Blog

Google+
My personal blog is about stuff I do, like and dislike. If you have any questions, feel free to contact. My views and opinions are naturally my own personal thoughts and do not represent my employer or any other organizations.

[ Full list of blog posts ]

libp2p, H2, Python, Workflow, NFC, Bluetooth, MobilePay, Distributed Locking, GNU Taler, Zerotier

posted by Sami Lehtinen   [ updated ]

  • Interestingly to some central European servers connectivity from Elisa is 10ms faster than it's when using Telia / Sonera Internet connection. Well, that's life.
  • Checked out libp2p - which is interesting development. Because it can offer different interfaces than the key value blob storage and retrieval. With OpenBazaar guys I said it often, relay mode is required. Libp2p does seem to implement it too. Because there can be any number of reasons why direct connections simply aren't possible. Also when talking about P2P tech, I really liked concept of using DHT. But in reality IPFS also uses DHT to route connections, which of course isn't surprising at all.
  • Checked and verified H2 & TLS on all on the sites I actually care about and which I'm hosting. Seemed to work perfect, now using Let's encrypt certificates. Reread also certbot documentation.
  • Read Google Python Styling Guide - Nothing new there. But it was a good read.
  • Enjoyed endless meetings about Workflows and processes in customer organization discussions. As usual, customers want that thing X works easily and automatically. But when you ask what the X actually means, they don't even know. - Business as usual, once again. - Actually, this is always as funny. Even if it would be internal matter, it's usually the same. People asking something to be done, don't know what should be done. This doesn't only apply to software, programming, custom built software, etc. This is totally generic question in all businesses when something needs to be done. Of course it helps, if you have a highly experienced and skilled team which you can trust. Then you can get lot done with extremely bad specifications, but in many cases it'll just leads to total disaster. Then they claim that the project failed. No, project didn't fail. Because it wasn't even specified properly what the success would look like. Another thing is that they say that they need feature Y. Ok? What the feature Y is used for. Nobody knows. Excellent, how you can then claim you need it?
  • I used Mobile NFC for very first time for actually something useful. What was that? I opened shopping malls website using NFC tag they had. I don't know if that's a great success, but it just shows that it technically worked. When tech works, then the actual applications are next step. Btw. I think Eddystone is better than NFC in this case. Because it provides better range than NFC.
  • Danske Bank's MobilePay also uses Bluetooth as addition to NFC. Usually the Bluetooth works much better and faster than the NFC option which requires exact positioning and waiting for a while. Played a bit with that system one day to figure out what the best way to 'connect' is. Also found out that on some mobile devices their QR code reading didn't work. Don't know why, was out of my scope, so I didn't bother to troubleshoot at all. But as end user, I would have been slightly disappointed. Especially if I would happen to have a device which allows QR code as only option, or maybe I just as user prefer it over RF options, because it's guaranteed to be "local". Yet it might not mean that there's anything wrong with the app. Maybe it was the platform that the app was running on which caused the problems and then there might not be anything they could do about it. - That's life. Sometimes things wont work and that's just the way it is.
  • A really nice article about pitfalls of distributed locking. I guess we've all had problems with transactions and locking. Things might work mostly well but then either fail or deadlock. Been there done that, but here's a few good points to remember.
  • GNU Taler 0.0.0 released - Nice. I've been checking out this project and it's great that they're making progress.
  • Studied Zerotier. The old concept, "trivial secure global networking". There are pros and cons with this approach, but I can see it being beneficial for many users because it reduces requirements for network configuration and makes connectivity trivial even with applications which do not provide 'easy' networking.

Sigfox, IoT, uWSGI, Bottle.py, Startup CEO notes, OpenBazaar DHT, Web Reputation, Freenet

posted by Sami Lehtinen   [ updated ]

