My personal blog about stuff I do, like and I'am interested in. If you have any questions, feel free to mail me!
[ Full list of blog posts ]

Project management failures and hopeless customers

posted by Sami Lehtinen   [ updated ]

Project management failures and hopeless customers. This is way too common. Finished reading project manager magazine which went through these matters once again. Nothing has changed, customers wants something, today, for free and then it should be something very great, but I'm not sure yet what it should be. - All so familiar story over and over again. Then starts complaining why it's taking so long, and why it isn't ready (what we haven't even ordered) and haven't received offer about, because we don't know what it should be.

But sometimes, there are smart and competent customers out there, and it's just great to work with them. Without always falling back to that totally hopeless discussion pattern described in first paragraph.

One customer thought that if they buy automatic stock management software, it would solve their stock issues. Because nobody knew what they have in stock and what they need. Well, if they don't feed required information into the system, it won't help. Worst customers are those, which are so totally and absolutely clueless about their business, that they don't even have faintest idea what they really need, and what fulfilling the need requires.

In Finnish media there was an article about very small software company, which thought they would need extensive project and resource management system, because without it it's impossible to manage projects and resources. Well well, it was it. All the capital they had, they spent on their ERP product, and they didn't ship anything else out at all. Is this correct focus of resources? - Of course it isn't.

Related links, I've read:
Solving my problem, by looking at similar generic problems and looking for generic solutions for generic problems. And not by re-inveting wheel and building a new solution to my problem. Just like taking a look of already existing computing algorithms, instead of drafting your own. Probably the already existing solutions are much more advanced, faster and better.

BitTorrent Bleep, my analysis

posted by Sami Lehtinen   [ updated ]

BitTorrent Bleep
BitTorrent Bleep Tech

First of all, they start by lying: "Bleep offers the freedom to communicate without the risk of metadata being exposed." Yet they say it's using direct connection? - Massive fail.

First you should define, what metadata is and then tell where it doesn't leak it to. Ok, it doesn't leak it to "central server", but it does leak it to anyone monitoring the Internet connection.

AFAIK: if you form direct connetion between Alice and Bob, you're leaking metadata and clearly revealing connection as well as communication times, amount of communicated, called communication pattern. If that's not metadata leak, I don't know what is. RetroShare has provided similar kind and even bit better features earlier. But with same limitations, it doesn't hide communication patterns and doesn't stop metadata leak.

Depending how the contact lookup DHT based lookup & locate system is designed, it might also leak and reveal contacts you're looking for indirectly.

"Journalists communicating with sources without exposing their identity or their content." - They're lying again. If you have direct connection between A & B, you're for sure leaking the information.

"Businesses keeping communications confidential, safe from leaks, and safe from industrial espionage". Define confidential and leak? Is it leak that Corp A is communicating actively with B? I would say it's a leak. So they're lying again.

Actually this was easy analysis to do, because I've been planning similar system for a long time. I just haven't had time to do it. This is because I didn't really like Bitmessage design. I would have replaced flood replicated message repository with DHT implementation. But then there's again question, how to stop the metadata leak. The best solution I can come up with is constant pseudo random communication pattern with DHT network. If done correctly using this method system can completely hide if you're communicating at all and with whom you're communicating, when and how much. That would be the perfect solution. With a few changes, system could be bit less secure, but more practical. In that case something similar to Tor Onion routing could be used. Or simply publishing to many DHT nodes using pseudo random pattern and the message recipient would then fetch the message using pseudo random pattern. But as far as I know, these methods will make the network susceptible to long term statistical traffic analysis.

Yet, as we remember, Tor doesn't try to protect you against that either.

Btw. RetroShare has offered similar networking features for a loooong time. It doesn't currently provide voice / video calls, but technically it's network is very similar. As well as it allows relaying messages (technical term) to untrusted peers via trust network. But as said, it doesn't even try to hide connection between A & B. Does it matter? I don't know. Is it bad if I call Osama Bin Ladens mom weekly and ask foor traditional food recipes? Doesn't initially might sound so bad after all, but I'm quite sure it would make me a suspect in the intelligence domain.

