Blog

My personal blog about stuff I do, like and am interested in. If you have any questions, feel free to mail me! My views and opinions are naturally my own and do not represent anyone else or any other organization.

SQLite3 performance, Python ORM, MongoDB, speed

posted Sep 26, 2014, 10:23 PM by Sami Lehtinen   [ updated Sep 26, 2014, 10:24 PM ]

I'm using SQLite for most of my projects, in production and for hobby. When a Python ORM is required, I'm using peewee. One of the most important features of SQLite is that it's included in the Python base libs. Another very important factor is that it's also faster than many other databases out there. What? Faster? Yes, because it runs in the process and doesn't require a context switch to proceed. So if I make 100k queries looking up information, it's probably faster using SQLite than other databases, which run in their own process.

Timing 100k reads from the database:
    MongoDB: 43.3 s
    SQLite:  19.4 s

Same test with 4 parallel threads:
    MongoDB: 29.9 s
    SQLite:  25.1 s

So as we can see, SQLite is much faster for single-thread batch processing than most other databases. With 4 concurrent threads SQLite is still faster than MongoDB.

For web sites, when using WAL mode, I can easily handle over 200 write transactions / second using a very light single-core VPS server with SSD. This means that it should be trivial to handle at least a few million hits / day, each with a few write transactions. Basically other things start to block, at least with that server, before the pure database lock, write, release cycle becomes the bottleneck.
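As an added example (not code from the post), a small Python benchmark in the spirit of the numbers above: it builds a temporary SQLite file in WAL mode, then times point lookups from one thread and from four threads, each thread on its own connection. The row count, payload and thread split are constructed here, and absolute timings will differ from the post's.

```python
import os
import sqlite3
import tempfile
import threading
import time

# Constructed sample workload: N rows with an integer key and a text payload.
N_ROWS = 20_000


def build_db(path, n_rows=N_ROWS):
    """Create the test database with one table keyed by its rowid.

    WAL journal mode is set here, as the post uses for its web-site workloads;
    it lets readers proceed while a writer commits.
    """
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA journal_mode=WAL")
    conn.execute("PRAGMA synchronous=NORMAL")
    conn.execute("CREATE TABLE kv (id INTEGER PRIMARY KEY, value TEXT NOT NULL)")
    with conn:  # one write transaction for the whole bulk insert
        conn.executemany(
            "INSERT INTO kv (id, value) VALUES (?, ?)",
            ((i, "payload-%d" % i) for i in range(n_rows)),
        )
    mode = conn.execute("PRAGMA journal_mode").fetchone()[0]
    conn.close()
    return mode


def lookup_loop(path, keys):
    """Do one point lookup per key on a private connection; return the hit count."""
    conn = sqlite3.connect(path)
    hits = 0
    for k in keys:
        row = conn.execute("SELECT value FROM kv WHERE id = ?", (k,)).fetchone()
        if row is not None and row[0] == "payload-%d" % k:
            hits += 1
    conn.close()
    return hits


def timed_reads(path, n_reads, n_threads):
    """Spread n_reads lookups over n_threads threads; return (seconds, hits).

    Each thread gets its own connection: sqlite3 connections must not be
    shared across threads without check_same_thread=False and external locking.
    """
    keys = [i % N_ROWS for i in range(n_reads)]
    chunks = [keys[i::n_threads] for i in range(n_threads)]
    results = [0] * n_threads

    def worker(idx):
        results[idx] = lookup_loop(path, chunks[idx])

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n_threads)]
    start = time.perf_counter()
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return time.perf_counter() - start, sum(results)


def run_benchmark(n_reads=100_000):
    """Build a temporary DB and time the single-thread vs. 4-thread read loops."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "bench.db")
    mode = build_db(path)
    single, hits1 = timed_reads(path, n_reads, 1)
    parallel, hits4 = timed_reads(path, n_reads, 4)
    return {"journal_mode": mode, "single_thread_s": single, "hits_single": hits1,
            "four_threads_s": parallel, "hits_four": hits4}


if __name__ == "__main__":
    r = run_benchmark()
    print("journal_mode=%s" % r["journal_mode"])
    print("1 thread : %.2f s (%d hits)" % (r["single_thread_s"], r["hits_single"]))
    print("4 threads: %.2f s (%d hits)" % (r["four_threads_s"], r["hits_four"]))
```

Note that the 4-thread case still competes for the Python GIL between queries, so it mostly shows the in-process cost the post talks about, not true CPU parallelism.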

Also check out this great link: SQLite: Small. Fast. Reliable. Choose any three.

Renewed server SSL cert & configuration

posted Sep 21, 2014, 6:25 AM by Sami Lehtinen   [ updated Sep 21, 2014, 6:55 AM ]

Renewed my server certs, new fingerprints are:

SHA-256 fingerprint:
BB:83:53:16:23:2D:A5:01:90:DA:2E:2C:51:D9:9A:64:66:F3:21:81:A0:95:CF:41:41:61:C3:D1:A3:00:15:2A

SHA-1 fingerprint:
A5:F8:E3:0F:3F:7B:EB:99:D3:4C:3D:09:39:4C:D0:86:C5:F6:D2:C6

These can be used for SMTP server cert fingerprinting, or you can use secure mode to communicate with my server, instead of opportunistic encryption without certificate authentication.

The cert is valid till 22.09.2015. As usual I also renewed the private keys, and now the whole cert chain is using SHA-2 / SHA-256. Also RSA keys are 4096 bit and Elliptic Curve keys are at least 256 bits. Ephemeral ECDHE or DHE session key negotiation is used whenever possible. But you'll see all that from the SSL Report.
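As an added example, not code from the post, here is a small Python client that pins an SMTP server's STARTTLS certificate to the SHA-256 fingerprint listed above, the way the post suggests using the fingerprints. The function names, the host/port arguments and the empty byte string used as a stand-in DER certificate in the offline checks are all constructed here.

```python
import hashlib
import hmac
import smtplib
import ssl

# Fingerprint taken from the post above; the pinning client compares the
# presented certificate against this SHA-256 value.
PINNED_SHA256 = ("BB:83:53:16:23:2D:A5:01:90:DA:2E:2C:51:D9:9A:64:"
                 "66:F3:21:81:A0:95:CF:41:41:61:C3:D1:A3:00:15:2A")


def normalize_fingerprint(fp):
    """Turn 'BB:83:..', 'bb83..' or 'BB 83 ..' into one lowercase hex string."""
    cleaned = fp.replace(":", "").replace(" ", "").strip().lower()
    if len(cleaned) % 2 or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("not a hex fingerprint: %r" % fp)
    return cleaned


def fingerprint_of(der_cert, digest="sha256"):
    """Hex digest of the DER-encoded certificate, as openssl and browsers show it."""
    if digest not in ("sha256", "sha1"):
        raise ValueError("unsupported digest: %s" % digest)
    return hashlib.new(digest, der_cert).hexdigest()


def fingerprint_matches(der_cert, pinned, digest="sha256"):
    """Constant-time comparison of the presented cert against the pinned value."""
    expected = normalize_fingerprint(pinned)
    actual = fingerprint_of(der_cert, digest)
    return hmac.compare_digest(actual, expected)


def check_smtp_pin(host, port=25, pinned=PINNED_SHA256, timeout=10):
    """Connect, STARTTLS and accept the server only if its cert matches the pin.

    CA validation is disabled on purpose: the pin is the trust anchor here,
    which is what the post means by authenticating the server by fingerprint
    instead of opportunistic, unauthenticated encryption. The pin is checked
    before any mail would be submitted. Returns the actual fingerprint.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # replaced by the explicit pin check below
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.starttls(context=ctx)
        der = smtp.sock.getpeercert(binary_form=True)  # DER bytes of leaf cert
    actual = fingerprint_of(der)
    if not fingerprint_matches(der, pinned):
        raise ssl.CertificateError("SMTP pin mismatch for %s: got %s" % (host, actual))
    return actual
```

Pinning this way makes certificate rotation a client-side change too, so the pinned value has to be updated on every renewal like the yearly one described in the post.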

Now Qualys SSL LABS SSL Report nicely says that my server is A+ class.

I haven't yet bothered to configure DANE as one of my friends has done. Configuring DANE or OCSP would be nice, but I think the weather is still too nice for that. But I have verified that my server properly uses DANE for domains which have it configured. So you can use tls_policy dane-only for such domains to verify that email isn't being sent without encryption.

Google Key Distribution End-to-End & CloudFlare Keyless SSL

posted Sep 21, 2014, 4:28 AM by Sami Lehtinen   [ updated Sep 21, 2014, 4:35 AM ]

Studied: Google Key Distribution End-to-End

My comment: This tells you that if they have such bad security on their systems, you shouldn't trust them with any secrets anyway! It's a common misunderstanding that using 'strong cryptography' would turn common people into high security experts. Even if you can very securely communicate with their devices, it really doesn't mean that the rest of the system or their personal behavior would be up to the required security level. I.e., software can't make things secure after all. It requires much more than that.

Keywords only: KeyDistribution High level key distribution / key discovery plans. Featured Updated Aug 15, 2014 by evn@google.com Overview Convergence and Certificate Transparency. End-to-End
Key Directory, Public Key, Identity Providers, Monitors, Revocation, Certificate Transparency, Verifiable Map, Defective, Malicious, Compromised, Transparency, verify fingerprints manually, caveats. Redundancy. To prevent this, a user could choose to register to the key directory in a way that doesn't allow key rotations (every new key must be signed by its previous key), but it has the inconvenience of not being able to recover after losing all copies and backups of a key. Bruteforce, OpenPGP Key Blocks,

Studied: CloudFlare Keyless SSL

My comment: Doing it is not special as they claim, see PKCS #11. Nice thing otherwise. I'm sure some of the largest CDN / network operators are doing something kind of similar, but they're not marketing it as well as CloudFlare. Many of these things have been done internally in many companies, but maybe they consider it a trade secret and are not boasting about it.

Keywords only: Keyless SSL: The Nitty Gritty Technical Details 19 Sep 2014 by Nick Sullivan. CloudFlare's Keyless SSL Transport Layer Security (TLS). Hardcore tech enthusiasts. Confidentiality and authentication. Securely communicating, symmetric encryption: strong block cipher, Authentication, public keys. Certificates, public key cryptography, technical details, web certificates, CFSSL. Secure Sockets Layer (SSL) protocol, Internet Engineering Task Force (IETF). RSA and Diffie-Hellman (DH). Modern cryptography, TLS handshake. Forward secrecy (FS, PFS), ECDSA, Elliptic curves,
elliptic curve DSA, random bytes. Nonce. “pseudorandom function”, Cipher suite, unique identifier, key establishment, hash function, Advanced Encryption Standard (AES), Cipher Block Chaining (CBC)
Secure Hashing Algorithm (SHA), Cipher Suite: “ECDHE-ECDSA-AES256-GCM-SHA384”, Elliptic Curve Diffie-Hellman Ephemeral (ECDHE), Elliptic Curve Digital Signature Algorithms (ECDSA), Galois/Counter mode (GCM), cipher suites. Server Name Indication (SNI), Key Exchange, validating, validation, session key, private key, premaster secret, Ephemeral Diffie-Hellman, modular arithmetic. Discrete logarithm, pre-master secret, security and performance, hardware security module (HSM), scale, load balancing, cryptographic oracle, X.509 Extended Key Usage, strongest ciphers available, round-trips, connection latency, persistent connections. Abbreviated handshake, session resumption, session tickets, session IDs, ID, ticket, advanced session resumption capabilities, worldwide session resumption. Keys rotated, rotating, key generator, Kyoto Tycoon. Anycast network, data center, caching, cache an encrypted, NGINX, authenticated replication. Reference implementation, persistent connections.

Thoughts after this reading & blogging keywords marathon? Well, actually Kindle creates a quite sparse highlights file. So I think I'll have to write a Python script which automatically parses, compacts and dedupes these dumps.

Windows 8.1 real power saving using hibernate option

posted Sep 20, 2014, 11:13 PM by Sami Lehtinen   [ updated Sep 20, 2014, 11:14 PM ]

Many claim that hibernate isn't required. But it is. In some specific use cases hibernate would be preferable because of the use environment and software. Software is very slow to start and requires complex login procedures. The environment requires extended battery life and there is no possibility to charge the devices. In this case hibernate is just what's required afaik. Application state is saved and there's really near zero power consumption.

Microsoft Windows [Version 6.3.9600]
 
C:\Users\Winblows>powercfg /?
 
POWERCFG /COMMAND [ARGUMENTS]
 
Description:
  Enables users to control power settings on a local system.
 
  For detailed command and option information, run "POWERCFG /? <COMMAND>"
 
Command List:
  /HIBERNATE, /H     Enables and disables the hibernate feature.
 
  /AVAILABLESLEEPSTATES, /A
                     Reports the sleep states available on the system.
 
C:\Users\Winblows>powercfg /A
The following sleep states are available on this system:
    Standby (Connected)
    Hibernate
    Fast Startup
 
The following sleep states are not available on this system:
    Standby (S1)
        The system firmware does not support this standby state.
        This standby state is disabled when connected standby is supported.
 
    Standby (S2)
        The system firmware does not support this standby state.
        This standby state is disabled when connected standby is supported.
 
    Standby (S3)
        The system firmware does not support this standby state.
        This standby state is disabled when connected standby is supported.
 
    Hybrid Sleep
        Standby (S3) is not available.
 
C:\Users\Winblows>powercfg /h
Invalid Parameters -- try "/?" for help
 
C:\Users\Winblows>

 

Why, why isn't sleep possible, even if the following sleep states are available? What am I doing wrong? I've read about 50 instructions and guides from the net about this problem. And all those are unfortunately really bad ones and do not actually work out. Even the manufacturer said that yes, it should be able to sleep, but alas, it doesn't work anyway.

Now, who's the real guru, and knows how to hibernate a Windows system?

The wonderful play goes on. Now the tablet is in safe mode, and doesn't allow logging in. Yes, a USB keyboard wasn't required after all for entering safe mode. After all, the on-screen keyboard does work in safe mode. But logging in using the Windows PIN login doesn't work, even if the option is available. This is ridiculous. Usability is unfortunately extremely bad with tablets with Windows 8.1.

It turns out that safe mode does offer and technically allow PIN login, but it doesn't work, so you can't log in using it after all. Lol. With a password it works and that's ok. After that it's possible to use the on-screen keyboard, which is extremely painful but does technically work. Using it I was able to run msconfig and also issue powercfg.exe /h on from the command line. Let's see if it helps at all.

I'll also try disabling fast boot, if it already uses hibernate partially for kernel stuff and so on. This doesn't affect the process in any way; leave fastboot on, it's ok.

After all this testing and tuning, it did seem that the best option is to create an idle timer task, which triggers shutdown.exe /h when the system has been unused for a certain time period. So it can first sleep for a while, like 15 minutes, and if nothing happens, then hibernate on demand.

Using schtasks from the command line is nice, but it doesn't offer enough parameters and flexibility in this case. So it won't let you configure the required parameters for this kind of task. Creating tasks was easy but not trivial using New-ScheduledTask and PowerShell scripting (ps1). Uuhh.

Now I finally have configured a large batch of tablets to hibernate when unused. This is a really important thing, because without hibernation the battery runs out ridiculously fast.

kw: sleep, Microsoft, Windows 8.1, hibernate, powercfg, power saving, scripting, tablet, tablets, battery life, drain, drains, draining, time, short, minimal, maximal, save, extended, extended.

Things which delay integration projects

posted Sep 20, 2014, 10:40 PM by Sami Lehtinen   [ updated Sep 20, 2014, 10:41 PM ]

Just a list of some of the little things, which often delay integration projects:

1. Integrator doesn't have any test cases or any data to execute tests on. Customer doesn't care to provide the required information to the integrator.
2. Integrator says that they're working on this project only on Fridays, or their key personnel are on vacation.
3. Integrator notices serious internal problems with their own product, and finding and fixing the problem takes an arbitrary amount of time.
4. Customer requires that some parts of the integration are done in a very specific way, which isn't supported by standard products. This leads to a situation where support for these things has to be added by all parties.
5. Integrator says that it's impossible to get something done like it's specified. Then the customer tells the integrator that it has to be done anyway. Integrator says it's impossible, but after having an external consultant view the problem, the integrator suddenly says that now it's possible. How can things that were impossible suddenly become possible? That's something which is very strange. Again time is lost and no progress is made during these fruitless negotiations.
6. Project management has agreed that thing X will be done, but everybody's ignoring the fact. But in the final testing before going live, or in some cases even after that, the question hangs around of how X can be done. Nobody has the answer, because everybody has been ignoring the fact that nobody's doing anything about it.

2014 summer reading topics, keywords and links

posted Sep 20, 2014, 10:35 PM by Sami Lehtinen   [ updated Sep 20, 2014, 10:52 PM ]

These are the topics I would have liked to write about, or share links to. But I just don't have time for it. So here's a really compact dump of interesting stuff.

I got so much summer reading, also in Finnish, that I'm just going to drop a very compact keyword dump here about topics I'm interested in and did read during my summer vacation. So if you're interested in some special topic, just contact me, and I'll tell more about it. Are you supposed to read this dump? - Nope, but if you found this page, just ask for more.

When I said that I've been out reading during the summer, I wasn't lying. Here's some of the stuff I've been reading during my summer out. This is one of the reasons why I haven't been inside coding, blogging and posting.

Books

Innovator's Dilemma (Clayton Christensen)

Richard S. Rosenbloom’s study of the transition by National Cash Register from electro-mechanical to electronic technology. (See Richard S. Rosenbloom, “From Gears to Chips: The Transformation of NCR and Harris in the Digital Era,” Working paper, Harvard Business School Business History Seminar, 1988). In this case, NCR was very late in its industry in developing and launching a line of electronic cash registers. So late was NCR with this technology, in fact, that its sales of new cash registers dropped essentially to zero for an entire year in the early 1980s. Nonetheless, the company had such a strong field service capability that it survived by serving its installed base for the year it took to develop and launch its electronic cash registers. NCR then leveraged the strength of its brand name and field sales presence to quickly recapture its share of the market.
Managers often sense that acquiring rather than developing a set of capabilities makes competitive and financial sense. The RPV model can be a useful way to frame the challenge of integrating acquired organizations. Acquiring managers need to begin by asking, “What is it that really created the value that I just paid so dearly for? Did I justify the price because of its resources—its people, products, technology, market position, and so on? Or, was a substantial portion of its worth created by processes and values—unique ways of working and decision-making that have enabled the company to understand and satisfy customers, and develop, make, and deliver new products and services in a timely way?
When disruptive change appears on the horizon, managers need to assemble the capabilities to confront the change before it has affected the mainstream business. In other words, they need an organization that is geared toward the new challenge before the old one, whose processes are tuned to the existing business model, has reached a crisis that demands fundamental change.
A separate organization is required when the mainstream organization’s values would render it incapable of focusing resources on the innovation project.
Managers whose organizations are confronting change must first determine that they have the resources required to succeed. They then need to ask a separate question: does the organization have the processes and values to succeed? Asking this second question is not as instinctive for most managers because the processes by which work is done and the values by which employees make their decisions have served them well.
The performance oversupply framework may help consultants, managers, and researchers to understand the frustrated comments they regularly hear from salespeople beaten down in price negotiations with customers: “Those stupid guys are just treating our product like it was a commodity. Can’t they see how much better our product is than the competition’s?” It may, in fact, be the case that the product offerings of competitors in a market continue to be differentiated from each other. But differentiation loses its meaning when the features and functionality have exceeded what the market demands.
The disruptive technology often succeeds both because it satisfies the market’s need for functionality, in terms of the buying hierarchy, and because it is simpler, cheaper, and more reliable and convenient than mainstream products.
Because established companies are so prone to push for high-performance, high-profit products and markets, they find it very difficult not to overload their first disruptive products with features and functionality.
Quicken dominates its market because it is easy and convenient. Its makers pride themselves on the fact that the vast majority of Quicken customers simply buy the program, boot it up on their computers, and begin using it without having to read the instruction manual. Its developers made it so convenient to use, and continue to make it simpler and more convenient, by watching how customers use the product, not by listening to what they or the “experts” say they need.
By watching for small hints of where the product might be difficult or confusing to use, the developers direct their energies toward a progressively simpler, more convenient product that provides adequate, rather than superior, functionality.
Cook decided that the makers of accounting software for small businesses had overshot the functionality required by that market, thus creating an opportunity for a disruptive software technology that provided adequate, not superior functionality and was simple and more convenient to use. Intuit’s disruptive Quickbooks changed the basis of product competition from functionality to convenience and captured 70 percent of its market within two years of its introduction. Disruptive technology should be framed as a marketing challenge, not a technological one.

Book: The Innovator's Solution (Clayton Christensen)

Assessing disruptive potential. Executives must answer three sets of questions to determine whether an idea has disruptive potential. The first set explores whether the idea can become a new-market disruption. For this to happen, answers to at least one and generally both of two questions must be positive:
* Is there a large population of people who historically have not had the money, equipment, or skill to do this thing for themselves, and as a result have gone without it altogether or have needed to pay someone with more expertise to do it for them?
* To use the product or service, do customers need to go to an inconvenient, centralized location?
If the technology can be developed so that a large population of less skilled or less affluent people can begin owning and using, in a more convenient context, something that historically was available only to more skilled or more affluent people in a centralized, inconvenient location, then there is potential for converting the idea into a new market disruption. The second set of questions explores the potential for a low-end disruption. This is possible if the answer is yes to two questions:
* Are there customers at the low end of the market who would be happy to purchase a product with less performance if they could get it at a lower price?
* Can we create a business model that enables us to earn attractive profits at the discount prices required to win the business of these overserved customers at the low end?
Often, the innovations that enable low-end disruption are improvements that reduce overhead costs, enabling a company to earn attractive returns on lower gross margins, coupled with improvements in manufacturing or business processes that turn assets faster.
“What do we need to master today, and what will we need to master in the future, in order to excel on the trajectory of improvement that customers will define as important?”
As the basis of competition shifts, companies must be able to learn new things, instead of clinging hopefully to the sources of past
Money needs to be impatient for profit. When new ventures are expected to generate profit relatively quickly, management is forced to test as quickly as possible the assumption that customers will be happy to pay a profitable price for the product. If a venture’s management can keep returning to the corporate treasury to fund continuing losses, managers can postpone this critical test and pursue the wrong strategy for a long time. Expectations of early profit also help a venture’s managers to keep fixed costs low. Early profitability also protects a growth venture from cutbacks when the corporate bottom line turns sour.
Launch new growth businesses regularly when the core is still healthy – when it can still be patient for growth – not when financial results signal the need.
* A strategy that targets customers and markets that look attractive to an established competitor is unlikely to succeed. Instead, the team should identify a niche segment that established competitors will be happy to ignore or be relieved to walk away from. This is a point which Peter Drucker also has made in his book, “Innovation and Entrepreneurship.”
* Serving customers who have not found the product they want so far makes a lot of sense. If there are no nonconsumers available, the team must explore whether at the low end of the market, there are customers who can’t use all the functionality for which they currently must pay.
* Innovation means putting ourselves in the shoes of customers. Companies must look for ways to help customers get done more conveniently and inexpensively what they have been trying to get done unsuccessfully in the past.
Indeed, if corporate management is desperate to make a new venture very big very fast, it means introducing a disruptive technology into an established market. Chances of success are remote.

ENISA Cloud Security

Gartner 2012: Almost 33% of the organisations polled are either already using or planning to use cloud based SaaS offerings to augment their Business Intelligence functions.
Amazon reports having customers like Zynga, Animoto, Reddit, MySpace, Netflix, Dropbox, airbnb, Ericssons, European Space Agency, HootSuite, IBM, Mahindra Satyam, Newsweek, UniCredit, Spiegel.Tv, PBS, Yelp, IMDB, Linden Labs, FourSquare, SmugSmug, Alexa, The Guardian, Farmville, Sitepoint, EventBrite. (See http://blog.deepfield.net/2012/04/18/how-big-is-amazons-cloud/; source document: Critical Cloud Computing CIIP Perspective on Cloud Computing.)
Rackspace 2011: By the end of 2011 Rackspace reportedly served 172,510 customers, including Transport of London, Virgin Trains, UK MoD, NHS Direct, Fiverr, Pitchfork, The Register, the Royal Navy, and TweetPhoto.
Google 2011: Google reports that Google Apps customers include US General Services Administration, Essilor, Ispen, BBVA Spain, Capgemini, SNL Financials, Salesforce.com, Essence, The Guardian, LSI Logic, The Telegraph, and so on.
Its set of customers includes Aer Lingus, Dow Chemicals, Hyatt Hotels, Univ. of Georgia, Los Angeles Community College District etc.
In 2012 the NASDAQ OMX Group announced the launch of FinQloud, a new cloud computing platform powered by Amazon Web Services and exclusively designed for the financial services industry.

PCI SSC Standard. Information Supplement * PCI DSS Cloud Computing Guidelines

For example, in a private-cloud deployment, an organization could either implement adequate segmentation to isolate in-scope systems from other systems and services, or they could consider their private cloud to be wholly in scope for PCI DSS. In a public cloud, the client organization and CSP will need to work closely together to define and verify scope boundaries, as both parties will have systems and services in scope.
It is recommended that data-security needs are evaluated for all types of information being migrated to a cloud environment, not only cardholder data. For example, operational data, security policies and procedures, system configurations and build standards, log files, audit reports, authentication credentials, cryptographic keys, incident response plans, and employee contact details are just some of the types of data with different security requirements that may need to be considered. If data security processes are not clearly defined and documented, the data may be unintentionally exposed or subject to unnecessary risk that could result in loss or inappropriate disclosure.
How are least-privilege and need-to-know determined for CSP personnel?

HIPAA check list

Do you have formal sanctions against employees who fail to comply with security policies and procedures?
Have you implemented procedures to regularly review records of IS activity such as audit logs, access reports, and security incident tracking?
Technical Safeguards:
Access Control. A covered entity must implement technical policies and procedures that allow only authorized persons to access electronic protected health information (e-PHI).
Audit Controls. A covered entity must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI.
Integrity Controls. A covered entity must implement policies and procedures to ensure that e-PHI is not improperly altered or destroyed. Electronic measures must be put in place to confirm that e-PHI has not been improperly altered or destroyed.
Transmission Security. A covered entity must implement technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network.
Deploy file integrity monitoring tools to alert personnel to unauthorized modification of critical components; those components may contain system files, configuration files or content files.

The Dangers of Surveillance (Neil M. Richards)

The NSA is building a massive supercomputing facility in the Utah desert, possibly with the goal of capturing and archiving much of the world’s Internet traffic, with a view to decrypting and searching it as decryption technologies inevitably advance.
But in a postmodern age of “liquid surveillance,”
Panopticon, a prison designed around a central surveillance tower from which a warden could see into all of the cells. In the Panopticon, prisoners had to conform their activities to those desired by the prison staff because they had no idea when they were being watched.
The fear of being watched causes people to act and think differently from the way they might otherwise.
For example, one study of the EU Data Retention Directive notes that “[u]nder pervasive surveillance, individuals are inclined to make choices that conform to mainstream expectations.”
the coercive effects of monitoring by our friends and acquaintances are much more common.

Bitmessage: A Peer to Peer Message Authentication and Delivery System. Jonathan Warren, bitmessage@jonwarren.org, www.Bitmessage.org

Securing The Cloud

Securing the Cloud: Cloud Computer Security Techniques and Tactics. Vic (J.R.) Winkler; Technical Editor Bill Meine.
The term Defense in-depth in computer and network security was first documented in a 1996 paper, Information Warfare and Dynamic Information Defense, and was adopted from military operations. This approach has been used for system and network security under a number of names, including layered defense.
Overview of cloud security monitoring architecture. PLANNING KEY STRATEGIES FOR SECURE OPERATION
While the use of encryption is a key component for cloud security, even the most robust encryption is pointless if the keys are exposed or if encryption endpoints are insecure.
Security triad (confidentiality, integrity, and availability) along with risk tolerance drives the nature of data protection mechanisms, procedures, and processes.
Provider Personnel with Privileged Access. Another risk to cloud data security has to do with a number of potential vectors for inappropriate access to customer sensitive data by cloud personnel. Plainly stated, outsourced services—be they cloud-based or not—can bypass the typical controls that IT organizations typically enforce via physical and logical controls. This risk is a function of two primary factors: first, it largely has to do with the potential for exposure with unencrypted data and second, it has to do with privileged cloud provider personnel access to that data. Evaluating this risk largely entails CSP practices and assurances that CSP personnel with privileged access will not access customer data.
For data in motion, encryption keys can be ephemeral, whereas for data at rest, keys must be retained for as long as the stored data is kept encrypted.
When you need to use cryptography in your cloud implementation, remember: * Developing cryptographic algorithms is a specialized and difficult challenge. * Correctly implementing cryptography in software is nearly as difficult. * Many products use cryptography in deeply flawed ways. * A single flaw in cryptography undermines security, much as a weak link compromises the integrity of the entire chain. * Many commercial and free cryptographic products have been shown to be insecure. There is a long history of products that do not work as claimed, products that are flawed, and products that use algorithms that have not been subjected to the test of time or the scrutiny of other cryptographers. Based on past experiences, it is wise to be skeptical about claims regarding a new product with a revolutionary or patent-pending cryptographic algorithm or some secret technique. The road to better cryptography is littered with products that failed to meet some or all advertised claims. * Especially to be avoided are products that use secret cryptographic algorithms. Pick a cryptographic solution that is based on a recognized algorithm that has withstood the test of time and whose implementation has been tested by a recognized testing organization. * Pick a known product that uses a thoroughly vetted algorithm and obtain it through secure means—don’t download cryptographic or security software from Internet-based servers without the means to verify the content.
Asymmetric cryptography (also known as public–private key cryptography),
Using FTP, telnet, or HTTP rather than a secured version of these plaintext protocols is simply negligent. Network packet sniffing is a pastime on many machines that take part in sending packets back and forth between your laptop and a cloud-based service. Although these protocols should have been retired long ago, they are still common and being available they are used. No cloud implementation should allow these, and they should probably all be blocked as services.
But all are based on a combination of authentication factors: something an individual knows (such as a password), something they possess (such as a security token), or some measurable quality that is intrinsic to them (such as a fingerprint).
Federated identity management (FIM) is an effective foundation for identity in cloud computing.
April 2010 Domain 12: Guidance for Identity & Access Management V2.1 that was prepared by the Cloud Security Alliance (www.cloudsecurityalliance.org/guidance/csaguide-dom12.pdf).
* Discretionary Access Control (DAC): In a system, every object has an owner.
* Mandatory Access Control (MAC): Access policy is determined by the system and is implemented by sensitivity labels, which are assigned to each subject and object.
* Role Based Access Control (RBAC): Access policy is determined by the system. Where with MAC access is based on subject trust or clearance, with RBAC access is based on the role of the subject. A subject can access an object or execute a function only if their set of permissions—or role—allows it.
Figure 5.5 depicts this point by contrasting MAC with discretionary access controls (DAC) and role-based access controls (RBAC).
Data Categorization and the Use of Data Labels Putting in place effective and appropriate controls for information systems requires an understanding of the nature of the information. In this regard, sensitive or otherwise valuable data should be categorized to support data security. By identifying data according to sensitivity, one can implement various strategies to better protect such data. Unfortunately, understanding what other cloud data may require protection may not always be clear.
Procedures are also necessary for security across phases of the data life cycle, for instance, to limit exposure of such data when we create copies or backups. Also, we need mechanisms to detect when the valuable resource is accessed in ways that warrant concern. Data or information labeling is one information security technique that has been used to great success for classified information such as the hierarchical categories of Unclassified, Confidential, Secret, Top Secret, and Compartmented.
a relatively small percentage of sensitive data is mixed in with far more nonsensitive data and is accessible to anyone with overall access. Failing to identify sensitive data complicates incident resolution and can be problematic when compromised data includes data subject to regulatory controls.
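Since both the DAC/MAC/RBAC notes and the data-labelling notes above describe the same machinery from two sides, here is one added example (mine, not the book's or the CSA's code) that puts them together: a label lattice with the hierarchy quoted above plus compartments, the Bell-LaPadula "no read up, no write down" rules for MAC, a role table for RBAC and an owner/ACL check for DAC. The compartment names, subjects, object, roles and ACL are constructed for the example.

```python
"""Mandatory (label-based), role-based and discretionary access checks.

Added example, not code from the page or from the CSA guidance it cites.
Level names are the hierarchy quoted on the page; everything else here is
constructed for the example.
"""
from dataclasses import dataclass

# Hierarchical levels, lowest to highest. Compartments add a second,
# set-valued dimension, which is what "Compartmented" refers to.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        """Lattice order: at least as high a level AND a superset of compartments.
        Labels with disjoint compartments are incomparable: neither dominates."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def mac_allows(clearance, label, op):
    """MAC (Bell-LaPadula): read needs the clearance to dominate the label
    (no read up); write needs the label to dominate the clearance (no write
    down), so a Secret-cleared process cannot copy data into an Unclassified file."""
    if op == "read":
        return clearance.dominates(label)
    if op == "write":
        return label.dominates(clearance)
    raise ValueError(f"unknown operation {op!r}")


# RBAC: permissions hang off roles, never directly off subjects.
ROLE_PERMISSIONS = {
    "analyst": {("report", "read")},
    "editor": {("report", "read"), ("report", "write")},
    "auditor": {("audit_log", "read")},
}


def rbac_allows(roles, obj_name, op):
    return any((obj_name, op) in ROLE_PERMISSIONS.get(role, set()) for role in roles)


def dac_allows(owner, acl, subject, op):
    """DAC: the owner holds all rights and grants others through the ACL."""
    return subject == owner or op in acl.get(subject, set())


# Constructed scenario: one object checked under all three models.
REPORT = {
    "label": Label("Secret", frozenset({"CRYPTO"})),
    "owner": "alice",
    "acl": {"bob": {"read"}},
}
SUBJECTS = {
    "alice": {"clearance": Label("Top Secret", frozenset({"CRYPTO"})), "roles": {"editor"}},
    "bob":   {"clearance": Label("Secret"), "roles": {"analyst"}},
    "carol": {"clearance": Label("Top Secret", frozenset({"CRYPTO", "SIGINT"})), "roles": {"auditor"}},
}


def authorize(subject, obj, obj_name, op):
    """Access only if every model in force permits it; the label check is the
    one that an owner's discretionary grant cannot override."""
    s = SUBJECTS[subject]
    return (mac_allows(s["clearance"], obj["label"], op)
            and rbac_allows(s["roles"], obj_name, op)
            and dac_allows(obj["owner"], obj["acl"], subject, op))


if __name__ == "__main__":
    for who in SUBJECTS:
        for op in ("read", "write"):
            print(f"{who:>6} {op:5} report: {authorize(who, REPORT, 'report', op)}")
```

Worth noticing in the output: alice owns the report and holds the editor role, yet cannot write to it, because her Top Secret clearance dominates the Secret label and writing down is exactly what the label system exists to stop; bob has an explicit ACL grant and the right role but lacks the CRYPTO compartment, so the label says no. That is the practical difference between "the owner decided" and "the system decided".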
The site sidechannelattacks.com has an extensive list of different types of side channel attacks.
No matter how security conscious Facebook subscribers were, they were exposed simply because their data was in the Facebook service.
a. Clearing. Clearing is the process of eradicating the data on media before reusing the media in an environment that provides an acceptable level of protection for the data that was on the media before clearing.
b. Sanitization. Sanitization is the process of removing the data from media before reusing the media in an environment that does not provide an acceptable level of protection for the data that was on the media before sanitizing.
If a subscriber deletes a portion of the data and the cloud provider backs up that data every night to tape and archives tapes for 6 months, that data exists well past the point that the subscriber deleted it, and the subscriber cannot do anything to influence this.
A common data masking technique involves substitution of actual data values with keys to an external lookup table that holds the actual data values.
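The substitution-with-lookup-keys technique is what is usually sold as tokenization. As an added example (mine, not the book's), here is the whole of it: random tokens replace the sensitive fields, the token-to-value map lives in a separate vault that the masked dataset never carries, and a leak check confirms no original value survives anywhere in the output. The records, field names and values are constructed for the example.

```python
"""Data masking by substitution with lookup keys (tokenization).

Added example, not the page's own code. Records, field names and values are
constructed; the vault stands in for the "external lookup table" the page
describes.
"""
import secrets


class TokenVault:
    """Holds the only copy of the real values. In production this store is
    separately hosted and access controlled; the masked dataset never leaves
    with it."""

    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}

    def tokenize(self, value):
        # Same value -> same token within one vault, so joins and duplicate
        # detection on the masked data still work.
        token = self._value_to_token.get(value)
        if token is None:
            # The token is random, not a hash of the value: without the vault
            # there is nothing to invert or to brute-force from a short value.
            token = "tok_" + secrets.token_hex(8)
            while token in self._token_to_value:
                token = "tok_" + secrets.token_hex(8)
            self._token_to_value[token] = value
            self._value_to_token[value] = token
        return token

    def detokenize(self, token):
        return self._token_to_value[token]


SENSITIVE_FIELDS = ("card_number", "ssn", "email")


def mask_records(records, vault, fields=SENSITIVE_FIELDS):
    """Return copies of the records with the sensitive fields replaced by tokens."""
    masked = []
    for record in records:
        copy = dict(record)
        for name in fields:
            if copy.get(name):
                copy[name] = vault.tokenize(copy[name])
        masked.append(copy)
    return masked


def leaked_values(masked, records, fields=SENSITIVE_FIELDS):
    """Check that no original sensitive value survives anywhere in the masked
    output, including in fields nobody thought to mask (free-text notes etc.)."""
    originals = {r[name] for r in records for name in fields if r.get(name)}
    blob = repr(masked)
    return sorted(v for v in originals if v in blob)


# Constructed sample data; records 1 and 3 are the same customer.
SAMPLE_RECORDS = [
    {"id": 1, "name": "A. Customer", "email": "a@example.com",
     "card_number": "4111111111111111", "ssn": "123-45-6789"},
    {"id": 2, "name": "B. Customer", "email": "b@example.com",
     "card_number": "5500000000000004", "ssn": None},
    {"id": 3, "name": "A. Customer", "email": "a@example.com",
     "card_number": "4111111111111111", "ssn": "123-45-6789"},
]


if __name__ == "__main__":
    vault = TokenVault()
    masked = mask_records(SAMPLE_RECORDS, vault)
    for row in masked:
        print(row)
    print("leaked:", leaked_values(masked, SAMPLE_RECORDS))
```

Two caveats a practitioner wants stated: deterministic tokens preserve joins but also preserve frequency (the same customer is recognisable across rows), and the vault becomes the one thing worth stealing, so it gets the strongest controls in the system, not the weakest.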
Oracle Exadata
Avoiding Cloud Lock-in
The biggest risks to your data may well reside with the CSP personnel accessing your data or mishandling your data in its various forms.
* A sound security strategy
CHAPTER 6 Securing the Cloud: Key Strategies and Best Practices
In contrast, implementing only marginal security is asking for trouble, and trouble will most likely come in the form of much higher remediation costs along with excessive damages.
* Implement Security Controls This involves architecture, engineering, and expertise in the placement and configuration of security controls.
* Assess Security Controls This step seeks to determine the effectiveness of implemented controls and involves verifying that controls are correctly implemented and operating as intended.
* Periodic Review and Update Security measures must be reviewed on a periodic basis to determine their continuing efficacy in light of mission and operational changes.
As stated above, cost savings in operations will largely stem from the planning and implementation phases.
An Information Security Framework)
NIST Special Publication 800-53 Revision 3, Recommended Security Controls for Federal Information Systems and Organizations
ID  Family                                  Class
AC  Access control                          Technical
AT  Awareness and training                  Operational
AU  Audit and accountability                Technical
CA  Security assessment and authorization   Management
CM  Configuration management                Operational
CP  Contingency planning                    Operational
IA  Identification and authentication       Technical
IR  Incident response                       Operational
MA  Maintenance                             Operational
MP  Media protection                        Operational
PE  Physical and environmental protection   Operational
PL  Planning                                Management
PS  Personnel security                      Operational
RA  Risk assessment                         Management
SA  System and services acquisition         Management
SC  System and communications protection    Technical
SI  System and information integrity        Operational
PM  Program management                      Management
FIGURE 6.2 NIST's security control classes, families, and identifiers.
Infosec management program, full-spectrum policies, technical controls,
Capability Maturity Model (CMM, Chapter 1) and the Information Technology Infrastructure Library (ITIL) with its best practices for IT service management.
a lightweight set of homegrown best practices
Implementing compensating security controls around poorly designed applications or systems does not guarantee any result other than greater complexity.
Security controls must not only be appropriate but also be effective and easy to comprehend and navigate by users and administrators.
The need for a sound security policy cannot be over emphasized.
Threat Categorization, Threat Impact, Threat Frequency along with the Uncertainty Factor of getting the first three right.
Risk analysis and orient the selection of security controls (security life cycle), Risk management. Use Case Discussion Group Service Automation, Workload and Service Management, and Security Practices. Key Strategies and Best Practices, Private Clouds: Motivation and Overview, Business Continuity and Disaster Recovery, SAS70, ISO 27001/2,
PCI A standard, Cloud Security Alliance (CSA),
Business Continuity
Recovery point objective (RPO) is the maximum amount of data loss that is acceptable after a data loss incident. This is expressed in terms of time, namely the point in time before the event back to which data can be successfully recovered. In other words, the time of the most recent reliable backup. Recovery Time Objective (RTO) is the maximum amount of time that is acceptable for restoring and regaining access to data after a disruption. Factored into RPO and RTO are loss of revenue and the extent to which a disrupted process impacts business continuity. RPO and RTO will vary widely, depending on the requirements of the business function.
Security Information and Event Management (SIEM), sometimes also known as Security Event Management (SEM). SIEM can be very expensive, but it addresses several key security needs.
As a result, this team is often called a security operations center (SOC) and not a network operations center (NOC). Concept called coresidence.
Foundational security: Policy, standards, and guidelines; Transparency; Personnel security; Third party providers
Defense in depth: Software assurance; Network security; Host and VM security; PaaS and SaaS; Identity and access management; Authentication; Key management; Cryptography
Operational security: Data center: Physical security; Data center: Power and networking; Data center: Asset management; Operational practices; Incident management
Business considerations
These include business continuity planning along with contingency and disaster recovery planning. There are many sources for these areas, including:
Good Practice Guidelines can be downloaded from: www.thebcicertificate.org/bci_gpg.html
* And the Business Continuity Institute is located at
* The Cloud Security Alliance:
  * www.cloudsecurityalliance.org
  * www.linkedin.com/groups?mostPopular=&gid=1864210
  * http://groups.google.com/group/cloudsecurityalliance
* CloudAudit:
  * www.cloudaudit.org/
  * http://groups.google.com/group/cloudaudit
* The Trusted Computing Group:
  * www.trustedcomputinggroup.org/solutions/cloud_security
  * www.linkedin.com/groups?mostPopular=&gid=3254114
* CloudSecurity.org (http://cloudsecurity.org/forum/index.php) is not very active but has
With all these cloud security groups, one of the best ways to stay informed is to join the major high-level cloud interest groups and follow general trends in the field. Periodic research via web searching should identify other specific interest area groups as they arise.
Complex steps and procedures are generally not optimized, and by their nature, they present greater opportunity for error and failure. By contrast, simpler and more atomic steps can be more robust and reliable.
Information Security Management
In the 1990s, the Information Security Forum (ISF) published the Standard of Good Practice (SoGP), which identified a comprehensive set of information security best practices.
ISO/IEC 27002 and COBIT.

Index of the book:
Introduction to Cloud Computing and Security. Understanding Cloud Computing, Cloud Scale, Patterns, and Operational Efficiency, Synergistic Trick 3 Elasticity, Shape Shifting, and Security. The IT Foundation for Cloud Cloud Computing as Foundation for Cloud Services. Cloud Computing Qualities. The Bottom Line. An Historical View: Roots of Cloud Computing. Decentralization and Proliferation. Networking, the Internet, and the Web. Virtualization. A Brief Primer on Security: From 50,000 ft. Terminology and Principles. Risk Management. Security Must Become a Business Enabler. A Brief Primer on Architecture. Systems Engineering. IT Architecture. Security Architecture: A Brief Discussion. Defense in Depth. Cloud Is Driving Broad Changes. Cloud Works Today. Valid Concerns. Cloud Computing Architecture. Cloud Reference Architecture. Revisiting Essential Characteristics. Cloud Service Models. Cloud Deployment Models. Control over Security in the Cloud Model. Cloud Application Programming Interfaces (API). Making Sense of Cloud Deployment. Public Clouds. Private Clouds. Community Clouds. Hybrid Clouds. Making Sense of Services Models. Cloud Software-as-a-Service. Cloud Platform-as-a-Service. Cloud Infrastructure-as-a-Service. How Clouds Are Formed and Key Examples. Using Virtualization to Form Clouds. Using Applications or Services to Form Clouds. Real-world Cloud Usage Scenarios. Virtualization Formed Clouds. Application/Service Formed Clouds. Hybrid Cloud Models. Security Concerns, Risk Issues, and Legal Aspects. Cloud Computing: Security Concerns. A Closer Examination: Virtualization. A Closer Examination: Provisioning. A Closer Examination: Cloud Storage. A Closer Examination: Cloud Operation, Security, and Networking. Assessing Your Risk Tolerance in Cloud Computing. Assessing the Risk. Information Assets and Risk. Privacy and Confidentiality Concerns. Data Ownership and Locale Concerns. Auditing and Forensics. Emerging Threats. So, Is It Safe? 
Legal and Regulatory Issues. Third Parties. Data Privacy. Litigation. Securing the Cloud: Architecture. Security Requirements for the Architecture. Physical Security. Cloud Security Standards and Policies. Cloud Security Requirements. Security Patterns and Architectural Elements. Defense In-depth. Honeypots. Sandboxes. Network Patterns. The Importance of a CMDB, Cabling Patterns. Resilience and Grace. Planning for Change. Cloud Security Architecture. Cloud Maturity and How It Relates to Security. Jericho Forum. Representative Commercial Cloud Architectures. Representative Cloud Security Architectures. Planning Key Strategies for Secure Operation. Classifying Data and Systems. Define Valid Roles for Cloud Personnel and Customers. Securing the Cloud: Data Security. Overview of Data Security in Cloud Computing. Control over Data and Public Cloud Economics. Organizational Responsibility: Ownership and Custodianship. Data at Rest. Data in Motion. Common Risks with Cloud Data Security. Data Encryption: Applications and Limits. Overview of Cryptographic Techniques. Common Mistakes or Errors with Data Encryption. Cloud Data Security: Sensitive Data Categorization. Authentication and Identity. Access Control Techniques. Data Categorization and the Use of Data Labels. Application of Encryption for Data at Rest. Application of Encryption for Data in Motion. Impediments to Encryption in the Cloud. Deletion of Data. Data Masking. Cloud Data Storage. Cloud Lock-in (the Roach Motel Syndrome). Metadata. Avoiding Cloud Lock-in (the Roach Motel Syndrome). Securing the Cloud: Key Strategies and Best Practices. Overall Strategy: Effectively Managing Risk. Risk Management: Stages and Activities. Overview of Security Controls. Cloud Security Controls Must Meet Your Needs. NIST Definitions for Security Controls. Unclassified Models. Classified Model. The Cloud Security Alliance Approach. The Limits of Security Controls. Security Exposure Will Vary over Time. Exploits Don’t Play Fair. 
Best Practices for Cloud Computing: First Principals. Best Practices across the Cloud Community. Other Best Practices for Cloud Computing: Cloud Service Consumers. Other Best Practices for Cloud Computing: Cloud Service Providers. Security Monitoring. The Purpose of Security Monitoring. Transforming an Event Stream. The Need for C.I.A. in Security Monitoring. The Opportunity for MaaS. Security Criteria: Building an Internal Cloud. Private Clouds: Motivation and Overview. Security Implications: Shared versus Dedicated Resources. Considerations for Achieving Cost Savings. Private Clouds: The Castle Keep? Analysis to Support Architecture Decisions. Security Criteria for Ensuring a Private Cloud. Network Considerations. Data Center Considerations. Operational Security Considerations. Regulation. Security Criteria: Selecting an External Cloud Provider. Selecting a CSP: Overview of Assurance. Vendor Claims and Independent Verification. Selecting a CSP: Vendor Transparency. Selecting a CSP: Overview of Risks. Risk Will Vary by Customer and by CSP. Assessing Risk Factors. Selecting a CSP: Security Criteria. Security Criteria: Revisiting Defense-in-depth. Security Criteria: Other Considerations. Additional Security-relevant Criteria. Evaluating Cloud Security: An Information Security Framework. Evaluating Cloud Security. Existing Work on Cloud Security Guidance or Frameworks. Checklists for Evaluating Cloud Security. Foundational Security. Business Considerations. Defense-in-depth. Operational Security. Metrics for the Checklists. Operating a Cloud. From Architecture to Efficient and Secure Operations. The Scope of Planning. Physical Access, Security, and Ongoing Costs. Logical and Virtual Access. Personnel Security. From the Physical Environment to the Logical. Bootstrapping Secure Operations. The Refinement of Procedures and Processes over Time. Efficiency and Cost. Security Operations Activities. Server Builds. Business Continuity, Backup, and Recovery. 
Managing Changes in Operational Environments. Information Security Management. Vulnerability and Penetration Testing. Security Monitoring and Response. Best Practices. Resilience in Operations. Summary. Endnotes. Index.

57 Startup Lessons

Fire people that are difficult, unproductive, unreliable, have no product sense, or aren’t pragmatic. Do it quickly.
Book: Career - Jim Rohn
“Time is our most valuable asset, yet we tend to waste it, kill it, and spend it rather than invest it.”
If you are a product manager – you are not facing the most important challenge of a real product manager (building such a product so great that even a lack of distribution capability doesn’t inhibit its success).

Startup School

I often advise startups that it's better to seek deep appeal, to create something that a few people love, even if most people don't get it right away.
The Technology Note: This is the talk I gave at Startup School Europe, which was held last Saturday in London.
This is the danger of experience. We already know better, we already know that an idea or business won't work.
startup founders.
In 1997, Larry and Sergey tried to sell Google for a million dollars. Fortunately, they were unable to find a buyer.
To be innovative in our work, we need to evade the limitations of established thinking.
Creating an innovative new product often means spending years working on something that most people doubt the value of.
Our days are full of spare moments. Instead of filling them with Flappy Bird or Facebook, take the opportunity to find a calm and clear mind.
Which leads me to pattern number five: Love what you do.
It's less about changing what you do, and more about changing how you do it.

The Art Of Profitability

Read book: Adrian Slywotzky's The Art of Profitability

Keyword & notes listing:
A profitable business, founders, aspiring founders, investors, and employees would find this book valuable and practical. The path to profitability lies in understanding your customer. Different segments of customers want different levels of quality/service and have different abilities to pay. SaaS businesses follow this profit model. Customers can have different price sensitivities for the same item in different contexts. In contexts where assembling a package of related goods and services takes a lot of effort, customers will pay a premium for pre-assembled packages. In some markets, the path to profit is to produce blockbusters. The movie industry is one such market; the pharmaceutical industry is another one. R&D can be a huge money loser if you are doing research in the wrong areas or in an area not worth researching. It's a shame when someone invests a lot of time and money into developing a product that people don't want. You can improve the effectiveness of R&D by increasing the amount of profit that successful projects produce. This is especially true in software businesses where different product lines can share a lot of code and infrastructure. If you understand a problem better than anyone else, you'll be able to create better products, and customers will pay a premium to work with you. Become a domain expert in a new discipline, then use your expertise to generate profits. Customers who already use your products are a great market for upgrades, add-ons, related products, and so on. One particularly effective business model is to sell products at a low profit margin, then sell add-ons, consumables, upgrades, support plans, and so on at higher profit margins. Specialty products usually earn much higher margins than commodity products (although not for long). Unique products that serve a small niche can make a ton of money, especially in the absence of competition.
Having a near-monopoly in one geographic area can be more profitable than owning a small piece of the market across many locales. If you're competing with a lot of companies for the same location, profits plummet (or go negative). The higher your market share, the more advantages you have in terms of cost structure, distribution, marketing cost per unit, R&D cost per unit, and so on. The biggest player in the market can spread their fixed costs across many more units, which provides the flexibility to decrease prices or increase advertising spend or take other actions that make it even harder for others to compete. Is there a core asset you can repackage into different products? Do customers have different price sensitivities for your product in different markets? Can you sell your product as part of a pre-assembled bundle to save your customers from integration headaches? And so on.

Misc stuff read

"Google: Maintain a healthy disregard for the impossible. "
"How Successful People Stay Calm"
"Emotional Intelligence 2.0"
"Go Lang FAQ - Of course, implementing garbage collection in a concurrent environment is itself a challenge, but meeting it once rather than in every program helps everyone."

Keywords & Topics

Keywords from summer reading: identity in the cloud, cloud user identity, identification, trust, confidential, tools, technology, instruments, alternatives, pin-codes, users, security, authentication, user directory, authentication service in the cloud, Microsoft applications, own applications, third-party applications, digital identity, identity, local, locally, SSAML, WS_Federation, BYOD, federation, authentication, synchronization, hybrid model, technological, cost, ID, costs, API. www.identityblog.com, tax return, private individual, online, tax officials, routine, filling in, fill in, productivity, simple, easy to use, easily, Digia, ALVEU service, EU, payment traffic, payments, online payment, paying online, payment card crime, prevention, crime situation monitoring, secure payment, securely, paying, cybercrime, network, crime, crimes, online, PCI DSS (Payment Card Industry Data Security Standard), data traffic, data, credit card, credit cards, processing, handling, transaction, transactions, online shop, online shops, IP, MAC, buying, purchases, buy, SEPA, EMV, PaySafeCard, wallet, NFC, infrastructure, virtual wallet, virtual wallets, bitcoin, network expert, web expert, wiki, web service, wireframe, wireframing, electronic application, submitting an application electronically, submission, signature, signing, electronic, confirm, confirmation, material, materials, role, communication, organization, organizations, store, storage, share, sharing, organize, organizing, material bank, material banks, media bank,
image bank, scalability, scalable, scaling, automatic, automatically, access right, access rights, secure, securely, safety, security, information security, infosec, comsec, online services, using services online, project manager, commitment, customer (ordering party), representing the customer, representation, core process, core processes, operating practices, specification, defining, setting policy, policies, policy line, scoping, scope, operationally, operational, operate, operations, maintenance, maintenance process, process reform, paradigm, paradigm shift, target state, goals, desired state, business process re-engineering, heterogeneous, user base, expert, experts, steering group, contracts, contractual, project administration, decisions, decision making, decision maker, requirements specification, market survey, market mapping, competitive tendering, tendering, IT management, IT department, request for proposal, RFP, comparison of tenders, agile, fully agile, satisfied, project management, project management triangle, parallel use, costs, cost, deployment, going into production, in production, open knowledge, democracy, data resources, security, securing, open, opening, modeling, model, TOGAF, ARIS, IT, developer, developing, developers, data quality,
improvement, improve, make more efficient, efficiency improvement, enterprise architect, enterprise architecture, enterprise architects, demo, demo system, plug-in, SOA/ESB, modular, modularity, network, networking, network model, project director, project leadership, productivity, innovation, innovations, innovate, distributed, distribute, project professionals, project professional, hobby, as a hobby, agility, agilely, project benefits, quality management, information system procurement, programme management, kanban, lean, business intelligence, software development, risk management, agile change, kaizen, market research, Scaled Agile Framework, SAFe, holistic, holistically, project portfolio, projects, project, crowdsourcing, crowdsourced, Kaikaku, improvement, improvements, systematic, systematically, modern, accelerate, accelerating, information architecture, CIO, productivity programme, analysis, analyze, parallel study, inquiry, concept model, party, relationship, automation, automatically, ict2015.fi, service architecture, real-time economy, open data, big data, ecosystem, industrial, industry, automation, earnings register, software product, productization, productize, product, product life cycle, ALM (Application Lifecycle Management), portfolio, product manager (Product Owner), product team, multisite,
multivendor, multiproduct, model, self-organizing teams, agile manifesto, ordering, order, deliver, delivery, partnership, documentation, document, documenting, response time, service quality, SLA, measure, measuring, measurement, key figures, linear, linearly, phase model, iteratively, iterative, iterate, iteration, iterations, information security, needs assessment, testing, security level, audit, audited, security requirements, system development process, system development processes, regulatory requirements, evaluation criteria, usability, usable, criticality level, protection level, protection, criticality, critical, review, reviewing, code library, code libraries, strategy, strategically, legislative requirements, requirements, requirement, legislation, information governance, information governance plan, governance plan, processing rule, processing rules, information security, planning, plan, design, in the system development process,
deployment inspection, testing, testing phase, deployment, deployed, maintenance documentation, maintaining documentation, security inspection, security checking, inspected, inspect, security review, security reviews, physical, monitoring, supervising, water-scrum-fall, structure, structures, on-demand, development model, ICT, systems work, systems worker, entrepreneur, entrepreneurship, startup, company, companies, technology industry, technology, service architecture, field, sector, working group, working groups, growth company, growth companies, software entrepreneur, software company, founding a company, software expertise, software industry, software companies, software entrepreneurs, turnover, payroll, innovators, export supplier, sector, hourly work, consultant, consulting, consult, consultants, expert service, expert services, skilled professionals, professional, consulting company, competence development, continuous learning, study, develop, development, self-development, new technologies, learning, consultant, business, hourly rate,
expert, expert service, expert services, experts, coder, coders, productivity, productive, productively, efficiency, efficiently, effective, end customer, end customers, expert entrepreneur, expert entrepreneurship, expert entrepreneurs, marketing, entrepreneurial career, career, becoming an entrepreneur, entrepreneurs, entrepreneur, internet, the net, online, trend, trends, market, markets, schedule, scheduling, schedules, service, services, challenge, challenges, respond, responding, seize, seizing, micro-enterprise, micro-entrepreneurship, sole trader, solo entrepreneurship, self-employed, as a consultant, independent, independently, independence, transactional analysis, interaction skills, interaction, quality assurance, ensuring quality, by testing, rollout, rolled out, product range, implementation work, implement, implemented, implementing, employment relationship, insurance, insuring, pension contributions, costs, advertising, pricing model, pricing models, competitive situation, competitors, markets, networking, networks, data processing,
high-quality, uncertainty, risk-taking, risk management, risks, swarm work, swarming, swarm, organization of work, organizing, technology, technologies, organization, co-configuration production, teams, team, knotworking, swarming, swarm-like patterns, matrix organization, horizontal, horizontally, hierarchical, hierarchically, hierarchy, developer group, development group, flexible, flexibly, flexibility, requirements, customer-driven, customer orientation, customer team, customer teams, swarm work, self-organizing, working group, working groups, interest, interests, microtasking, microtasker, entrepreneurship, Finland, in Finland, Finnish, events, coworking, attitude climate, international, internationally, problem, problems, solution, solve, solutions, solved, solving, entrepreneurship, innovating, innovator, entrepreneur-driven, entrepreneurial-minded, project work, software industry, MVP (Minimum Viable Product), quickly, fast, information systems work,
business cooperation, projects, demanding, user manuals, user training, operations management, business plan, delivery process, delivery processes, system, systems, client, clients, revenue logic, result, results, effectively, incubator, funding, financing, international, internationally, open knowledge, open information, open data, literacy, information policy, information culture, information architecture, machine readability, machine-readable, correctness, quality, high-quality, reliable, reliably, reliability, confidentiality, up to date, timeliness, comprehensibility, comprehensible, clarity, illustrating, clearly, illustrative, data structure, data structures, user interface, user interfaces, concepts, concept, metadata, findability, discoverability, finding, interoperability, interoperable, data catalogue, data catalogues, search service,
hakupalvelussa, hakupalveluiuita, hakupalveluista, hakupalveluun, laintaäädännössä, lainsäädäntö, lainsäädäntöön, lainsäädännöllä, tietosuoja, tietosujasta, tietosuojan, tietosujaan, tieoturvallisuus, tietosuojattu, tietoturvallinen, tietoturvalliseen, tietoturvattu, tietoturvallisuuteen, pääsyllä, pääsyyn, pääsy, saatava, saatavuuteen, saatavuus, saatavuudella, maksuttomuus, ilmainen, ilmaiseksi, ilmaisella, maksaminen, maksuttomuudella, maksamisella, maksamiseen, maksuttomuuteen, koneluettavuus, koneluettavasti, koneluettavuudella, koneluettavaksi, käyttöehdot, käyttöehto, käyttöehtoihin, käyttöehdoilla, henkilöstökulut, henkilöstökulujen, henkilöstökuluihin, tiedon, tiedolla, tietoihin, tietoon, tietoja, julkisesti, julkinen, julkisuus, koneluettavassa, sisältöjä, sisältö, sisältöön, sisältöä, budjetti, budjetointi, budjetissa, budjettiin, mobiilipalvelu, mobiilipalvelut, mobiilipalvelussa, mobiilipalveluita, mobiilipalveluun, suunnitelmallisesti, suunnitelma, suunnittelu, sunnittelulla, suunnitelmassa, suunnittelussa, tietosuojasta, yksityisyys, yksityisesti, yksityinen, tietovarannot, tietovarantoon, tietovarannossa, tietovarannoissa, tietovarannosta, tietoaineisto, tietoaineistoja, tietoaineistoon, tietoaineistojen, tietoaineistoa, datasetti, datasettiä, datasettinä, datasettiin, datasetistä, datasettejä, algoritmi, algoritmit, algoritmilla, Apps4Finland, XBRL (eXtensible Business Reporting Language), standardi, standardointi, standardilla, standardiin, standardeja, standardeihin, verkkolaskut, verkkolaskutus, verkkolaskuun, verkkolaskujen, Finvoice, e-Lasku, verkkopankki, verkkopankissa, veronumero, FKL, JHS-sanasto, koodistot, käsitemallit, tietomallit, rajapintakuvaukset, YSR, ydintieto, ydintietoa, ydintiedolla, ydintietoon, ydintiedosta, Apotti, potilasturvallisuus, käyttäjäkunta, käyttäjäkunnan, käyttäjäkunnassa, käyttäjäkuntaan, käyttäjäkunnalla, tavoitetila, tavoitetilaan, tavoitetilassa, tavoitetilalla, valmisjärjestelmä, valmisjärjestelmällä, 
valmisjärjestelmiin, räätälöinti, räätälöidä, räätälöinnillä, räätälöity, räätälöidään, palvelukokemus, palvelukokemukseen, palvelukokemuksesta, palvelukokemukseella, palvelukokemusta, kansallinen palveluväylä, vahva tunnistautuminen, palveluväylällä, palveuväylään, kansallisesti, Suomalainen, Suomessa, KanTa, eResepti, Mobiilivarmenne, Katso, Sote, informaatio-ohjaus, valiokunta, valiokuntaan, valiokunnssa, JulkiCT, https://wiki.julkict.fi/, operatiiviselle, operatiivisesti, operatiiviseen, operatiivinen, toimintaympäristö, toimintaympäristön, toimintaympäristössä, toimintaympäristöön, soveltuvuus, soveltuva, soveltuu, soveltuvat, siiloutunut, siiloutunutta, siiloutuminen, siiloituvat, siiloutuneen, siiloitumista, rakenneuudistus, rakenneuudistuksella, rakenneuudistukseen, rakenneuudistaminen, ominaisuus, ominaisuuksilla, ominaisuuden, ominaisuuksien, ominaisuuteen, ominaisuudella, ominaisuudet, ominaisuuksiin, X-väyläkeskus, rajapinta, rajapintaan, rajapinnalla, rajapintojen, rajapinnoissa, rajapintoja, rajapintoihin, eKatselu, pilotti, pilottiin, pilotissa, pilotilla, pilotteja, pilottien, sertifioitu, sertifiointi, sertifioituprosessi, sertifikaattiprosessi, tietokanta, tietokantaan, tietokannassa, tietokantojen, tietokannalla, tietokannat, tietokantojen, tupas, valvira, sektori, sektorilla, sektorista, sektoreita, sektoriin, sektoreittain, biometrinen tunnistaminen, tunnistus, tunnistimet, tietojärjestelmät, tietojärjestelmä, tietojärjestelmällä, tietojärjestelmään, tietojärjestelmien, tietojärjestelmässä, tietojärjestelmistä, tietojärjestelmän, paperiton, paperittomasti, paperittomalla, idea, ideoita, ideoista, ideointi, ideoidaan, ideat, idealla, ideasta, ideaksi, järjestelmäsuunnittelija, palaute, palautetta, palautteen, palautteeseen, utopia, utopistinen, utopiaan, layout, tietokone, tietokonetta, tietokoneella, tietokoneeseen, mobiili, mobiilisti, mobile, mobiililla, mobiiliin, tabletti, tabletilla, tablettiin, tabletissa, konaisuus, kokonaisuuksien, 
kokonaisuuden, kokonaisuuteen, kokonaisuudella, tietojenvaihto, tietojenvaihtoon, tietojenvaihdossa, tietojenvaihdolla, tietojenvaihtoa, turvaaminen, turvattu, turvaamisella, turvaattuun, reaaliaikainen, reaaliaikaisesti, reaaliaikaisella, reaaliaikaisessa, tietovirta, tietovirtojen, tietovirtaa, tietovirrassa, tietovirtoja, turhiin, turasta, turhuus, turhalla, mittava, mittavissa, mittavaan, mittavien, käytettävyystavoitteet, käytettävyystavoitteeseen, substanssi, substanssilla, substanssien, potentiaali, potentiaalinen, potentiaalisesti, potentiaalilla, valmisjärjestelmä, valmisjärjestelmät, valmisjärjestelmällä, valmisjärjestelmiin, valmisjärjestelmien, räätälöimällä, perusratkaisu, perusratkaisut, perusratkaisuun, perusratkaisulla, perusratkaisusta, perusratkaisujen, käytettävyystestaus, käytettävyystestauksella, käytettävyystestaukseen, käytettävyystestausta, substanssien, avoin, avointa, avoimella, avoimesta, avoimiin, lähdekoodi, lähdekoodia, lähdekoodilla, lähdekoodiin, perustuu, perustua, perustuvalla, perustuvaan, pilvipalvelu, pilvipalvelut, pilvipalveluun, pilvipalvelulla, pilvipalvelujen, pilvipalveluista, pilvipalveluja, pilvipalvelin, pilvipalvelimiin, pilvipalvelimista, pilvipalvelimella, pilvipalvelinta, datajoukkoa, datajoukko, datajoukkoon, datajoukkojen, datajoukkoja, valtava, valtavat, valtavien, datalle, dataan, dastasta, FLOSS, CC BY, salakirjoittaa, salakirjoituksella, salakirjoituksessa, salakirjoitetaan, salataan, salausavain, salausavainten, salausavaimien, salausavaimet, kryptataan, kryptata, kryptaus, kryptattu.

And that's not even all. ;)

Sorry, I didn't run ', '.join(set(post.split(','))) over this post, but I could have, to remove the possible dupes.

Good workers? Working Remote, Telecommuting?

posted Sep 17, 2014, 8:43 AM by Sami Lehtinen   [ updated Sep 17, 2014, 8:49 AM ]

Thinking about remote work? Well, are you a good worker in the first place? Are you ...

Action-oriented and autonomous

Meaning that if no task is defined, you'll still be working on something valuable to the project. There are always things to explore and improve, even if nobody explicitly says so.
Prioritization: in case of conflicting tasks, or no tasks at all, you'll have to decide what is worth doing first and what should be done later.

Efficient Communication

Remote teams communicate over email, chat, etc. Are you a proficient communicator? It's very easy to notice that many people are very bad remote workers: they don't ask what to do, nor do they provide sufficient (or any) information about what they're planning to do and, even more importantly, what they have done so far.

Trustworthy and Disciplined

If nobody can trust you, then you're a bad worker. Many say that untrustworthy workers shouldn't be hired in the first place, or should be fired immediately. If a worker is so bad that you have to monitor things before you can trust that anything is getting done, it's better not to employ that worker at all.

Motivation & Self-actualization

Good remote workers enjoy varied challenges and solving problems.

Required Information

Provide enough background information for tasks. Prioritization is impossible unless enough is known about the problem to make efficient decisions. The same applies to the scope of tasks: without proper scoping you get either bare-bones (shoddy kludge) or feature-creep ("they might need these features at some point in the future") problems, depending on the situation, for example when there are tons of other important tasks to do versus when there doesn't seem to be anything to do at all.

My personal experience

I've been doing this kind of stuff since 1992, programming and project management over IRC / email globally with distant members whom I haven't ever met. I've also been managing outsourced developer teams at Winpos. I know how to make remote work work, as well as the issues which will grind everything to a halt for sure.

Also see: Wikipedia Telecommuting

kw: remote, remotely, work, working, workers, telecommuting, telecommute, telework, teleworking, telecommuter, teleworker, nomad workers, telecommuters,

Finished reading Service-oriented Architecture (SOA) book

posted Sep 17, 2014, 8:30 AM by Sami Lehtinen   [ updated Sep 17, 2014, 8:30 AM ]

Finished reading: Service-oriented architecture (SOA) book

Compact keyword list:
software design and software architecture design pattern, providing application functionality, service-orientation, vendor, product or technology, independent, software applications, Design concept, Web Services Description Language (WSDL), SOAP (originally Simple Object Access Protocol), metadata, catalogue, autodiscovery, reasonable expenditure of cost and effort. Granularity of services, processing overhead, easy reuse. Access independent services without knowledge of the service's platform implementation. Business Process Layer, Services, Service Components, Operational Systems. Layers: Consumer Interface Layer, Integration Layer, Quality of Service, Informational, Governance, each service is built as a discrete piece of code. Design principles,deploy SOA services in different implementation languages; well-defined interface, integrate widely disparate applications, well-defined, shared format, concepts of distributed computing and modular programming, promoting reuse. SaaS, and cloud computing service-description documents. Service loose coupling. Minimizes dependencies, Service abstraction, Service reusability, promoting reuse. Service autonomy, Service statelessness, Service discoverability, Service composability, Service granularity, Service normalization, Service optimization, Service encapsulation, Location transparency, Service-orientation design paradigm, composition-centric. Service composition, Service Abstraction, service inventory. Blueprint, Service-oriented enterprise architecture, technological resources, wrappers around existing legacy systems to make them network-enabled. Service provider, trade-offs between security and easy availability, Universal Description Discovery and Integration (UDDI), ebXML (Electronic Business using eXtensible Markup Language), ISO/IEC 11179 Metadata Registry (MDR), Service consumer, Service-Oriented Modeling Framework (SOMF). Independent of the underlying platform and programming language. 
The interface definition hides the implementation of the language-specific service. SOA-based systems can therefore function independently of development technologies and platforms. Wrap COBOL legacy systems and present them as software services. This has extended the useful life of many core legacy systems indefinitely, no matter what language they originally used. Service Object-Oriented Architecture (SOOA), Service Protocol Oriented Architecture (SPOA), Service interfaces, Communication protocol, Bind operation. Service concept, Business services, Service development scheme. Project plan, OASIS defines SOA as the following: A paradigm for organizing and utilizing distributed capabilities that may be under the control of different ownership domains. It provides a uniform means to offer, discover, interact with and use capabilities to produce desired effects consistent with measurable preconditions and expectations. Business-oriented infrastructure. Well-defined, highly inter-operable interfaces. Maximize reuse of services. Stand-alone unit of functionality, formally defined interface. The coordinated work of subordinate services. Abstraction Autonomy Composability Discoverability Formal contract Loose coupling Reusability Statelessness, tested as a 'black box'. Out-of-scope services, regression test documentation, SOA Governance, horizontal trust, business Motivation Model (BMM). Security models, application-managed security, change management governance, shortage of skilled people, services infrastructure. Interoperability SOA implementations. Developed basic profile (BP) and basic security profile (BSP) to enforce compatibility. Services conform to WS-I profile guidelines. Reliable Secure Profile. Exaggerated expectations. System architecture and design. Do a poor job of introducing SOA concepts to a business with the result that SOA remains misunderstood within that business. 
Appropriate support structure, service-level obligations, Business units, Corporate incentives, SaaS monetization architecture. Require more processing power, increasing costs. Overheads, Scalability, Shared context, Transaction, Security, Contingency for additional proof-of-concept work. A service delivery platform (SDP), business information models, identity management, products, content, devices, and the end-user service characteristics, agile, vendor community, Business value over technical strategy Strategic goals over project-specific benefits Intrinsic interoperability over custom integration Shared services over specific-purpose implementations Flexibility over optimization Evolutionary refinement over pursuit of initial perfection. Web 2.0, RESTful web APIs, mashups, integrated user experience, service-oriented business applications (SOBAs). Philosophy of encapsulating application logic in services, defined interface, publicly available, discovery mechanisms. Complexity-hiding, technologies used in real-world applications. Use-cases demonstrated the potential of combining technologies and principles of both Web 2.0 and SOA. "Internet of Services", novel business models, and approaches, digital nervous system, Zero Latency Enterprise.

Yep, this isn't my own text. This is just a compact keyword dump of the stuff I've been reading lately.

7-zip MS .cab file handling bug?

posted Sep 17, 2014, 8:29 AM by Sami Lehtinen   [ updated Sep 17, 2014, 8:31 AM ]

It seems that 7-zip fails when handling larger .cab files, but so does MS makecab.exe.

I created a few .cab files, extracted them and generally poked at the internals of the format, because I received one cab file which can be expanded successfully with expand.exe, but when I try to create a similar cab file I get the error message "ERROR: (FCIAddFile)Data-size or file-count exceeded CAB format limits", and 7-zip says the cab file is invalid after extracting about 30% of it. That's very strange. All this started when I received a ~1.5 GB cab file containing a ~2.8 GB file and 7-zip refused to extract it.

When compressing that extracted file with makecab.exe, the error occurs at: "77.02% - raw=2,147,450,880  compressed=1,133,243,115". Just as expected when using 32-bit signed sizes: 2,147,450,880 is 0x7FFF8000, i.e. 2^31 minus one 32 KiB CFDATA block, so makecab stops at the last block boundary that still fits a signed 32-bit size. I personally wonder what the point of using signed addressing is.

I have already asked how they created it in the first place. It might be possible that MS SQL Server is able to create .cab files which contain files larger than 2 GB, and it seems pretty likely at this point. I also verified that the file extracted with expand.exe does seem to contain valid data to the end of the file, which makes this case even stranger. The file extracted by 7-Zip is exactly the same size, but as said earlier, the last 2/3 of it is full of zeros.

Why did I try to create a similar file? Well, I just wanted to know if it's a 7-Zip bug when handling large .cab files or if there's something else wrong with it. Unfortunately the file I'm talking about contains a confidential database, so I can't share the original file. I hope there will be some kind of resolution for this question.

Details:
Compressed size: 1,461,158 KB (smaller than 2 GB)
Original size: 2,788,312 KB (larger than 2 GB)

Compressed file magic number: MSCF
Uncompressed file magic number: TAPE

Anyway, the CAB file specification says that the maximum file size is 2 GB, so how is it possible that I just successfully extracted a larger one? Does Microsoft have some non-standard, MS-only kludges in place?
Maybe they have something like 'append', so a cabinet can contain 64K * 2 GB files which are simply appended when extracting?
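The questions above come down to what the size fields in the cabinet headers actually hold. The following is an added example, not code from the post or from 7-Zip: a header-level .cab parser that reads CFHEADER, CFFOLDER and CFFILE, checks the 32-bit size fields against the limits discussed above, and reports files whose iFolder marks them as continued into another cabinet (the format's own "append" mechanism). It never decompresses CFDATA blocks, so it runs on a constructed in-memory sample; the 0x7FFF8000 per-file limit is taken from the raw byte count at which makecab failed above, and the sample file sizes are the ones from the Details list.

```python
import struct

# Added example, not code from the post: a header-level parser for Microsoft
# cabinet (.cab) files that reports size fields exceeding the format's signed
# 32-bit limits. It reads CFHEADER, CFFOLDER and CFFILE only; it does not
# decompress CFDATA blocks, so it runs on the constructed sample below without
# any real multi-gigabyte file.

CFHEADER_FMT = "<4sIIIIIBBHHHHH"  # signature, reserved1, cbCabinet, reserved2, coffFiles,
                                  # reserved3, versionMinor, versionMajor, cFolders, cFiles,
                                  # flags, setID, iCabinet (36 bytes, little-endian)
CFFOLDER_FMT = "<IHH"             # coffCabStart, cCFData, typeCompress (8 bytes)
CFFILE_FMT = "<IIHHHH"            # cbFile, uoffFolderStart, iFolder, date, time, attribs (16 bytes)
cfhdrPREV_CABINET = 0x0001
cfhdrNEXT_CABINET = 0x0002
cfhdrRESERVE_PRESENT = 0x0004
# iFolder values that mean "this file is split across cabinets".
CONTINUED = {0xFFFD: "continued from previous cabinet",
             0xFFFE: "continued to next cabinet",
             0xFFFF: "continued from previous and to next cabinet"}
# The largest uncompressed size makecab accepted in the post before failing:
# raw=2,147,450,880 = 0x7FFF8000 = 2**31 minus one 32 KiB CFDATA block.
MAX_CBFILE = 0x7FFF8000
MAX_CBCABINET = 0x7FFFFFFF        # "2 GB" cabinet limit: must fit a signed 32-bit int


def as_int32(value):
    """Reinterpret a 32-bit unsigned field the way a signed-int32 implementation sees it."""
    return struct.unpack("<i", struct.pack("<I", value & 0xFFFFFFFF))[0]


def parse_cab(data):
    """Parse the CFHEADER, CFFOLDER and CFFILE tables of a cabinet held in memory."""
    if len(data) < 36 or data[:4] != b"MSCF":
        raise ValueError("not a cabinet: missing MSCF signature")
    (_sig, _r1, cb_cabinet, _r2, coff_files, _r3, v_minor, v_major,
     c_folders, c_files, flags, set_id, i_cabinet) = struct.unpack_from(CFHEADER_FMT, data, 0)
    pos, cb_cffolder = 36, 0
    if flags & cfhdrRESERVE_PRESENT:
        cb_cfheader, cb_cffolder, _cb_cfdata = struct.unpack_from("<HBB", data, pos)
        pos += 4 + cb_cfheader                  # skip the per-cabinet reserved area
    n_strings = 2 * bool(flags & cfhdrPREV_CABINET) + 2 * bool(flags & cfhdrNEXT_CABINET)
    for _ in range(n_strings):                  # szCabinetPrev/szDiskPrev, szCabinetNext/szDiskNext
        pos = data.index(b"\0", pos) + 1
    folders = []
    for _ in range(c_folders):
        coff_cab_start, c_cfdata, type_compress = struct.unpack_from(CFFOLDER_FMT, data, pos)
        folders.append({"coffCabStart": coff_cab_start, "cCFData": c_cfdata,
                        "typeCompress": type_compress & 0x000F})
        pos += 8 + cb_cffolder
    if coff_files > len(data):
        raise ValueError("coffFiles points past the end of the data")
    files, pos = [], coff_files
    for _ in range(c_files):
        if pos + 16 > len(data):
            raise ValueError("truncated CFFILE table")
        cb_file, uoff, i_folder, _date, _time, attribs = struct.unpack_from(CFFILE_FMT, data, pos)
        pos += 16
        end = data.index(b"\0", pos)            # szName is NUL-terminated
        files.append({"name": data[pos:end].decode("latin-1"), "cbFile": cb_file,
                      "uoffFolderStart": uoff, "iFolder": i_folder, "attribs": attribs})
        pos = end + 1
    return {"cbCabinet": cb_cabinet, "version": (v_major, v_minor), "cFolders": c_folders,
            "cFiles": c_files, "flags": flags, "setID": set_id, "iCabinet": i_cabinet,
            "folders": folders, "files": files}


def check_limits(cab, actual_size=None):
    """Return findings for header fields that a signed 32-bit implementation cannot represent."""
    findings = []
    if cab["cbCabinet"] > MAX_CBCABINET:
        findings.append("cbCabinet %d exceeds 0x%X" % (cab["cbCabinet"], MAX_CBCABINET))
    if actual_size is not None and cab["cbCabinet"] != actual_size:
        findings.append("cbCabinet %d does not match actual size %d" % (cab["cbCabinet"], actual_size))
    for f in cab["files"]:
        if f["cbFile"] > MAX_CBFILE:
            findings.append("%s: cbFile %d exceeds 0x%X (a signed 32-bit reader sees %d)"
                            % (f["name"], f["cbFile"], MAX_CBFILE, as_int32(f["cbFile"])))
        if f["iFolder"] in CONTINUED:
            findings.append("%s: %s" % (f["name"], CONTINUED[f["iFolder"]]))
    return findings


def build_sample_cab(file_sizes, names=None):
    """Constructed test input: one folder, no CFDATA blocks, just the tables parse_cab reads."""
    names = names or ["file%d.bin" % i for i in range(len(file_sizes))]
    folder = struct.pack(CFFOLDER_FMT, 0, 0, 0)          # typeCompress 0 = no compression
    entries, offset = b"", 0
    for size, name in zip(file_sizes, names):
        entries += struct.pack(CFFILE_FMT, size, offset, 0, 0, 0, 0x20) + name.encode("ascii") + b"\0"
        offset = (offset + size) & 0xFFFFFFFF
    coff_files = 36 + len(folder)
    total = coff_files + len(entries)
    header = struct.pack(CFHEADER_FMT, b"MSCF", 0, total, 0, coff_files, 0,
                         3, 1, 1, len(file_sizes), 0, 0x1234, 0)
    return header + folder + entries


if __name__ == "__main__":
    # Sizes from the post's Details: 2,788,312 KB uncompressed is below 2**32, so it
    # fits the unsigned cbFile field, but it is far above 0x7FFF8000.
    sample = build_sample_cab([4096, 2788312 * 1024], ["small.bin", "data.bin"])
    for line in check_limits(parse_cab(sample), len(sample)):
        print(line)
```

Run against a real cabinet with parse_cab(open(path, "rb").read()), the interesting output is the signed reinterpretation: a cbFile of 2,855,231,488 bytes is a perfectly valid unsigned 32-bit value, but becomes -1,439,735,808 in a tool that stores sizes as signed 32-bit integers, which is consistent with extraction stopping partway and the remainder of the output being zero-filled.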

Wikipedia: CAB

Netvisor API, Default accounts, Passwords, EDRi, EFF, New TLDs, Windows 8.1 hibernate

posted Aug 20, 2014, 9:05 AM by Sami Lehtinen   [ updated Aug 20, 2014, 9:09 AM ]

  • Studied the Netvisor Web Service REST API for system integration, and also checked out the Netvisor Python API Wrapper by Fast Monkeys.
  • Once again wondered about information security issues: lack of access controls, data stored indefinitely, etc. In some cases it's the result of a lack of processes; in other cases it's done by design. I guess this topic is so boring because people working in this field know it's a never-ending task.
  • In one audit, 25% of the database servers facing the public internet were using default administrator credentials. I don't know if I really have words for it. Maybe the best word to describe that would be: normal?
  • Support EDRi, it's protecting digital freedom worldwide. Don't forget the Electronic Frontier Foundation (EFF). If you live in Finland, there's also Electronic Frontier Finland (EFFI).
  • New top-level domains are messing things up in some companies which have been using invalid names internally. That's no news; it was known long before the registrations started. Nothing new. I guess I should register .local and then install a credential-snapping honeypot there. The main problem is that in some organizations they forget to use the .local suffix. So if there's a server called guru and there's a TLD .guru, which one should you open? The solution is simple: the local guru should be guru.example.com or guru.local. Another way to fix the issue is to always automatically append the company domain instead of using .local, so plain guru always becomes guru.example.com. I'm just wondering why this 'problem' is in the news again.
  • Wondered where hibernate has gone; it seems that MS isn't allowing it anymore with Windows 8.1. This means that the battery life of all Windows devices is going to be absolutely dismal. The new InstantGo mode sucks the life out of the battery in no time. Microsoft claims that it's a better way; I think it's an absolute failure. Enabling hibernate is made hard for professionals and practically impossible for normal users. The web is absolutely full of disinformation about this matter. There are tons of instructions that are invalid or do not work at all. After all, it seems that hibernate has been permanently removed from the options when the system is InstantGo capable. I really hate it when some things are broken on purpose and designed to make life harder for people. - Based on my previous post, is this sabotage on purpose, or just an accident?
  • One password audit gave the following results: total failure 47%, bad / weak 10%, acceptable / OK / normal 35% and finally perfect, strong passwords 8%. Total failure is something like 5 lowercase letters / digits, or the user's own first name. Bad / weak is name + birth year, something around 6-7 characters. Acceptable level is 8-10 characters with special characters and enough entropy. Perfect passwords are 10+ characters and nearly fully random. I would say that the results were what I expected and not any kind of surprise. The analysis was run on a database containing about 800 user accounts. Every password was rated by a person. Something like Password123 does not count as a strong password, but (Zh3nW3$fP does.
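The audit above was rated by hand. As an added example, not the author's rules or tooling, here is an automatic approximation of the same four buckets that can be run over a dump of (password, first name, birth year) rows: it checks the user's own name and birth year, a dictionary core word, length and character classes before it falls back to a naive brute-force entropy estimate. The thresholds, the tiny word list and the sample accounts are all constructed for illustration; a real run would use a full wordlist and leaked-password lists.

```python
import math
import re
from collections import Counter

# Added example, not the author's rating rules: an automatic approximation of the
# four buckets used in the manual audit above. The thresholds, the tiny
# dictionary and the sample accounts are all constructed for illustration.

TOTAL_FAILURE, WEAK, ACCEPTABLE, STRONG = "total failure", "bad/weak", "acceptable", "strong"
BUCKETS = (TOTAL_FAILURE, WEAK, ACCEPTABLE, STRONG)

# Constructed mini wordlist; a real audit would load a full dictionary and leak lists.
COMMON_WORDS = {"password", "qwerty", "letmein", "welcome", "admin", "123456"}

# (regex, alphabet size) per character class, used for the brute-force entropy estimate.
CLASSES = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33))


def char_classes(pw):
    """Return (number of character classes present, size of the implied alphabet)."""
    count, pool = 0, 0
    for pattern, size in CLASSES:
        if re.search(pattern, pw):
            count += 1
            pool += size
    return count, pool


def entropy_bits(pw):
    """Naive brute-force entropy: length * log2(alphabet). It overrates structured
    passwords such as word+digits, which is why the dictionary checks run first."""
    _, pool = char_classes(pw)
    return len(pw) * math.log2(pool) if pool else 0.0


def base_word(pw):
    """Strip leading symbols and trailing digits/symbols to expose the core word."""
    return re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", pw).lower()


def rate_password(pw, first_name=None, birth_year=None):
    """Place one password into one of the audit's four buckets."""
    name = first_name.lower() if first_name else None
    low = pw.lower()
    classes, _ = char_classes(pw)
    # Total failure: about 5 lowercase letters/digits, a top-list word, or the user's own first name.
    if len(pw) <= 5 or low in COMMON_WORDS or low == name:
        return TOTAL_FAILURE
    core = base_word(pw)
    # Bad/weak: name + birth year, dictionary word + digits, short, or a single character class.
    if (core in COMMON_WORDS or core == name or (birth_year and str(birth_year) in pw)
            or len(pw) <= 7 or classes <= 1):
        return WEAK
    bits = entropy_bits(pw)
    # Strong: 10+ characters, mixed classes, nearly random.
    if len(pw) >= 10 and classes >= 3 and bits >= 60:
        return STRONG
    # Acceptable: 8-10 characters with special characters and enough entropy.
    if len(pw) >= 8 and classes >= 3 and bits >= 45:
        return ACCEPTABLE
    return WEAK


def audit(accounts):
    """accounts: iterable of (password, first_name, birth_year). Returns percent per bucket."""
    counts = Counter(rate_password(pw, fn, by) for pw, fn, by in accounts)
    total = sum(counts.values())
    return {b: round(100.0 * counts[b] / total, 1) for b in BUCKETS}


# Constructed sample accounts (plaintext only because an audit like this runs over
# a dump you already hold; never store passwords this way).
SAMPLE_ACCOUNTS = [
    ("sami", "Sami", 1980),          # own first name
    ("abc12", "Maija", 1975),        # 5 lowercase letters/digits
    ("Sami1980", "Sami", 1980),      # name + birth year
    ("Password123", "Pekka", 1969),  # dictionary word + digits
    ("hunter22", "Ville", 1988),     # 8 chars but only two classes
    ("Tr0ub4dor", "Anna", 1990),     # 9 chars, three classes
    ("Ab3$efgh", "Liisa", 1982),     # 8 chars, four classes
    ("(Zh3nW3$fP", "Jukka", 1977),   # the post's example of a strong password
]

if __name__ == "__main__":
    for pw, fn, by in SAMPLE_ACCOUNTS:
        print("%-12s %s" % (pw, rate_password(pw, fn, by)))
    print(audit(SAMPLE_ACCOUNTS))
```

The ordering matters: Password123 scores about 65 bits on the naive length-times-alphabet estimate, the same as the post's (Zh3nW3$fP, so entropy alone would call it strong. Only the dictionary check on the core word keeps it in the bad / weak bucket, which is the same judgement the manual rating made.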