  • Studied more SIGFOX, pricing, technology, etc. It seems really nice for certain purposes which require very little data, but 'constant connectivity'. As well as messaging is usually triggered from the device. This is something hat IoT needs and will have really many uses in future. The service is now being offered also in and that's nice. I'll need to buy a test device at some point. Yet the tech seems really straight forward and in integration terms is nothing new. It's just like services over SMS. Gotta see if I can figure a business case for this, so I can get the business version.
  • Still enjoyed enraging moments with uWSGI and Bottle.py cookies are just so broken. Darn. Sigh. Even more annoying is that it's semi abandoned project, so I would prefer it just to work, and not deeply trouble shoot stuff which doesn't really matter. Just so so so deeply annoying. Can't stop loving tech. Updating bottle to newer version will fix the cookie issue, but will break tons of other things. Which is also very undesirable for project which isn't actively maintained. Everything should be modified and verified and ... Sure, it's doable. But is it worth of it? Just like some say that old apps can't work with IPv6. They're just really sucky engineers and programmers if they claim that. Sure it's doable. It just might require modifying everything starting from the operating system and it's networking stack. ;)
  • Anyway, writing a fully threaded message board for Mobile Users with Geo Localization, Machine Learning, Private Messaging, extensive Tagging System and other neat stuff was interesting journey. Learning new things isn't so much wasted resources after all. Now I'll continue implementing more advanced algorithms for one another project, which hasn't been announced publicly yet. Mobile GPS location, GeoLocation based on IP etc. Calulating distances between locations and optimizing database queries and so on. Experimenting with Unicode glyphs and URLs etc.
  • Read: Edward Snowden at IETF 93
  • Some stuff from my Kindle notes:
    • Shortened and underlined quotes for: Top 5 priorities for a startup CEO
    • focus on growth levers (sales/customers/users).
    • focus on product/UX.
    • product roadmap is aligned to market needs.
    • Motivate, support, and grow your team.
    • Strong communication is the basis of any good relationship.
    • Give employees a platform to communicate publicly and privately.
    • The role of a CEO is to be able to steer and balance a company with limited resources on a path toward profitability, financing, and/or an exit.
    • What most people don’t realize is that the early success of startups is almost always about tactics rather than strategy.
    • Talk to customers. But even more importantly listen to what they want.
    • Stay calm and remain positive at all times, even when you’re not calm deep down.
  • OpenBazaar DHT documentation:
    • As per usual, nodes hosting the key/value pair periodically check in with each other to update the value -- so they all have the most recent version.
    • SANITIZE(X)
    • Node B updates against node A in the same manner. In fact, all nodes in the neighborhood of KEY update against each other in this way.
  • Web Reputation documentation:
    • “Item as described,” “Communications,” “Shipping time,” and “Shipping and handling charges.”
    • Reputation systems create real-world value.
    • Don’t cross the streams. Good digital reputations should always be context limited — the nature of the inputs should constrain the use of the reputation scores that are output.
    • Leaderboards. Whuffie Bank.
  • Read article:  OpenBazaar Needs Freenet - Highlights: ademanAnonymity, Bitcoin, Darknet, Freenet, Liberty, markets, OpenBazaar, Privacy7
    • Quote: "While I was overall encouraged, I was a bit disappointed to see IPFS favored over a project I’ve recently become passionate about: Freenet." - I don't have anything against IPFS except it's new tech and not proven as well there are many unanswered questions, but usually answers to those will turn up with time. Either it's bad or good, but who knows at this point. Future will show.

QRcode, Privacy Shield, Crypto, Python3, RTC, Zeronet, SSH, BigData, GoingDark, CyberCrime, IPv6

posted Jun 27, 2016, 10:18 PM by Sami Lehtinen   [ updated Jun 27, 2016, 10:19 PM ]