More reading? Signals intelligence & Traffic analysis.

Finished reading: Starting a new business in Estonia, a guide for starting entrepreneurs

posted by Sami Lehtinen   [ updated ]


Links in English:
Linkit aiheeseen suomeksi (in Finnish):
KW: Eesti, Eestiin, Viro, Viroon, Virosta, Virossa, Estonian, EU, European Union, Euroopan Unioni, yrittäjä, yrittäjäksi, yrityksen, yrittäjyys, opas, entrepreneurship, baltic countries, start up, yhtiömuodot, verotus, Enterprise Estonia, Kred-Ex

ISDN modem configuration, hayes commands, modems, and engineering failure, BBS times

posted by Sami Lehtinen   [ updated ]

Really old stuff, but just for fun.

I remember this very clearly. Several engineers used several weeks to trouble shoot why ISDN modem wasn't working.

They did reset the modem, and try Internet connection, working.
They did reset the modem, and try credit card authorization connection, working.
But when you did those in serial a modem stopped to respond.

What they didn't get, was that the modem mode needed to be correctly configure simply using one hayes command to change the mode. Instead of that they tried everything, installing multiple modem drivers in parallel, configuring those using the modem drivers user interface. As well as in some cases installing two parallel ISDN modems to computer, because 'one didn't do it and didn't work'.

After changing that just one parameter in configuration file, everything worked just fine. You could use it for Internet connections, banking traffic and for other uses too like credit card authentication calls. No need to install several parallel modems, one for each use.

What did they miss?

One command changed the modem response mode (V0 vs V1). Which changes what kind of return strings (number codes or english messages texts) the modem returns after each command. If the software wasn't able to handle both or mode was incorrect, of course that modem appeared to be dead to other apps trying to use it.

Sometimes I'm really baffled how incapable people are solving problems, because they don't want to dig into the problem. Instead they try over and over other simple silly workarounds which won't work. Same applies to restarting programs when those fail. No, restarting won't ever fix a real problem. Instead you should look for the real reason why program isn't working as expected.

Another fun BBS related story

I changed my modems escape command from +++ to ''' after that I was able to issue +++ command, which of course was echoed by the other end to their modem. Using this echo trick allowed me to issue configuration commands for their modem. With some BBS systems it was possible to logoff and logon again, without acutally disconnecting and now gaining new full session with fresh connection time limit. Using this trick you could also potentially create a Denial of Service by reconfiguring modem so that it doesn't answer calls or give indication of incoming all so that the system would detect it and answer to call. - Those were good times.

Wikipedia: Hayes command set

Of course everyone should have tried every command as well as vendor specific commands and experiment how those affect things.

Peewee: Joining two tables without subquery. Is it possible?

posted Jul 15, 2014, 8:58 AM by Sami Lehtinen   [ updated Jul 16, 2014, 9:00 AM ]

I just got a very simple question, how to rewrite this statement, so that it is using only join, without separate subquery. Should be easy? But I'm not enough experienced with peewee, so that I could get it done trivially. I've tried multiple times, and I just doesn't seem to figure out how it should be done. That's why I want to know if it's possible at all. Should be?

read = Status_t.thread ).where( Status_t.usr == current_user )
query = Thread_t, Status_t )
      .order_by( Thread_t.time.desc() )
      .join( Status_t, JOIN_LEFT_OUTER )
      .where( ( Status_t.thread == None ) |
              ~( Status_t.thread << read ) |
              ( ( Status_t.last_read != Thread_t.comment ) &
                ( Status_t.uid == current_user )

Should be trivial right? Somehow I just doesn't seem to quickly figure out how it's done. Actually creating that horrible statement took quite a while. Without peewee ORM this would have been of course trivial, but I wanted to use ORM in the first place.

