renewed using a 'sane' interval is much better.
  • Something different? Checked Russian Tupolev Tu-214R ELINT aircraft specifications.

StartSSL / StartEncrypt, UX, RLWE, QKD, Post Quantum Crypto, Ring Buffers, Tor Honey Onions

posted Jul 10, 2016, 2:31 AM by Sami Lehtinen   [ updated Jul 10, 2016, 2:32 AM ]

  • StartSSL / StartEncrypt Automatic SSL Certificate verification process was kind of broken (?). But funny or not, it's just about the definition. What's secure and what isn't. Why do some sites allow users to upload binary files and why do some sites allow users to redirect? Those are also 'vulnerabilities' on the domain / site being authenticated. So in this case, it's so simple to say that it's broken. What's broken? It's not broken. The sites being verified are in one sense broken. It doesn't matter that those are major actors. They'll let 'others use their domain' which is also an inherent security risk. As in my previous examples, I've said this is totally normal and this is going to happen over and over again. Is there some kind of official specification of what's being considered 'secure' and what isn't? It's just the classic falling between cracks. A single thing isn't a problem, but when you combine those, it becomes a huge problem. Then there was the fact that the StartEncrypt client didn't verify the StartEncrypt server certificate. That happens, nothing new. There are plenty of programs which do not do that. And as I've said earlier even some banks recommend not to check certificates, because renewing those is pain in the.... Then it didn't check the MIME type. It was claimed that this allows getting certificates for any site which allows uploading avatars / pictures. That's yet another disputable claim. Of course those sites won't allow uploading such binary files, if those aren't being recognized as images. Or maybe some do, which means that those sites are also broken, and things are again falling between multiple cracks. Which sites allow 'binary file uploads' as images, which aren't images? Probably many. It's just simply too hard to check what the binary file actually contains, right? Incorrect file access rights (666) for the SSL private key is yet another example. Yes, the file is readable or can be modified by anyone.
    But why would anyone give access to the server to non-trusted users? I know, it's yet another issue in this long line of issues. This wasn't anything new, it's always the same problem: making hard things easy or easy things hard. There will always be problems at some level. It's also funny to notice that if security tools are this badly broken, what would you expect from most so called 'normal' software? Hah, security is almost equal to none. Yet of course this shouldn't surprise anyone.
  • Often I wonder what kind of people are designing the UX. Like in the case where you first compose a message and then send it and it ends up with some kind of error. Why can't you modify the message? There's only a resend option which doesn't allow you to edit the message. I've seen this same problem with multiple apps. I just could say bleep about this. All you can do is delete the message, recompose it and possibly copy paste everything from the previous message to the new message and fix the error. But that's just stupid. Is it really so hard to allow editing a message once it's placed in the outbound queue? - Yes seems to be the answer. Technically that's nearly impossible, engineers say.
  • Quote from F-Secure: "Key endpoint protection strategies: * Hardening * Prevent malicious applications * Isolate applications from resources"
  • Ring Learning with Errors (RLWE) - New cryptographic algorithms to protect against quantum computer cryptanalysis.
  • Of course I had to check Quantum key distribution (QKD) too. We're living in interesting times. I was actually familiar with this stuff, but it's good to remind yourself every now and then about stuff you're not actually using.
  • Google's Security article Experimenting with Post-Quantum Cryptography.
  • Nice old article about Ring Buffers and implementations. - Nothing new, been there done that. But it explains well a few possible fail points if you're implementing a ring buffer from scratch.
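The ring-buffer fail points are easier to see in code than in prose, so here is an added example (mine, not from the article the post links) of a fixed-capacity FIFO that handles each of them explicitly: the head == tail ambiguity (empty or full?) is resolved with an element count, every index advance is taken modulo the capacity so wrap-around cannot run off the end, a full buffer either refuses the push or drops the oldest item and counts the drop, and popped slots are cleared so the buffer does not keep dead objects alive.

```python
class RingBuffer:
    """Fixed-capacity FIFO over a preallocated list.

    Classic fail points it guards against:
      1. head == tail meaning both "empty" and "full": disambiguated by a count.
      2. index wrap-around: every advance is reduced modulo the capacity.
      3. overwrite policy: push() on a full buffer either refuses or drops the
         oldest item explicitly and counts it; it never corrupts unread data.
      4. stale references: popped slots are cleared.
    """

    def __init__(self, capacity: int, overwrite: bool = False):
        if capacity <= 0:
            raise ValueError("capacity must be positive")
        self._buf = [None] * capacity
        self._cap = capacity
        self._head = 0          # next slot to read
        self._tail = 0          # next slot to write
        self._count = 0
        self._overwrite = overwrite
        self.dropped = 0        # items discarded because the buffer was full

    def __len__(self) -> int:
        return self._count

    def is_empty(self) -> bool:
        return self._count == 0

    def is_full(self) -> bool:
        return self._count == self._cap

    def push(self, item) -> bool:
        """Append `item`; return False if refused because the buffer is full."""
        if self.is_full():
            if not self._overwrite:
                return False
            # drop the oldest item: advance head, keep the count consistent
            self._buf[self._head] = None
            self._head = (self._head + 1) % self._cap
            self._count -= 1
            self.dropped += 1
        self._buf[self._tail] = item
        self._tail = (self._tail + 1) % self._cap
        self._count += 1
        return True

    def pop(self):
        """Remove and return the oldest item; raise IndexError when empty."""
        if self.is_empty():
            raise IndexError("pop from empty ring buffer")
        item = self._buf[self._head]
        self._buf[self._head] = None
        self._head = (self._head + 1) % self._cap
        self._count -= 1
        return item

    def peek(self):
        if self.is_empty():
            raise IndexError("peek at empty ring buffer")
        return self._buf[self._head]

    def to_list(self) -> list:
        """Items in FIFO order, walking from head with wrap-around."""
        return [self._buf[(self._head + i) % self._cap] for i in range(self._count)]


if __name__ == "__main__":
    rb = RingBuffer(3)
    for x in (1, 2, 3, 4):
        print("push", x, "->", rb.push(x))
    print("pop", rb.pop(), "push 4 ->", rb.push(4), "contents", rb.to_list())
```

For an audit or event log the overwrite mode is the one to think about: dropping the oldest record is often the right choice under pressure, but only if `dropped` is surfaced somewhere, because a buffer that loses events silently is exactly how access stops being logged without anyone noticing.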
  • More Tor attacks. Honey Onions

LTE-M, Tesla Crash, Securing Ubuntu, TCP Stack, Cracking FDE, Local Tech Guy

posted Jul 5, 2016, 8:33 PM by Sami Lehtinen   [ updated Jul 5, 2016, 8:36 PM ]

  • Checked out LTE-M and compared it against Sigfox and LoRa. The IoT future is here. The 'best' solution depends on the needs of the actual application it is being used for. In Finland the operators haven't forgotten the M2M market at all. But maybe the situation has been different in other countries. Depending on the use case the main problem is the modem cost. But now you can get really cheap GPRS modems from China. Yet those naturally aren't LTE modems.
  • Tesla Autopilot crash: A bad joke, but this somehow reminded me about: Darwin Awards movie, Autopilot Cruise Control scene. Afaik, Tesla Autopilot is an assistant, not a fully autonomous driving system. Which inherently means that it requires constant supervision. Using a boat's or plane's autopilot won't relieve you from monitoring where you're going to end up either. Some of the news articles were titled with pure lies. 'Autonomous car crashed and killed', hmm, nope. Tesla isn't one. It's always important to acknowledge the true capabilities of a system and even then not blindly trust it. We all knew it was going to happen sooner or later.
    This is closely related to many of the topics I've posted earlier where people trust systems without questioning them and well, we all know what's going to happen. The same rules apply to anything like fully automated stock investing. It can just go awry at times. Even if it would work perfectly in "normal market conditions" there are situations which will throw it totally off and that's the time when you're going to pay. Luckily that causes only loss of money, not loss of life.
  • My First 10 Minutes On a Server - Primer for Securing Ubuntu - A nice, very basic article. Yet it didn't contain anything new. Btw. with a dynamic IP you can add your service provider's IP range(s). It isn't perfect, but it's still a much smaller portion of IP addresses than leaving SSH open globally. This is where IPv6 helps a lot, because you've probably got just a few /32 ranges to add. If you want to know more details you should check out some of the proper OS hardening guides.
  • Great post about the TCP stack by Julia Evans - Sure. As with everything else, there's no perfect fits-everyone solution. Many embedded devices use a very small fixed window with TCP. In general that's just the same question as it is with standards, frameworks or something else. Use a light simple one, use one mega bloated 'fits for everything' one, or build your own. Which one happens to be the best solution? Also the build-your-own can be very highly optimized for your needs, but it also might require a lot more work than you initially thought it would. This is just like the question why we use TCP instead of UDP. Most often it's just not worthwhile to re-invent something which is already working well enough.
    As an example, UDP networking and DHT turned out to be really hard for the OpenBazaar team. You don't even know what kind of trouble you're going to get into before you try. There are just so many cases and 'problems' to deal with. A naive implementation might barely work, and it's guaranteed to be worse than Linux kernel TCP.
  • Breaking Android Full Disk Encryption - Let's see. Very long post, but it's all good and worth reading. Yet again, in this case it wasn't the magic AES-256 which was broken, but steps related to key management. It's worth noting that even using TrustZone and Hardware-backed Keystore (KeyMaster / TEE) protection didn't protect the key. I'm sure there are many other defective encryption products out there, it's just the case that probably no-one has bothered to take a good look at those.
  • It's so nice to be IT department and tech guy and local support for all the friends & family. Helped people to change and use (proper) passwords, tether laptop and tablet with mobile phone. As well as consulted on VPN services & Torrent Seedboxes & Cloud Torrent Clients, install WiFi Repeaters so that whole terrace gets properly covered. - Something different than programming, operating systems and cloud servers this time.

Passwords, Brotli, Compression, SSD, Virtualization, Optimization, Physical Web, CloudFlare, Python

posted Jul 5, 2016, 8:25 PM by Sami Lehtinen   [ updated Jul 5, 2016, 8:26 PM ]

  • About passwords and disabling paste: I think it would be highly beneficial in some cases to record password writing patterns & timings. If it's an important system which requires high security. If key administrators try to log in under "influence", whatever that is: drugs, booze, someone pointing a gun at them, extremely tired or very stressed, the login would simply fail. Because you're not being "you" then. A requirement to write a bit longer phrase to check writing timings & patterns would pretty much ruin your day if your baseline is off. kw: password, passwords, security, cns, drugs, stress, influence
  • Lossless compression with Brotli - A very nice article by Dropbox guys. Yet no news.
  • Compression is also one of the fields where there's no "right solution", it always depends on so many factors. In some cases compression is very beneficial, in some other cases it really ruins your day. One of the cases where we've been thinking about compression options is installing large system images over the network. In some cases installation is done over a 100 Mbit/s network with an i7 CPU. And in some cases it's done over a 1 Gbit/s network with an Atom CPU. This is more than enough to totally change what's required for the compression and where the bottleneck in the process is. In the best case compression doesn't only save space, it also saves a lot of time.
  • Checked some funny statistics. My SSD has been powered on for over 10000 hours in the last three years. Yet it's still in full condition, 0% worn. This means that I'm probably going to expire personally before this drive expires.
  • Super long discussions with administrator friends about KVM, OpenVZ, LXC, and so on. Yawn, I could say. But it's not that simple, there's no single best solution. It depends so much. I personally would go for LXC if and when running my own personal virtualized platforms. Also long discussions about whether SSD / HDD manual allocation is better than an SSD cached HDD storage system. Well well, it depends. Does the server proximity matter or not? Is higher bandwidth better than low latency or unlimited traffic? Is a faster disk versus more RAM better? And many more other similar double-edged sword discussion points.
  • Fixed the issues with Physical Web. It seems that they now only accept HTTPS URLs and even HTTPS -> HTTP redirection doesn't work.
  • Cloudflare opened its 83rd data center in Moscow. Now it seems that some Cloudflare protected sites are being served from Moscow (DME) for Finland (HEL) instead of Stockholm (ARN). DME is a lot slower than ARN, as well as it raises some privacy questions if someone is worried about the Russian privacy legislation and Big Brother laws.
  • Checked the Python 3.5.2 release notes. PEP 448, liked the unpacking generalizations. PEP 471 os.scandir(), nice. Yet another way to do it, but a bit faster. Also the classic os.walk got a speed boost. PEP 484 Type Hints is of course awesome. PEP 485, isclose is really nice. I've coded my own comparison routines at times just because == with floating points is almost guaranteed fail. There has to be some predefined tolerance to accept the values as being the same. PEP 488, no more PYO files. Hmm. Sure. Doesn't affect daily operations, just looking for purity.
  • Studied some Hyperloop related technologies: Kantrowitz Limit - Gas flow simulations in tube - Air bearing skis - Maglev using passive plate - Maglev using active coils - Required cooling needs - Vacuum Energy Cost - Stations - Airlocks - Passenger Loading facilities - G forces - Thermal Expansion
  • Something different: Hsiung Feng III - Explosively formed penetrator (EFP, SEFP, MEPF)

Email, Oscobo, UAAV, Telegram E2EE, NXP NFC, Bluetooth 5, EddyStone, FIDO U2F

posted Jul 4, 2016, 9:08 PM by Sami Lehtinen   [ updated Jul 4, 2016, 9:08 PM ]

  • After I switched email hosting I found out what I were expecting and suspecting earlier, but I hadn't had it confirmed. LinkedIn uses email batching, delivering emails in large batches to individual servers / domains. Now when I use different domain, I just get a ripple of the email. When I used my own domain and server, I got everything at once. Because it's just more efficient to deliver emails at once, instead of delivering those in multiple small batches.
  • It's also unsurprising that new email hosting is much slower than it used to be. I were used to everything happening immediately but now there's latencies related to everything. Previous server got under 1 ms latency and basically everything in RAM memory. Now data is being fetched over much slower link and of course it's not all in RAM. It's really easy to notice sluggishness on every turn when using the new service. With the old server worst case was that data wasn't in RAM and it had to be read from SSD SAN.
  • Oscobo replied to me linking a few articles. But none of those answer the fundamental questions I'm asking. They haven't given out any information about what information is being forwarded to 3rd parties like Microsoft Bing to fetch the actual results. It would be really nice to know. Afaik, this is a pretty important question. It's easy to claim that things are secure in a way that looks good, but in reality we all know that it might still be very insecure, either by accident or incompetence or by intentional design.
  • Something different: Read multiple articles on The UAAV Digest. It seems that military drones are developing really fast, much faster (no surprise) than consumer ones. It's very interesting to see if (when) drones can practically replace hugely expensive aircraft carriers. kw: TERN, VTOL, DARPA
  • Some people warn that Telegram isn't encrypted. Sure it's encrypted, but ... It's not End to End Encrypted (E2EE) unless Secret Mode is being used. Many of the Telegram clients don't even support the E2EE Telegram Secret chat mode. Data is still delivered over an encrypted connection, but it's not end-to-end encrypted. If you've got something truly confidential, who would use any "secure app" anyway? I'm sure the stakeholders wouldn't love such actions and it would be a blatant breach of confidentiality.
  • I guess the new Russian data collection law isn't that bad? At least they're openly admitting it. Other countries might do exactly the same, or worse. They're just not telling about it. Basically all communications need to be stored for six months in plaintext and if encrypted there needs to be a backdoor for deciphering the communications.
  • Ordered a set of programmable NXP NFC tags - just for fun, play and experiment. Let's see if I can figure any practical use for those. Maybe configuring visitor WLAN at office could be one use.
  • Checked out Bluetooth 5. 4x the range and 2x the bandwidth. What's even better, the Bluetooth Low Energy (Bluetooth LE or BLE) version got 8x broadcasting capacity and connectionless services. That's very nice. But it doesn't increase power consumption. Well well, that's something extremely nice. It's easy to add range or capacity, but usually that means that systems will require more power. I've already got a few EddyStone Bluetooth beacons, which are working very nicely broadcasting a few URLs.
  • Also ordered a cheap Feitian ePass FIDO U2F Security Key and, for comparison, Yubico's YubiKey NEO. Just to have something to play with on my vacation. Even if I'm a big fan of Strong password (shared secret) + HOTP / TOTP (as 2nd factor). I'm also wondering why some people don't get that Google Authenticator is not an independent technology. FIDO Fast IDentity Online - Universal Second Factor (U2F) - Let's see if installing pam-u2f will be fun. Terms like Passwordless UX (UAF) and Second Factor UX are used by some vendors. The device conveniently works as a USB HID (Human Interface Device, aka keyboard).
  • So much fail. Physical Web App for Android got updated. Now it doesn't show EddyStone Bluetooth Beacons which it did show earlier. Yet all the other similar apps do work flawlessly. - Business as usual, we improve the software so much it becomes totally unusable. - Found out the reason later, they now only accept HTTPS sites.

HTTPS, Skype, IPv6, Sigfox, PWD Paste, APFS, USB Flash, Kerv, Kafka, LoadAverage

posted Jul 4, 2016, 8:59 PM by Sami Lehtinen   [ updated Jul 4, 2016, 9:00 PM ]

  • Progress Towards 100% HTTPS, June 2016 - Let's Encrypt - Free SSL/TLS Certificates - Very nice. It would be great to get all sites to use HTTP/2 with HTTPS of course aka H2.
  • More quality software. Skype on Linux is losing half of the text being written and so on. So much quality software. Pure love. I wonder what's wrong with the keyboard input handler.
  • It seems that TP-LINK TD-W9980 V1 firmware TD-W9980_V1_160125 is still buggy. It keeps losing IPv6 configuration. Fixing it? I'll be happy to provide more details. The world is just so full of quality software. Once again. Temporary workaround? One server in the network checks if IPv6 is available; if it isn't, it connects to the modem using a script and re-enables it. Sure it works, but it's a totally brain dead way of dealing with this issue. (I know, this isn't going to be the first nor the last workaround I've had to implement for others' crappy code, but that's just life.) I just need to make this stuff work.
  • Not enough bad software yet? Just found out that the web shop where I wanted to order some stuff didn't work properly and I couldn't pay for the purchases. I've been wondering how much money they have to make, to be so rich they're ignoring paying customers and telling them to get lost. Keep your money, we've got so much we don't know what we would do with it anyway. - Thank you for rejecting me. - Yet, I found another supplier of course. They accepted my money.
  • Re-checked Sigfox integration API and Backend RESTful connectors with JSON to confirm that those are suitable for the project requirements. Also the messaging limits are pretty important: 12 bytes per message and 140 messages per day. Communication can be initiated only by the device, not by the network.
  • Configured a new 8 TB archive storage drive for backups / long term low demand data storage: used smartctl to run an extended self-test, then ran badblocks to run proper read/write media tests, tune2fs to configure fsck boot options, fstab to set writeback mode for ramdisk-like write performance for small non-fsynced writes, and hdparm to set preferred power saving options.
  • Disabling paste on password fields - Nice post. Disabling paste will guarantee bad passwords.
  • A nice analysis about Apple's new Apple File System (APFS). kw: NAND flash-aware characteristics, blocks, pages, FTL, SSD, ECC, ZFS, metadata, checksumming, metadata and data consistency, HFS, HFS+.
  • I've been using NTFS on USB flash memory sticks and external drives for over 5 years in mixed Linux / Windows use. No problems so far. This of course doesn't mean it's problem free or 'rock solid', but in normal daily use I haven't encountered any. Why? Because of metadata journaling. exFAT works as well, but it doesn't journal -> less reliable. - This is just an answer to people asking if NTFS works with Linux, it does.
  • Kerv is cool, some say. I guess there's rate limits. So there's single payment limit as well as daily payment limit + notification / automatic suspension, if something is "out of the ordinary". - Yet in technical terms, nothing new. I just can't stand this all "this is so bleep" with something new, which isn't technically anything new. Actually technically something really awesome and new happens extremely rarely. I guess Kerv is basically yet another implementation of the "NFC payment stickers" which one operator in Finland has been pushing out as mobile payments. You just need to glue that sticker on your phone. What kind of stupid marketing lies are those.
  • Rechecked Apache Kafka - messaging system. - No, I don't see a use for it right now. But it might become handy with some project.
  • It seems that is finally back online.
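The Sigfox limits mentioned above (12 bytes per uplink, 140 uplinks per day, device-initiated only) shape how a device has to be written. This is an added example, not code from the original post or from Sigfox's own SDK: it packs one sensor reading into a fixed 9-byte layout that fits the 12-byte limit, refuses anything larger before it reaches the radio, and keeps a sliding 24-hour budget on the device side, which is where it must live since the network never initiates anything. The field layout, field scales and the sample reading are my own assumptions for illustration.

```python
import struct
from collections import deque

# Added example, not from the original post or Sigfox's SDK: fitting telemetry
# into the 12-byte uplink and enforcing the 140 messages/day budget locally.
# The field layout below is an assumption made for this illustration.

SIGFOX_MAX_PAYLOAD = 12       # bytes per uplink message
SIGFOX_DAILY_UPLINKS = 140    # uplink messages per device per day
DAY_SECONDS = 24 * 3600

# Big-endian layout, 9 bytes in total (3 bytes to spare under the limit):
#   H  sequence number (0..65535), lets the backend spot dropped uplinks
#   h  temperature in 0.01 C steps (-327.68 .. 327.67 C)
#   B  relative humidity in %
#   B  battery level in %
#   H  pressure in 0.1 hPa steps (0 .. 6553.5 hPa)
#   B  status flags bitmask
TELEMETRY_FORMAT = ">HhBBHB"
assert struct.calcsize(TELEMETRY_FORMAT) <= SIGFOX_MAX_PAYLOAD


def check_payload(payload: bytes) -> bytes:
    """Refuse anything over 12 bytes before it ever reaches the modem."""
    if len(payload) > SIGFOX_MAX_PAYLOAD:
        raise ValueError(f"payload is {len(payload)} bytes, Sigfox limit is {SIGFOX_MAX_PAYLOAD}")
    return payload


def encode_telemetry(seq, temp_c, humidity, battery, pressure_hpa, flags=0) -> bytes:
    """Pack one reading; struct.error is raised if a value does not fit its field."""
    payload = struct.pack(TELEMETRY_FORMAT, seq & 0xFFFF, round(temp_c * 100),
                          humidity, battery, round(pressure_hpa * 10), flags)
    return check_payload(payload)


def decode_telemetry(payload: bytes) -> dict:
    """Inverse of encode_telemetry, i.e. what the backend callback would do."""
    seq, t, hum, batt, p, flags = struct.unpack(TELEMETRY_FORMAT, payload)
    return {"seq": seq, "temp_c": t / 100, "humidity": hum, "battery": batt,
            "pressure_hpa": p / 10, "flags": flags}


class UplinkBudget:
    """Sliding 24 h window over uplink timestamps. Only the device can start a
    message, so the budget has to be enforced here; the network will not ask."""

    def __init__(self, limit=SIGFOX_DAILY_UPLINKS, period=DAY_SECONDS):
        self.limit, self.period = limit, period
        self.sent = deque()

    def try_send(self, payload: bytes, now: float) -> bool:
        check_payload(payload)
        while self.sent and now - self.sent[0] >= self.period:
            self.sent.popleft()                  # expire timestamps older than 24 h
        if len(self.sent) >= self.limit:
            return False                         # over budget: drop or queue locally
        self.sent.append(now)
        return True                              # here the payload would go to the modem


if __name__ == "__main__":
    # constructed sample reading, not real sensor data
    frame = encode_telemetry(seq=7, temp_c=21.37, humidity=55, battery=88,
                             pressure_hpa=1013.2, flags=0b101)
    print(len(frame), "bytes:", frame.hex())
    print(decode_telemetry(frame))
```

With 140 uplinks a day the device gets one message roughly every 10 minutes; anything more frequent has to be aggregated into the payload (the 3 spare bytes) or dropped, and try_send returning False is the signal to do that rather than silently losing data at the radio.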