  • Had a long silly discussion about 'Encrypted QR codes'. Well QR codes are just data. It's up to you what kind of data you're storing, and how it's being obfuscated, encrypted, signed and verified, etc.
  • Checked out EU-US Privacy Shield at general level.
  • Excellent article Breaking homegrown crypto - Yes, that's why you shouldn't build your own, even if it sounds like really good idea at times. Eh. - Yet once again, as long as the encrypted payload is short enough compared to the random key, so it remains nearly OTP, it doesn't matter. But that illusion breaks very quickly when key entropy or length is being reduced.
  • Still got blog backlog for almost two years. Maybe I'll need to make a mega dump post during summer or some vacation when I got time for that. (I'm actually doing that right now)
  • Cinia finally announced that 144 Tbit/s fiber is now commercially available between Helsinki and Frankfurt.
  • Even Microsoft says Python 3 rocks.
  • Linux prefers UTC RTC and Windows prefers Local Time. Yet I prefer always UTC, because it's so easy to miserably fail doing stuff when you don't realize some logs use different time zone or something like that. UTC only please and Unix timestamps (Unix time, POSIX time, Epoch time).
  • Quickly checked out zeronet.io. It's an interesting concept, but no time to dig deeper. Shortly: Anonymous, Offline, Peer-to-Peer, Simple. Own domains, No hosting, No passwords, Dynamic Content. Sounds like a paranoid hacker nerd dream. Quite Sweet? Of course utilizing popular: Bitcoin cryptography and BitTorrent network.
  • Nice article SSH Best practices. Yep, nothing new there. But very good read if you don't feel like knowing it all already.
  • Dark Side of Big Data. - An excellent article. These are good questions. Is big data liability or asset? What if data leaks and/or is being abused, etc.
  • Excellent related reading: Going dark: online privacy and anonymity for normal people.
  • Looking for a data center place in Finland? Here's a site and maps for you.
  • Online Cyber Crime Preventation and awareness by Europol. Nothing new there either, but if you're not familiar with the topic, just go and check it out. Maybe you'll learn something useful.
  • Reported Bottle.py web framework issue when setting cookies with redirect (303) response with uWSGI. Report here. Yet this problem doesn't arise when using Bottle.py's internal dev web server. Therefore I don't know if the root cause is on uWSGI's or Bottle.py's side. Unfortunately I weren't interested enough to debug that. I think it worked with older uWSGI & Bottle.py but when I upgraded both something went awry.
  • Helped a friend who had serious IPv6 issues. Ha, he had the same MLD issue I were running earlier into. When using neighborhood discovery everything worked, but when router updated it's MAC / IP mapping tables using MLD it failed and router started to tell that there's no route. Yet it seems that ICMP things like ping can still trigger neighborhood discovery and after that TCP / UDP starts to work again. All this can be fixed using either of two methods. First, change router to use neighborhood discovery instead of MLD and or allow MLD on all clients so those respond to requests properly.

G.fast, HTTP/2, GLUE, WiFi, DFS, DTPC, FMS, RPA

posted Jun 27, 2016, 10:08 PM by Sami Lehtinen   [ updated Jun 27, 2016, 10:19 PM ]

  • Checked out G.fast. Basic stuff: FEC, Reed-Solomon, Trellis Coding, Impulse Noise Protection (INP), Time-Disivion Duplexing (TDD) and Fast Rate Adaption (FRA). Plus naturally some crosstalk problems. Far end crosstalk cancellation. (Self-FEXT, aka g.vector / vectoring)
  • Just so much fun migrating servers and database servers from platform to another, enjoying ultra slow migrations which might still eventually fail. - Business as usual. - Even if not particularly rewarding, until the miracle happens and stuff works.
  • Ubuntu 16.04 Python 3 finally. Golang included, neat. Really don't care about Compiz. LXD, Docker, neat. Yet Golang isn't installed by default, but Python3 is. No need for ZFS, maybe LVM.
  • Apache HTTP/2 support via mod_http2. It would work better than the experimental SPDY module I used earlier which caused seg faults.
  • Uh oh. fglrx deprecated, let's see if I ever get my display adapter to work. I gave up on it about 1.5 years ago, when Kernel updates did break official driver totally and suddenly. Afaik there hasn't been fix for this since. Maybe I'll try after I'll upgrade the primary system to 16.04. I spent several days trouble shooting that stuff and nope, it just won't work, and that's it. Learned a lot more about drivers & X than I wanted to. Some people whine about driver performance. I really don't care about the performance. If it would work at all, it would be much better than whine tuning and whining about some dismal performance tweaks. But that's the usual way, let's improve the performance for 0.5% and break the crap for 50% of users so it won't work at all. Is that a win or fail? Nor I care about CUDA or OpenCL, basic frame buffer would do. But nope, that's too complex for engineers. Well, after 16.04 update I'll try for about 4 hours, then I'll say that nope, it's Nvidia, it's bleep, and won't touch that stuff anymore.
  • I've been thinking about buying a proper display adapter and that naturally doesn't include brands like Nvidia. Been thinking quad quad high definition upgrade. Using four 2560x1440 displays.
  • Makes you laugh when some people work on their laptops. Any laptop can't replace a proper computer battle station.
  • Checked out Generic Layer for Unified Ecommerce (GLUE). It allows web retailers to directly integrate logistics and stock with delivery service providers. Items can be delivered from closes stock as well as be prestored near customers, before orders happen. Yeah, nothing new. Afaik Amazon has been doing something like this for quite a while.
  • Just wondering if anyone has seen 5GHz DFS (radar avoidance) being triggered in Finland when using WLAN / WiFi? If so it would be nice to know about that. I've asked quite a few WiFi network operators and nobody has seen it ever happening. But I assume it of course could happen at any time. Currently using large 5GHz network on channel 140. Curious if that has been happening around regions where there are military areas, airfields or ports? (Hamina, Isosaari, Turku, Hanko, Uusikaupunki, Rauma). Some of the radars are so powerful that you can hear those beams sweeping even on traditional FM radio. Yet I have no knowledge about the frequency ranges actually being used.
  • Exposed node and hidden node problems. Nothing new, that wireless network stuff just reminded me about that. Dynamic transmit-power control (DTPC)
  • Some integrations to one major Financial Management System (FMS) environment. Random integrations are popping up from everywhere. But that's today. Wondering if Robotic Process Automation (RPA) can replace some of these integrations in future. Yet simple integrations can be easily done in a few hours. As long as everyone knows what they're doing. And that's not the case always. As we all know.
  • Something different: MiG-29K