KW: Python, sql, database, databases, tables, table, query, queries, join, joining, joins.


posted Jul 12, 2014, 3:45 AM by Sami Lehtinen   [ updated Jul 12, 2014, 3:46 AM ] - Yet another authentication service. World is full of these services,
but I haven't yet found the one I would really love. Let's see if this would be the solution I could use for sites with lower security requirements. Why I said lower security? Main problem as I have earlier described is that mobile phone actually can't be used for high security authentication, because it's programmable computer itself. Especially in cases where keys are stored in the phone itself and are (directly) accessible via operating system.

First impression QR code login, reminds me immediately from SQRL (Secure Quick Reliable Login), which has been developing a lot lately. Basically this is okish solution. Works ok if you're not truly paranoid and you're using desktop to access systems and mobile phone for two-factor authentication. But there's immediately a problem when mobile phone itself is used to access these services. Now benefit of two-factor authentication is immediately lost, because the device is used for authentication and accessing the sites. Because mobile users are taking over the web, this is just more and more likely scenario. And after all only as good as any 'authentication application' on same device.

This list is actually directly from SQRLs page. (20140703)

Among the problems we have solved to create a practical solution, are:

 * How are identities backed up and/or cloned to other devices?
 * What about logging into a website displayed on the smart phones own browser?
 * What if the smart phone that contains my identity is lost or stolen?
 * What about password protecting logins on the phone?
 * What if the phone is hacked?
 * What about different people (and identities) sharing one phone?
 * What about having multiple identities for the same website?

I don't have great answers for those. Except that the password protecting logins on phone will make the experience even worse. First huge password to unlock phone, then even huger password to unlock the passwords ehh, logins / authentication information, etc. I guess this is just the reason why most of people don't care about security at all. They just use the same simple password on every site, or don't use any passwords / pins on device at all, if possible. On the other hand, logging in to a site from authentication application directly with single click is very user friendly method. So in this sense, they're right for sure, Saaspass is naturally a lot more secure than passwords. Although almost any solution which uses non-static random passwords is very secure compared to static and non-random passwords (the usual reference case). As well as getting rid of password resets is just great. Many sites seem to have high security, yet they still allow password resets using email, which is naturally a major fail.

So I can agree with them about this quote from their web pages: "This is the one authentication system that is actually easier to use than traditional login / password conventions and much more secure.". When that great feature is combined with the management portal, it's absolutely great solution. Because everyone at home, is suffering from logins & passwords, but businesses are suffering a lot more. Basically you have tens of different credentials and to cut down the work of maintaining the credentials usually there are shared accounts. Which leads to quite total loss of auditing and security. Because passwords might be widely shared and learned, changing such passwords is a bad thing, because everyone will be complaining after that. I've been blogging about this earlier. In some cases, the credential issuer doesn't even know which entities are using the password. So if you go and change it, everyone will be very unhappy. In some cases this might even break automated integrations etc. So, having efficient way to manage personal credentials is the way to go.

I personally think that the pin code for 4 digits is way too short. As far as I know, data isn't protected by something like SIM card, so it's totally possible to copy the credential storage and run off-line attack against it. In such case, 4 digits is 'nothing', even if it would be lengthened. Due to limited processing power on mobile phones, heavy password lengthening isn't great option either. So a lot longer password is required for such cases to achieve cryptographically feasible key. Of course if we can assume there won't be off-line attacks, 4 digits is bit on so so side anyway. It's worth of noting that this isn't only the 'default' setting, they do not allow stronger password than 4 digit pin.

I personally don't like the profiles feature. I think authentication application should be used to authenticate users, and not to manage (any) other user data. Yet, I can see situations where people would see this feature beneficial. Great thing is that nobody forces you to use this feature. Android mobile app didn't allow me to delete profiles, or I just couldn't find it. Anyway, they also provide link to the web portal, where deleting profiles is trivial. Unfortunately the web portal isn't mobile optimized, which was a surprise to me. I would have expected light, fast to use, and naturally mobile optimized site.