Ciphers, WAL bugs, Posteo, IPv4 / IPv6, LPWAN, Sigfox, bt.tn, COGS

posted Jun 26, 2016, 10:42 PM by Sami Lehtinen   [ updated Jun 26, 2016, 10:46 PM ]

  • Reminded myself about CBC+ESSIV & CTR & XEX & XTS as well as CMC and EME, as well as speed differences created by CPUs support for AES-NI which makes AES much faster option than other ciphers.
  • Time4VPS servers seem to be awesome. I mean really nice bang for buck for personal use.
  • Had a good weekend, fixed plenty of software bugs in one project. I guess total number of issues fixed was more like 52 or something. Mostly those were pretty simple issues causing uncaught exceptions, which when combined with those certain database transaction scope issues caused major headache. Write ahead logs were growing into gigabytes pretty quickly and that's bad. - Growing WAL logs is also great RAM sucker, because it needs to be checked every time when database is being accessed. When you're getting to the point where WAL is larger than the RAM of the server, you'll start having really bad time at least in performance terms.
  • Read book: Cyber War in Perspective: Russian Aggression against Ukraine - I'll provide quick thoughts and comments later.
  • Wrote internal documentation describing Apache Guacamole Pros and Cons as well as describing it's technology stack, configuration options and possibilities for automated system integration.
  • Carefully studied Posteo.de features, FAQ & privacy documentation.
  • When will the IPv4 get thrown out? And people really prefer IPv6 Only? When all systems aren't configured with IPv4 to begin with, there will be problems. There's nothing wrong with Netware, IPX or serial cables. But it's surprising how many people are clueless about the fact that you need to manually configure both ends to use same settings when using a serial cable. Similarly horrible things like NAT will be most confusing and enraging legacy tech to be found. These nasty things (NAT, private IP ranges, etc) get people confused all the time even today. Simply because most of people don't any more have any idea how it works, they just see that things are broken. There are also SysAdmins out there who don't simply get shell at all, because they've always used GUI. (Ouch!)
  • LoadAverage.org (no link, it's down) has been down now for quite a while. Sure, that's the problem with sites with single administrator. Things might work great for years. But if brown stuff hits the fan, especially at wrong moment. It might take a while before things are back. Especially if it's extremely sticky brown stuff and it's something which really requires work and not just, oh well, I'll need to reboot it or make a minor disk cleanup or something like that.
  • Checked out Low-Power Wide-Area Network (LPWAN) networking services for wireless telecommunication. In Finland there are two technologies being used LoRaWAN by LoRa Alliance and Sigfox by SIGFOX. Wide-band who needs that these technologies bring you ultra-narrow band (UNB) technology.
  • Studied bt.tn and it's API in detail. Basic stuff Web hooks and REST API. It's just as everyone else is doing it, with very simple (obviously) interfaces. Only complication there's is the option to use asynchronous mode, but even that is a peace of cake.
  • Google I/O 2016: "Performance is art of avoiding work". - That's sounds great. I'm pretty sure Dilbert is one of top performing employees.
  • Read a long post about Deep Learning and it's inherent problems.
  • Enjoyed explaining obvious things like COGS to a customer.
  • Something different: HAL Tejas

General Data Protection Regulation (GDPR) - Thoughts

posted Jun 26, 2016, 10:31 PM by Sami Lehtinen   [ updated Jun 26, 2016, 10:34 PM ]

  • Read about General Data Protection Regulation (GDPR) @ Wikipedia or GDPR @ EU Justice portal
  • Privacy by design. That's a nice dream. Truth is that privacy regulations aren't usually followed and so what? Because stuff doesn't end up in court, it means that it's enough, even if it might not be legal.
  • Risk assessment - It's funny that so many security requirements refer to risk assessment. Yet, the risk assessment can be done so differently for the same case, depending from the original viewpoint. So it's totally negotiable and subjective. Others might think that no security whatsoever is required, and some other might think that this is totally critical and requires extreme paranoid tinfoil hat security. Like, half our system administration staff are foreign agents and so on. ;)
  • Data breaches - Sure. I've asked this earlier. Is the problem the data breach, or knowledge about it? As we've seen in news and ... It's common that the messenger is being shot. It was in news that FBI raided security researcher reporting security flaws. Nothing new. So if you find serious security breach, if it's on your responsibility, just fix it quietly and hope that nobody outside the responsibility chain finds out. If there are audit logs which will show that the vulnerability was being accessed, it might not be a good idea to look at those logs? Why? If you don't take a look, you can just say. Well well, there was a minor bug / configuration issue, we've fixed it. If you take a look at logs and therefore know that it was being exploited. Ouch, it's worse than not taking a look. I know this is totally horrible, but this is just the way things seem to often be. Same applies to many major accidents, there might have been long discussions about the risk related. But no action was taken. When the bad thing happens, it would have been actually better if it would have been something that was totally unpredictable and random. Instead of, yeah sure, We've known about that stuff for years. But we really didn't care. So, not reporting is safer than reporting. Isn't this anyway what all the big organizations are doing. Then they can blame singe individual about organizational fail. If things go well, then collective failure wasn't actually anyones fault. This has been seen over and over in root cause analysis of serious accidents. - This has nothing to got with computers or security, it's global and applies to any industry and military operations and so on.
  • Right to erasure is a nice thing. bBut again, it's something that might be hard to implement in some cases and cause problems for systems not designed to handle cases like that.
  • Data portability requirement will cause a lot of gray hairs for lot of tech stuff and management, for sure. It's really really nice fantasy, but can cause major havoc, because systems just aren't compatible and then there are more or less buggy and bad import / export features etc. - Sounds wonderful and really horrible at the very same time. - It's just like integrating totally different systems together as usual. Nice idea, but might require lot of work and still backfire with really bad results and 'random' malfunctions. Causing years of bad reliability. Stuff which isn't being automated, is broken over and over again by someone changing something manually and ... All the usual stuff. There might be some hidden dependencies, if the feature isn't being a lot, it could get totally broken by future updates ... - It's nice question how "a cloud provider" is being defined.
  • Conflicting requirements with EU-US Privacy Shield are also pretty interesting ones. But I'm sure someone will figure those out at some point.
  • It's also a huge burden for free services that these rules apply to non-commercial operations. Time will tell how bad this actually is.
  • Finally, intentions are good. Those are wonderful requirements. I wish everyone would actually follow the regulation. But the reality might actually turn out to be different. - Might? I'm pretty sure it does. - Legalization hasn't fixed (much more serious) issues in the world before and it doesn't do it now either.