So if we get back to the Saaspass. They provide application for Mac & PC as well as mobile authentication applications for mobile phones iPhone (iOS), Android Phones and Windows Phone. First impression of the actual application is, wow, they have made so much work to get everything to this point. I also liked very much that the application didn't require excessively wide access rights (permissions). Also the list of supported authenticator(s) is awesome. So there's no need for the user to fine tune parameters of TOTP / HOTP / OATH / RFC6238 parameters. -  I just which more sites would actually support the QR code based login.

I tried SaasPass with Facebook just to see how things work out. But I assume this is a very nice solution for securing google apps (drive, etc) as well as Dropbox business logins as well as office 365, which has taken many business environments by storm. I almost forgot Salesforce, but I haven't ever used it, so it's easy to forget.

*)See next entry. What comes to SMS pin two-factor authentication, I'll find it quite annoying. So there's naturally room for improvement. Using mobile authentication in general, won't solve this problem, because the mobile security it self is on the way partly. Because now I first need to open password container, then I need to look for login name & password. After that I have to fill in the login form. Then I'll receive the SMS. Then I have to enter complex password to unlock the mobile phone. Then look for the two-factor password, then enter the password to computer, see that login is successful and then delete the SMS message. - That's very annoying. I often think, is this really worth of logging in. Because logging in itself is so annoying. Yes, security might be high, but especially for sites which you might like to login often, it's not fun at all. Actually this is one of the reasons, I'll try to log-in to some sites only weekly or on weekends.

But I can confess I'm using And I think they have made very much work to make it actually as secure as possible on modern mobile phones. Yet, it's usability is almost as bad as the previous item. First you'll need to enter the phone number to web site, then you'll have to unlock your phone. Yes, it's hard work if you use proper passwords, not four digit pins or some silly shapes or so. You'll need to wait for the authentication token. Then you'll need to give the private key unlock pin code to sign the token, and then wait for the signed token to get delivered back to server. Then server acknowledges your browser that it has received the token. Then the browser asks, that are you sure that you want to give this authentication token forward to this service, then click yet. And yeah, now you're done! Very simple, right? Well, not at all, slow and annoying. But at least it's very safe, as far as I know. Because Mobiilivarmenne is a lot safer than 99% of so called mobile authentication systems. It stored your private and key on SIM-card and requires PIN (not same as the regular SIM PIN) for access. - I'm only curious if it's still possible to steal the PIN with modified firmware on phone. This would also probably allow you to sign requests so that the user doesn't know about that at all. It's using Sim Application Toolkit features.

They also provide simple integration API for logging in, with login url (post) and instant registration. This is where the prefilled profile information comes handy. Many sites could provide easy login / account creation, but actually it's the collection of user data, which makes registration so painful. When data already exists in the authentication application, the registration process can be shortened greatly or in best case completely automated.

See: Saaspass FAQ. I also liked their FAQ because it doesn't contain bogus claims and also included information about potential but not so likely downfalls.
Also see: Developer page - There's just what I wanted to know, what kind of data is passed on when you register or login / sign-in / sign-on. I didn't try to create a service which would use Saaspass, but integrating it should be pretty trivial if required.

I personally do like very compact straight to the point documentation, but that's not enough. Basically with that documentation, you'll have to just try and see what the output is. I guess it's not hard from that to get the thing to work properly. But having it explicitly stated, instead of guessing from field names and data, is always better. (Although I'm way too used to guess.)

After using the Mobiilivarmenne, it became clear that they had thought many things that weren't clearly stated in the documentation. With the final user experience, you'll notice that many things were covered with I earlier (before using the application actually) speculated that could lack some vital elements.

More sites should support the QR code login. The TOTP authenticator solution can be used with 'any other similar applications'.