HFDE & SED, BitLocker, C-Lion1, DDG, ORM, Internet, RFoG, Docker

posted Jun 25, 2016, 9:37 PM by Sami Lehtinen   [ updated Jun 25, 2016, 9:38 PM ]

  • Reminded my self about Hardware FDE and ViaSat Eclypt drives. Opal Security Subsystem Class and Trusted Computing Group (TCG). Also read: Bypassing Self - Encrypting Drives (SED) in Enterprise Environments [pdf] - Those methods were kind of obvious and silly. Sure if the drive is unlocked when attacker gains physical access, that's bad.
  • After discussing a few details with friends, we concluded that correctly made backdoor doesn't actually reduce security by any meaningful way for normal lawful use. Yet it allows media access for authorities if legally required to do so. So is it so bad, or is it something most of people would actually agree to?
  • Once again it's time to remind when people say it's using AES256 and it means that it's absolutely secure. Yes, bit did you also figure out that you'll need 32 bytes (256 bits) of entropy, meaning that the password needs to be about 43 characters long random string with special characters. As well as there are many other fails than the cipher alone.
  • Read about Elephant Diffuser being which was removed from Windows 2012 / 10 BitLocker.
  • Found out that one version of GNU social got totally broken private messaging. Yes, it was running on live production servers. Funny. But that's life. So if you sent a private message, it was still completely public.
  • Added a few monitoring points and scripts with alerts to inform me as soon as the Telia, TeliaSonera, Sonera, starts to route using C-Lion1 from hls to ffm. Data is also logged. Of course I've got lot more data points, but this is one which has been configured to create immediate personal alerts, so I can check other data points with other operators. Expectation is to see latencies to be reduced by about 10 - 15 ms. Actually I think that switch will happen before this blog post is actually out. But that's life. Backlog is quite long.
  • Some of DuckDuckGo stuff is now loaded directly from yahoo.net and not from duckduckgo.com. Hmm, interesting development. I wonder when they add Google Analytics and claim that they don't track you. The pro tip is that they're not doing it, it's Google that's doing it. Classic ways to mislead people. We're not, but ha ha, we're during actually exactly what you feared, but we just avoided answering that question because you asked in a wrong way.
  • Got question about Peewee ORM Transactions with SQLite3. Why does it matter if try and except are inside with transaction or outside it? Or maybe I've just missed documentation about that being strict. Had serious problems with ever growing WAL file because selects were left at times open after exception occurred. I'm using auto commit and with transaction. So I would assume it would mean that the select and query statement would be closed and finalized always automatically. So what if there's uncaught exception. But that doesn't seem to be the case. so even if you're doing with transaction select a ton of stuff and then processing data using cursor if there's an exception that boots the execution out from that with transaction scope block the cursor doesn't get closed. Ouch. Once again a good example where expecting something to happen, doesn't actually matter at all, because your expectations are just wrong. Been there, failed that. Fixed.
  • How the Internet works: Submarine fiber - Awesome article. Loved it, yet. I'm pretty sure it didn't provide any new information, but it's great generic overview for people whom might not be familiar with all this stuff.
  • Learned something new I didn't know earlier RFoG.
  • Should data be put in docker containers or outside? When I did those docker tests I did place data inside container, but afaik that's not a great plan. On the other hand, one of the goals of the project was to minimize time required to configure such a system and that's the reason why I didn't go for it. Probably could have done that pretty quickly, but it's still one more extra step to take. Simple, default, is good. Anything which adds complexity is bad, especially in this kind of scenario where aim isn't to do things right, but do things quickly so that stuff just works. Which naturally can back fire later and isn't great plan for production environments, but for experimental test projects, it's the way I like to do things.

Apache Guacamole, MC, SQLite3, Peewee, OpenBazaar, IPv6, SSD, ext4

posted Jun 25, 2016, 9:28 PM by Sami Lehtinen   [ updated Jun 25, 2016, 9:28 PM ]

  • Sigh, why does Midnight Commander (mc) require libssh2-1 and unzip, I love mc. But I don't what I would do actually with those two outdated libs.
  • Quickly played with Apache Guacamole. It's great, I've been actually looking for something like that. Maybe I'll give it a real spin soon. Something more than just 15 minutes in a VM.
  • Decided to finally kill lclbd.com in favor of other hobby projects. There's only limited amount of time to get things done.
  • When I said that I'll close down LclBd because lack of suitable server, a friend of mine said he'll provide a free server. So it took only 10 minutes to setup the site back up'n'running. Yet, I've blocked new user registrations. Service will be shutdown when domain expiration should be done next time.
  • Database Locked with SQLite3? Just sleep a while and retry write. Unless you're having some locking issues or something silly like long running write transactions open. Yes, that's a guaranteed fail. Even more methods to Fingerprint Web Browser users, newest technology is called Acoustic Fingerprint, here's a working demo called Audio Fingerprint. Yet technically using return of some generated signal for fingerprinting isn't anything new, of course. It's decades old technology.Todays advanced signal processing capabilities make it just much more powerful.
  • After upgrading to latest version of Peewee I've been getting InterfaceError messages about parameter binding, which I haven't ever seen before. Maybe I'm doing something wrong, maybe not? Also those exceptions seem to easily leave cursor open and prevent prover WAL file processing with SQLite3 . Any pro tips, anyone? "peewee.InterfaceError: Error binding parameter 0 - probably unsupported type." Haven't yet had time to properly debug that, just wondering at this moment. But I'll figure it out soon enough hopefully.
  • Blog post: OpenBazaar Needs Freenet. Well, I've liked Freenet too. But signed key value storage isn't good for everything. If everything is built on top of it, it might end up being a really terrible technical kludge. Even if that might work locally, on distributed network it's lot slower. I'm also bit skeptical about IPFS, but to be honest. I haven't tried it. It's marketing hype was just so full of vapor that it did really badly annoy me. Keywords: Anonymity, Bitcoin, Darknet, Freenet, Liberty, markets, OpenBazaar, Privacy.
  • Configured Apache Guacamole for testing environment using Ubuntu, Docker, PostgreSQL (Postgres), guacd and guacamole itself. Guacamole provides clientless remote desktop access. There's just one really strange thing, don't really get what takes so long when starting the guacamole container. Tomcat starts and fails.... But after a long delay, something like 15 minutes, it starts to work. I've checked that the database is guaranteed to be available and correctly configured. I hope this gets fixed in coming releases. If required, I can provide additional information.
  • Large IPv6 UDP packets [pdf]. Packet fragmentation is a big problem. Been there done that, with some apps I sent large UDP packets and some fragments were always missing, it it worked well for LAN.
  • Configured all systems to use units in gigabytes to reduce confusion and improve readability.
  • Do SSD drives lose data when stored extensively unpowered? Some say yes, some say no. - I guess it's not that simple. It's just like they said that CDs retain data foor 100+ years, but truth is that I've thrown out all of my RW disks except a few ones, because those have anyway lost the data. Or it has become unreadable, which is actually the same thing. So is the data retention 3 years or 200 years? Probably somewhere between depending on multiple factors. - I love when people give simple answers to complex questions. Because these are questions where there is no simple answer. Only time will tell. For real results you should do long term large scale extensive testing with scientific data collection.- That's the only way to get results, and even if that is done. Someone will argue about the placement of drives and what kind of background radiation those were exposed to and so on. - Only time will tell. Meanwhile, keep multipel copies and refresh those and check data integrity.
  • It's like the discussion where people claimed that ext2 is better for flash drives than ext4, because it doesn't do journaling. Well well. Who says you couldn't use ext4 without journal too? It's so easy about being wrong about almost anything. Many programs and platforms can be configured in millions of ways, there are multiple vendors, there are different environments and to sum it up, stuff like ext4 is open source, so you can change the source, recompile it and use it with your own parameters. Dropping something like journaling shouldn't be too big job, because it's likely to be very concentrated in code & libs. Breaking it on purpose isn't hard task, even if there wouldn't be pre-existing parameter for it.
  • Found out why Guacamole / Tomcat start was so ridiculously slow. Here's the reason: 26-May-2016 08:44:05.084 INFO [localhost-startStop-1] org.apache.catalina.util.SessionIdGeneratorBase.createSecureRandom Creation of SecureRandom instance for session ID generation using [SHA1PRNG] took [1,329,626] milliseconds. Actually that's not a big problem, server is restarted very rarely. But it's still very annoying if users happen to wait for that to happen. Classic engineering. All users thought that that doesn't make any sense whatsoever.

MD5 and SHA1 password collision example attack vectors

posted Jun 15, 2016, 6:27 AM by Sami Lehtinen   [ updated Jun 16, 2016, 7:44 AM ]

Password limits: max 32 chars, every character in ASCII range 0x20 - 0x7E
People claim that MD5 and SHA1 collisions are trivial and salting doesn't help. So if it's that trivial, please provide me collisions. Because I didn't find any samples by Googling.

passwordmd5
5f4dcc3b5aa765d61d8327deb882cf99
%$H4LTeD~password%$H4LTeD~md535589ab72ed54bdad5453d7c712afed3
passwordsha15baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
%$H4LTeD~password%$H4LTeD~sha1
7ab0bc1a15f6f466066bb445d8524a48a5563a59

If it's that trivial as it's being said, someone smarter than me, could use that 15 minutes to provide colliding strings for all of the hashes mentioned.
I don't just personally believe it's that easy. But I might be totally wrong.
I've seen a lot of discussion, but not a single practical example anywhere.
If password is too hard, almost any English language word being 8 characters long with colliding string is a perfect start.