Last question? Would I use it? Yeah, why not. Looks good. Changes are I'm not going to use it, because I don't like 'extra apps'. But there aren't any particularly good reason why I wouldn't recommend this application for businesses and individuals looking for authentication solution with medium security requirements. And I'm now reminding that this is high security solution for normal users. My personal high security rating means, something what is tinfoil paranoid and NSA proof. ;)

Tags: Saaspass, OTP, TOPT, SSO (single sign-on), login, log-in, passwordless, secure, authentication, review, just few my of thoughts.

PyPy3, X-Road Europe, Google Dataflow, PyData, Google I/O, VLIV

posted Jul 12, 2014, 3:40 AM by Sami Lehtinen   [ updated Jul 12, 2014, 3:40 AM ]

Facebook, (FRA, NSA, BND), Sea cable, Algorithms, Stale lock, SSL/TLS, BI, OpenStreetMap/Nominatim

posted Jun 23, 2014, 12:09 AM by Sami Lehtinen   [ updated Jun 25, 2014, 12:06 AM ]

  • One research claimed that people don't especially trust Facebook and many other web services. That's exactly true. It's one of the reasons why LclBd service is NOT going to require user account or any user identifying information, except cookie / randomly generated user id. We're not asking for email, name or anything else. We think it's fair trade off, because in exchange we're asking for your location information to server you better with local content.Arstechnica writes that it's possible to snoop network traffic. Well, I did this trivially back in 1995 and nothing has changes since, except use of encryption. Yet during that time amount of different applications being used has exploded, and it's always possible to find a loophole to slip through.
  • Plan for Finland to build a sea cable to Germany to avoid FRA (+NSA) snooping seems to be pretty much a complete failure on some levels. NSA is also spying in Germany. Great plan! Ok, it was trivial to guess this already. See: BND
  • Decision tree - Checked it out, while implementing Bayesian filtering for LclBd. Bayes Theorem.
  • Carefully studied quarterly cyber security review by Finnish Cyber Security Bureau.
  • Encountered stale lock with Deluge BitTorrent client. Client didn't start, before I manually deleted the lock file. This is one of the reasons why I implemented my own locking lib, because I'm sick'n'tired of stale locks as well as issues that require manual intervention on servers. Things just should work, even if something hasn't worked exactly as assumed.
  • As we know SSL/TLS certificates are a huge mess. Maybe this new Online Certificate Status Protocol could solve the problem, my validating certificates online. Current problem is that nobody checks for certificate revocations and doing it is quite pointless because attacker can prevent checks when required if that seems to be appropriate action to do.
  • Software providers want to push BI services to smaller companies. I think that sales of BI systems alone isn't going to do it. There should be clear use cases where there are benefits to be gained. Adopting technology X won't bring anything else than costs, if it's not thought carefully what it's being used for. If suitable data sources are available, and there's even one competent and analytical person, it's highly probable that using something simple and efficient like Tableau will bring information insights for the organization. Implementing something rigid and expensive, is quite a bad plan.
  • OpenStreetMap/Nominatim reverse Geocoding gives strange results at times. How this query returns only the house number, no information about street, city, country, etc. - Actually they deleted the object it was referring to, before this post got published. So now it returns expected information.
  • Something different: Low probability intercept radar, Computer generated holography, Stealth technology, Passive radar, Multistatic radar.

Vacation fun, lot of mixed stuff links I've been reading and studying

posted Jun 17, 2014, 2:03 AM by Sami Lehtinen   [ updated Jun 18, 2014, 2:29 AM ]

BSBTC, ROTACS, Java 8, GAE, Birthday Pradox, Ubuntu, DDoS Mitigation

posted Jun 13, 2014, 4:20 AM by Sami Lehtinen   [ updated Jun 13, 2014, 4:23 AM ]

Summer vacation fun:

Blog backlog is still just growing. I'll try to extract it some rainy day, when having a right feeling to do it. It now contains 612 entries, aww.

1-10 of 160