As example, here are some collisions using crc32. All of these words produce same end result 35c246d5.
pasword = afapaheh, avrehnqx, bgdqkibq, bkxwghlw, bwwdbova, cpmlklsb, degegezf, dfirwsly, dutpncnv, dzfartvo, enakbgqc, fodjhfvz, fskymall, gkpuqsef, gtqqdbio, gxmwhcgi, henzclfp, iazezyul, ibtrjocs, inhtfnmu.

Keywords: #password #collision #example #attack #vectors for #sha1 and #md5 #hash #challenge #hacking #cracking

TOTP, OTP, OATH, LXC, LXD, Ubuntu, Telegram, HD reliability, uWSGI, HL7 / FHIR

posted Jun 11, 2016, 11:41 PM by Sami Lehtinen   [ updated Jun 11, 2016, 11:48 PM ]

  • Once again used TOTP for one project, it's great, it's dead simple to implement. Very nice addition to password, allows quick banning of IP after a few invalid attempts. Lovely. Of course it's completely free, and doesn't require any third party services to be trusted. Almost perfection in that sense.
  • Added OATH (TOTP) additional OTP authentication to two different projects. (SSH & web login), it was a breeze and wonderfully trivial to get done. The login process was designed so that the login token and OATH token is given simultaneously. Which means that if either of the tokens is invalid, the login fails. This means that OATH adds even (a bit) extra security to the 128 bit login token. For APIs I don't prefer OATH, I prefer usually signed messages with timestamp or counter or both. But in this case and for end users this is great. Yes, the SSH also uses of course the key + password + oath. So it's triple secure login for a security demanding customer.
  • Re-installed all of my virtual machines. With latest Ubuntu. Played a lot with uWSGI, Python 3.5.1 and LXC & LXD. Haven't yet decided if I'm going to use LXC / LXD for one project or not. Probably not (due to the fact that the system got only single public IP) and it's not so powerful. If it would have multiple IPs and or it would be more powerful then I could share it for several projects using LXC.
  • Finally service provided did start to provide clean 16.04 setup, so it came just when I thought I'll order 15.04 and do distribution upgrade. This is great. Made a long document about every configuration parameter which needs to be configured so the system will run smoothly. Yay. Ton of stuff to do, but it's all fun. And actually tried and tested on local test server(s) before actual production setup so that shouldn't be hard. It's just interesting and fun, I guess.
  • Added an option to deliver low priority notices over Telegram Bot API as 'silent alarm', because the selected alarm tone for Telegram alerts is horribly blaring air raid siren so I would notice it for sure.
  • More excellent Hard drive reliability statistics from Backblaze.
  • Refreshed my memory about uWSGI options and made notes about options which are actually needed. The list is still ahem, awesome!
  • Made some HL7 / FHIR stuff. Unfortunately no more details available. (HTTPS / RESTful / JSON) + User Interface design.
  • Checked out one more cheap European server provider. Aruba Cloud - Nice. I might move my small low priority personal stuff to one 1€ / mo server. It's much sweeter deal than paying for more to someone to host your email.
  • Ubuntu 14.04 -> 16.04 upgrade not yet available. I've got one more system to upgrade, which was using 14.04 earlier. I thought I would do it today, but nope. Update not yet available. Well, I'll keep checking monthly when it will happen. I'm secretly hoping it would solve my display adapter problems, but I'm not too optimistic.
  • Moar Emojis, sigh. Unicode9.
  • Multiple discussions with friends about routing, server locations, server types, storage, ram, cpu, application optimization, back end & front end design etc.
  • Sigh, wget as attack vector? Yeah, why not? It seems that Unicode urls happily crash wget with Segmentation fault (core dumped). - Yay! No unicode urs for wget it seems to be.

1-10 of 373