My personal blog about things I do, like, and am interested in. If you have any questions, feel free to mail me!
Full list of blog posts
- Studied LiFi networks. There's nothing that would prevent it from being used starting today; it's just a matter of market maturation. Basically the whole core of the Internet already runs on light technology; it's just not used for the last hop. This also nicely reminds me of IrDA.
- Wondered again how slow some USB sticks can be. It's clear that mounting, file handling and unmounting are much faster with exFAT on those. For extended disk operations NTFS seems to be faster, but I guess that's only due to some kind of write caching. So if you dismount the drive often, it isn't faster, it's slower.
- Finished reading a Finnish entrepreneur / business guide, "Opas yrittäjyyteen".
- UTF-8, Unicode. I was kind of hoping that we could get rid of character set issues forever when Unicode was introduced, but it seems that hope was completely in vain. I'm encountering character set issues weekly, even when UTF-8 is being used. Here's an example of the issues with MySQL.
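The typical failure mode isn't UTF-8 itself but a mismatch somewhere in the chain. A minimal Python sketch of two classic cases (the Finnish example word is mine; MySQL's legacy "utf8" charset is really the 3-byte utf8mb3):

```python
# Case 1: mojibake. UTF-8 bytes decoded with the wrong (Latin-1) charset,
# which is what you see if the database connection charset is misconfigured.
text = "päivä"
raw = text.encode("utf-8")        # what the application actually sends
garbled = raw.decode("latin-1")   # what comes back through a latin1 connection
print(garbled)                    # pÃ¤ivÃ¤

# Case 2: MySQL's legacy "utf8" stores at most 3 bytes per character, so
# 4-byte code points like emoji need the utf8mb4 charset instead.
emoji = "😀"
print(len(emoji.encode("utf-8")))  # 4
```

So even with "UTF-8 everywhere", every hop (client, connection, table, column) has to agree, or you get exactly this kind of weekly surprise.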
- Studied: Space division multiple access (SDMA)
- Quite a nice post on why Python runs so slow. I think it's very informative for the n00bs I've often been writing about: the guys who are programmers but don't know anything about computers or software. (lol) Well, everything has its positives and negatives. I've been very happy with Python so far. I'm well aware of the overhead and I know how to deal with it if and when required; so far, I haven't had any problems. When I design programs, I acknowledge the overhead of certain data structures and avoid them if I think they would be a problem. Gladly servers usually have plenty of excess resources, so 'wasting' some of them for faster and more reliable development isn't a problem. I've also fallen into traps at times when trying to optimize something, turning it into a really complex mess to understand and maintain. It's faster, but it's very hard to grasp how it works. That's usually a bad optimization choice.
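The data structure overhead I mean is easy to make concrete. A quick sketch (the `PointSlots` class is a made-up example) comparing container sizes and the `__slots__` trick:

```python
import sys

# Rough per-object overhead of common containers holding the same three ints.
# Exact byte counts vary by Python version, but the ordering holds.
print(sys.getsizeof({"x": 1, "y": 2, "z": 3}))  # dict: largest
print(sys.getsizeof([1, 2, 3]))                 # list: smaller
print(sys.getsizeof((1, 2, 3)))                 # tuple: smallest of the three

# __slots__ drops the per-instance __dict__, which starts to matter
# when you hold millions of small objects in memory.
class PointSlots:
    __slots__ = ("x", "y", "z")
    def __init__(self, x, y, z):
        self.x, self.y, self.z = x, y, z
```

On a server with plenty of RAM none of this matters; it only matters when you know the object count will be huge, which is exactly when I pick the leaner structure up front.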
- Watched TrustyCon 2014 video. (TrustyCon site) Excellent stuff.
- Checked out Mobile IP (MIPv6).
- Forrester lists APIs and integration as one of the Top Technology Trends for 2014. I've been doing system integration for over 15 years and I've never been busier. A lot of real-time integrations are being made all the time with BI, CRM, ERP, invoicing, bookkeeping, accounting, etc. systems. I'm currently working on several projects in parallel. They also listed cloud and mobile technology, rethinking of trust and identity management, software defined networks (SDN) and the software defined data center (SDDC), which is no surprise for sure.
I'm not going to mention any details, but let's just say that this made me smile: "Many firms have cloud strategies and mobile strategies, but the report makes the point that the benefits of the cloud will be limited by the speed with which traditional applications are re-written to take advantage of cloud. Without this redesign, benefits will be limited."
- IPv6 Matrix, quite a cool world map showing IPv6 adoption worldwide.
- Some things should be simple, but aren't. This is an excellent question: should tags be closed XML-style in HTML or not? Well, of course... Or maybe not. Find out by reading the article: To close, or not to close.
- Checked out IT as a Service (ITaaS) and Software Defined Storage (SDS).
- WhatsApp has really great scalability on their backend & server side.
- What Big Data knows about you - and how to keep your info safe. Nothing new at all, but it's good to be reminded of this every now and then.
- IPv6 dual stack requires only marginally more resources. Because the IPv6 code is already there, the additional resources required to actually utilize it are marginal in current computing power terms. So if you're worried that your server will run out of resources because you enable IPv6, you really shouldn't be. It seems that many forget that IPv6 is already a 20-year-old thing. I personally think that when IPv6 goes mainstream, IPv4 networks will at a certain point go down the slope quite quickly: what now hinders IPv6 will then, in reverse, be true for supporting something old like IPv4. Of course some systems will keep running it nearly forever, but they'll be a very small percentage. I'm sure you'll still find DOS, Windows 3.11 and Windows 95 computers somewhere, but that's not the main point: nobody creates new software for Windows 3.11 anymore. So at some point IPv4 will be practically abandoned, except in a very few cases.
Of course there is some legacy hardware which can barely run IPv4 and NAT, and which won't allow adding IPv6 for hardware resource reasons. Nor is it likely that their manufacturers will provide any firmware updates anyway. That might happen if there's a fatal exploit in the firmware, or they'll simply say that in that situation it's better to replace the devices. But usually the cost of replacing that stuff isn't huge: things like old el-cheapo home routers, etc. Those are replaced every now and then for other reasons too, like transitioning from ADSL to ADSL2 and ADSL2+, VDSL, VDSL2, etc. It's possible that someone is still using routers on 10 megabit coaxial cable, but it's quite unlikely, and it's high time to replace those anyway. Btw. does someone still use 10 megabit hubs (not switches!)? I haven't seen those in a while.
I believe it'll take something like a decade. But at a certain point, what has happened before will happen again: developers won't want to bother with IPv4 anymore, and therefore it gets abandoned. Just like we now see software which doesn't work with Windows XP even though it's still widely used, and some web sites which won't work properly with IE6. A similar thing has always happened when a new Windows has been released. First everyone says the new version is crap, we don't want to use it. And after a few years, everybody is wondering if someone is still using the old version. I thought everyone was saying the "new" version is crap, so why are they all using it? Btw. Google's IPv6 utilization grew from 2% to 3% in just 5 months. The trend is right.
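Enabling dual stack really is cheap in code terms too. A minimal Python sketch of a single listener serving both protocols (assumes a Linux-style host where an AF_INET6 socket can accept IPv4 clients as IPv4-mapped `::ffff:a.b.c.d` addresses):

```python
import socket

def dual_stack_listener(port):
    """One TCP socket that accepts both IPv6 and IPv4 connections."""
    s = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    # 0 = dual stack (IPv4 + IPv6); 1 would make the socket IPv6-only.
    s.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 0)
    s.bind(("::", port))   # :: is the IPv6 wildcard address
    s.listen(5)
    return s
```

That's the whole "extra resource cost" on the application side: one socket option.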
- XML vs JSON? Who cares. That's why I usually provide both options, because it's so trivial: on a per-request basis you can tell whether you're getting XML or JSON. For some legacy systems I also sometimes provide a TSV option, where data fields are dumped tab-separated, without keys or headers. You might not want to believe it, but there are still developers using old systems which do not support JSON or XML, and adding that support would be a nightmare for them. So it's easier to provide as simple a data format as possible.
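It really is trivial. A sketch of serving the same rows in all three formats on request (the field names and row data are hypothetical examples; real XML output would of course need escaping):

```python
import json

def serialize(rows, fmt):
    """Render a list of dicts as JSON, minimal XML, or headerless TSV."""
    if fmt == "json":
        return json.dumps(rows)
    if fmt == "xml":
        items = "".join(
            "<row>" + "".join(f"<{k}>{v}</{k}>" for k, v in r.items()) + "</row>"
            for r in rows
        )
        return f"<rows>{items}</rows>"
    if fmt == "tsv":
        # Legacy option: values only, tab-separated, no keys or headers.
        return "\n".join("\t".join(str(v) for v in r.values()) for r in rows)
    raise ValueError(f"unknown format: {fmt}")

rows = [{"id": 1, "name": "foo"}, {"id": 2, "name": "bar"}]
print(serialize(rows, "tsv"))
```

One serializer function per format, dispatched on a request parameter, and every consumer is happy.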
- Layer 7 DDoS - ha, nothing new. It seems that someone else has been playing with this stuff too. Even CloudFlare doesn't protect against it.
- Nice article, Everything you need to know about SIM cards. Just a bit light on technical details, but I liked the sticker SIM card concept. I haven't ever seen one, but yeah: that's basically MitM attacking the SIM card interface between phone and SIM and modifying messages on the fly.
- Added SQL Antipatterns: Avoiding the Pitfalls of Database Programming to my Kindle.
- Added an IPv6 validated certificate to my web page. Everything seems to be working well. Here are some IPv6 measurements & statistics.
- Let's see when the first Li-Fi devices come to market. It provides a totally different method of wireless communication, which also means that base stations have to be basically everywhere. But we're already going in this direction with nano cells etc., where cell range can be only 10-20 meters.
- Well, I assume everyone has seen this already, but in case you haven't, it's worth checking out. I think it shows great attitude and how hackers can get things done. I'm sure it won't impress designers of SAR, future 5G or Massive MIMO radio engineers, but it's still a darn great combination of hardware, programming, analysis and finding out how things are done using reverse engineering / hacking.
My journey into FM-RDS [30c3]. Don't forget to check Oona's blog.
- Watched [30c3] Backdoors, Government Hacking and The Next Crypto Wars
- Python Idioms (PDF), a really nice compact document with examples of Python idioms, which I just love. The only thing I really miss is a case / switch statement, but well, elif works too.
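Besides elif, the idiomatic Python substitute for switch/case is a dict of callables; dispatch is a constant-time lookup instead of walking an elif ladder. A small sketch (the operations are made-up examples):

```python
# Dict-of-callables dispatch: Python's usual stand-in for switch/case.
def op_add(a, b): return a + b
def op_sub(a, b): return a - b
def op_mul(a, b): return a * b

DISPATCH = {"add": op_add, "sub": op_sub, "mul": op_mul}

def calculate(op, a, b):
    try:
        return DISPATCH[op](a, b)   # O(1) lookup, then call
    except KeyError:
        raise ValueError(f"unknown operation: {op}")

print(calculate("mul", 6, 7))  # 42
```

Adding a new "case" is just adding a dict entry, which also keeps the cases testable one by one.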
- A nice WiFi (WLAN) jammer written in Python. It detects clients and sends deauth packets.
- This is DRACO, an incredible anti-virus technology, well, for humans. If it works, it's a really amazing development. It'll be interesting to see if this kind of development saves us in a world where traditional antibiotics won't work anymore.
- The Stupidity of Computers, an excellent post about challenges related to Artificial Intelligence, Data Analytics, Data Classification, Metadata, natural language processing, structured data, etc.
- A nice post about basic stuff like securing databases with PostgreSQL.
- Studied Open Compute Project Specs & Designs
- Interactive SICP - A must read for every programmer
- Checked out an interesting quantitative mutual fund in Finland, HCP Quant (in Finnish). Its investment policy does make a difference, and it can be efficient as long as the fund isn't too large.
- Studied the latest version of Hypertext Transfer Protocol 2. One thing is sure: HTTP/2 is going to be so complex that it's no longer trivial to implement. This will lead to the situation seen with other complex protocols and technologies: there are going to be just a few implementations which are reliable, full-featured and widely used. If you're not using one of those, you're probably in trouble. This complexity, and the use of possibly non-mainstream implementations, will lead to security and interoperability issues for sure. Flow control, streams, multiplexing, priorities, continuation, header field ordering, cookie compression, server push, protocol upgrading, the CONNECT method, HTTP header compression, stream state, etc. Well, it's nice to get a way to ping all HTTP/2 sites using the HTTP/2 PING (0x6) frame. There's also the TLS 1.2 requirement and GZip compression.
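The framing layer itself is at least simple to sketch. Here's a PING frame (type 0x6) built by hand, assuming the frame layout from the HTTP/2 drafts: 24-bit payload length, 8-bit type, 8-bit flags, 31-bit stream identifier (0 for connection-level frames), then an 8-octet opaque payload:

```python
import struct

def ping_frame(opaque=b"\x00" * 8, ack=False):
    """Build an HTTP/2 PING frame (type 0x6) on stream 0."""
    assert len(opaque) == 8              # PING payload is exactly 8 octets
    length, ftype = len(opaque), 0x6
    flags = 0x1 if ack else 0x0          # ACK flag for the pong reply
    header = struct.pack(">I", length)[1:]           # low 3 bytes = 24-bit length
    header += struct.pack(">BBI", ftype, flags, 0)   # type, flags, stream id 0
    return header + opaque

frame = ping_frame(b"12345678")
print(frame.hex())  # 000008060000000000 followed by the 8 payload bytes
```

Nine bytes of header plus eight of payload; the complexity is all in the state machine around frames like this, not in the bytes themselves.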
Here's some fresh stuff, from last week or so.
- How much memory is enough? It seems that you should have about as much memory as you have storage space on the system. Or maybe not? I gave a very long and detailed presentation about modern operating system memory management. It seems that there are still way too many engineers who simply do not understand how memory is managed. They thought that because all server memory is being used, they should always add more memory to the server. They kept wondering how all memory can be in use even when the server has 128 gigs of RAM. Well well, of course it's used, as disk cache. It would simply be silly not to use all available memory. I wonder how it's possible that people don't get this in 2014, because OS/2 was doing all the same stuff in 1987, so it shouldn't be any kind of news. Another silly and absolutely incorrect thought is that swap usage would indicate that the system is running out of memory. No it doesn't. The memory pages which aren't used are simply moved to swap, and the newly available RAM is used for something more useful, like disk cache. This is a really simple concept and it's all about memory optimization. But it seems that (early) 1980s thinking is stuck hard in some administrators.
People also complain that the system is slow when they start using it (the UI) after it hasn't been used for a week or so. Of course it is; the UI should have been swapped out, because it hasn't been needed for a week. There is more important stuff to use the memory for. Btw. OS/2 Warp did this too.
- Planned to make a Windows XP installation image with Finnish and English languages and all possible updates pre-installed, using WSUS and WUD. I'm kind of hoping that this tool won't ever be needed. But as we all know, it will practically be needed sooner or later. I just wonder what will happen to the XP activation service: will it start to accept any license key, or reject every key? If every key is rejected, it might be a problem. But I assume nobody's going to sue me if I use a cracked Windows XP, because I still have valid licenses for every system. Just the activation part (and Genuine Advantage, lol) is skipped.
- A great example of how much a little tinkering with SQL queries can actually affect performance. I'm sure everyone here has similar experiences, so practically this shouldn't be news to any of us. And an additional article about the SQL query planner. Of course a little data denormalization (materialized views) can easily lead to even bigger performance gains.
- Added NIST: Guidelines for the Secure Deployment of IPv6 to Kindle. I'll be reading it next. I have read it earlier, but these kinds of documents require rereading every now and then. This is also really recommended reading: SANS InfoSec: A Complete Guide on IPv6 Attack and Defense. This short slide show is also related: Security in an IPv6 world, myth vs reality.
- As you can notice, I also dropped target="_blank" from my blog links. It's not required anymore in 2014.
- Needed a True Random Number Generator (TRNG); this Araneus Alea I is nice and isn't too expensive either.
- A nice guide to Python performance analysis and profiling.
- Played a little with a Fusion-io ioDrive2 Duo PCIe Enterprise SSD drive. It delivers really nice performance on reads & writes. Excellent for intensive database applications which require high performance and reliability. Throughput easily 2 GB/s+ read/write and 500k+ IOPS.
- Experimented with Microsoft Azure. Works well. I just don't like the 'Windows license tax', because Linux instances are much cheaper to run than Windows instances on Azure. Storage I/O performance wasn't great either, except on the cache device. One interesting thing to notice was also the fact that connections to Azure North Europe are about 15 ms slower than connections to Azure West Europe. I thought Finland was in Northern Europe. Anyway, North Europe in this case means the London region in the UK and West Europe means the Amsterdam region in the Netherlands. I'm still curious why they won't provide easy RDS SALs via the Azure portal; I'll look further into this matter. Another thing to consider, depending on the application being served, is that the round-trip latency is about 40-60 ms higher than if the services were hosted in Finland.
Some stuff about Azure:
I'm looking for a DaaS (Desktop as a Service) multi-tenant RDS solution (Remote Desktop Services Session Host), not multiple VDI hosts with a single user / Windows installation each, which wastes a ton of resources. I would say that a VDI solution uses in our case about 10x more resources compared to an RDS solution. So from an economic point of view, VDI is absolutely out of the question.
I just dislike the fact that Microsoft Azure doesn't offer RDS SAL licenses directly, and forces you to work with slow and complex SPLA deals. I'm currently acquiring RDS CALs via an SPLA distributor, and I don't like the process at all. It has been getting better, but it's still complicated, slow and error prone.
What I would like to see is one slider in Azure where I can just select that this server should support 100 concurrent RDS users. Also the per-user / per-device licensing models are really outdated for cloud environments. It should be N concurrent users, not these pre-specified devices or users, which only complicates the process in environments where users come and go and devices are replaced all the time.
There are a few 3rd party applications which nicely allow circumventing these Microsoft restrictions. Of course it means breaking the license terms, but it's a lot easier and also a very much cheaper alternative. I have also been exploring those, just out of curiosity. Unfortunately for Microsoft, these solutions seem to work very well, and as mentioned, the economic impact is huge. As long as nobody knows that these products are used, it's a great option. And end users do not need to know how the RDS services are produced.
That's also one of the reasons I would like to get the licenses directly from Microsoft, so it would be cheap and simple. But now they're just overcomplicating this thing.
Anyway, I'm still asking if anyone has any practical experience of how much users are affected by the additional 50 ms latency. If not, then I'll simply have to launch a few test servers in London to see what the practical impact is. That can be easily arranged.
If I weren't so unhappy with the current RDS CAL SPLA licensing model, I wouldn't actually be considering Azure at all. I was just hoping that it would provide better service / license integration, because in every other aspect we're very happy with our current service provider, which also provides under 1 ms round-trip latencies for us.
- It's great that someone is willing to publish results about hard drive reliability: Backblaze - What hard drive should I buy? Without hard data, these discussions are always endless. I have one drive that has been working for 10 years, and then I had one drive that failed in three months. As a sample, that's statistically absolutely meaningless.
- Checked out new stuff in Linux 3.13 kernel:
1.2. nftables, the successor of iptables
This is a nice and interesting new packet filtering and processing layer. I'll need to install it on one of my test servers.
Video talk about nftables: http://youtu.be/P58CCi5Hhl4
Project page and utility source code:
1.6. Improved performance in NUMA systems
This is especially good for virtualization (hosts), because in those cases memory and CPUs are clearly segmented and NUMA can help a lot compared to traditional SMP.
Recommended LWN article: NUMA scheduling progress, which was actually a very nice read.
1.10. TCP Fast Open enabled by default
Nice improvement. https://en.wikipedia.org/wiki/TCP_Fast_Open
1.11. NFC payments support
This is something I personally find very interesting, except that similar things have been done earlier without any kernel support. I have to check separately whether this has any practical meaning.
6. Btrfs commit mount option
Now it's finally there. I was wondering why it disappeared from btrfs when ext4 got it. I have been using very high commit times with ext4, and on temp disks I've disabled journaling and barriers completely. If the system crashes badly with that configuration, it's best to just format the whole temp partition and restart the task.
Aww. It seems that I managed to blog about only one week's worth of stuff. My backlog is growing again at an alarming rate. But that's all for now, folks.
Lately I have been thinking a lot about the SaaS concept and the required automation. Here are some thoughts.
- Server deployment (provisioning) in cloud (Easy)
- Server configuration, securing it on basic level (Easy)
- Generic software installation
- Generic software configuration
- Specialized per customer software installation
- Specialized per customer software configuration
- Different software (automatic, if even possible) license management issues
- Per customer multi-tenant configuration deployment (on demand)
- Secure and easy access right management (Very important and not so easy!)
- Efficient and secure customer data and resource isolation. (Absolutely no clear weaknesses or shortcuts allowed. My major focus point.)
- Payment tracking
- Integration with user account management
- Self-service portal usability, clarity and reliability
- Centralized control system for servers
- Centralized control system for installed applications
- Centralized control system for customer instances (data)
- Secure API-key based standardized integration APIs for all data, allowing 'automated' 3rd party integration via self service control panel
- Automated off-site backups with long term rollback feature (already implemented and done)
As you can see, I've been doing some light planning and testing. But as we know, it's not very easy to get all of that to work reliably and fully automatically. Still, full automation is an absolute requirement for reliability, because doing all those complex steps manually is a guaranteed recipe for disaster and major trouble. Sometimes I just wish the architecture were simpler, so the number of required steps could be radically reduced, as with the Google App Engine or Azure PaaS platforms. But currently that just isn't the way to go.
The major benefit is that multi-tenant installations provide huge cost savings when producing services. Instead of running several hundred small single-customer instances, it's possible to just run a few beefy servers. This also helps with the first four steps of the list: because the number of servers is highly reduced, it might be possible to do those steps manually.
If you're interested in these topics, feel free to contact me.
Studied the whole white paper "Software Smart Cards via Cryptographic Camouflage", Proceedings of the 1999 IEEE Symposium on Security and Privacy. Copyright © 1999 by The Institute of Electrical and Electronics Engineers, Inc. All rights reserved.
Here's my reply; because the original message I replied to is in a closed forum, I'm unfortunately unable to quote it.
I liked that cryptographic camouflage. I hope I'm not breaking your patent when I'm storing my own passwords temporarily on some medium which I don't perfectly trust. What do I do? I take my password and encrypt it using some quite simple method and a chosen password. What, that isn't secure, anyone can crack it? No they can't: if my password were originally plain text, it would be easy to take original_password and XOR it with temp_password. But because the original_password is totally random, even XORing it with a short temp_password in ECB mode is enough. Decrypting with any key still yields a random result, and there's no way to know when you have correctly decrypted the password. Of course I use something other than XOR, because binary operations aren't handy on paper, but the Vigenère cipher is easy to use, and you can add layers of transposition, fractionation, or chaffing and winnowing. These methods are all usable on paper, and the algorithms are easy to memorize, if you want to make it extra secure. So, my final question: is the password FBVOctJwPYlU correctly decoded or not? ;)
This is just exactly the same methodology you're using with crypto camouflage to hide keys. It's nice that someone was granted a patent for such a simple trick. Basically all that's required is encoding data so that its information density grows to such a level that all bits matter, which basically causes any decryption result to be valid.
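A toy illustration of that point: with a truly random original password, XOR "encryption" under any candidate key produces equally plausible noise, so a wrong guess cannot be recognized offline. (The temp passwords here are hypothetical examples.)

```python
import os

def xor(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: encryption and decryption are the same operation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

original = os.urandom(12)             # the stored password is itself random
ciphertext = xor(original, b"kissa")  # "encrypt" with a short temp_password

right = xor(ciphertext, b"kissa")     # correct key recovers the password...
wrong = xor(ciphertext, b"koira")     # ...but this output looks just as valid
assert right == original
```

Both `right` and `wrong` are twelve random-looking bytes; nothing in the data itself tells an attacker which decryption is the real one.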
Btw. I wrote this before reading the paper. Now I'll read it. And let's see how close I got to the implementation.
The paper looks good until 2.2, where they say "Conceal the public key and don't use it to encrypt verifiable plaintext"; this could be a major problem. So basically all messages encrypted should be cryptographically random binary nonces, and the public key needs to be kept secret.
2.4 was quite iffy too, but the basic point is that if the device is already compromised on the software level, they can get the key.
With a TEE they can't directly do that, but they can still probably scam the user into signing falsified information and signature requests, because the application software controls the device display.
So that's a nice way to store PKI keys securely on a device, so that having the device / its data storage won't reveal the private key, and it doesn't require too high an encryption key entropy (aka too long a key to be typed).
But isn't that just a bit overcomplicated? Using the method I mentioned above, you could basically do the same. I have a random (symmetric) private key which is encrypted with my PIN. Then the challenge nonce is hashed with this private key. The result is the same: the output response to the challenge is random and wrong if the PIN wasn't correct. The only way to know whether it was wrong is to submit it to the server which sent the challenge and see what the end result is. This is a simple method which is used with countless different service REST APIs etc. The only drawback of this much simpler approach is that the server has to know the key for verification purposes, because it's symmetric.
Both of these methods are completely insecure if the mobile device has been compromised at the OS level. They can steal the key when it's unencrypted, or they can steal the key and the PIN when the key is being accessed.
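The simpler symmetric scheme sketched above, in code. The XOR-based PIN unwrapping is illustrative only (not a real key-derivation scheme); the point is that any PIN "unwraps" to some key, and only the server, which knows the real key, can tell whether the response is right:

```python
import hashlib, hmac, os

def derive_key(stored_blob: bytes, pin: str) -> bytes:
    """Toy PIN-based (un)wrapping: XOR with a PIN-derived pad.
    Wrapping and unwrapping are the same XOR operation."""
    pad = hashlib.sha256(pin.encode()).digest()
    return bytes(a ^ b for a, b in zip(stored_blob, pad))

real_key = os.urandom(32)                  # random symmetric private key
stored = derive_key(real_key, "1234")      # what actually sits on the device

challenge = os.urandom(16)                 # nonce sent by the server
response = hmac.new(derive_key(stored, "1234"), challenge, hashlib.sha256).digest()
bad      = hmac.new(derive_key(stored, "9999"), challenge, hashlib.sha256).digest()

# The server knows real_key, so only it can distinguish right from wrong:
expected = hmac.new(real_key, challenge, hashlib.sha256).digest()
assert hmac.compare_digest(response, expected)    # right PIN: accepted
assert not hmac.compare_digest(bad, expected)     # wrong PIN: random-looking reject
```

The wrong-PIN response is indistinguishable from a right one without the server, which is exactly the camouflage property, minus the patent.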
- Thank you. It was a good read and a
little brain teaser. It was what I expected it to be, and there was a
good analysis of different attack vectors.
- Thoroughly studied Mobile ID Authentication, including APPLICATION GUIDELINE FOR ETSI’S MSS STANDARDS and Certificate & Authentication Policy (in Finnish)
I basically like the concept of mobile auth & sign, but there are a few questions. Even if the trusted execution environment (TEE) software and its secrets were 100% secure, there's another problem, which is the actual device accessing the TEE module. How well is the interaction between user and TEE protected at the OS level? What if the device is rooted, what if its operating system is backdoored? Are they still sure that this concept works flawlessly? If there isn't additional information about this protection, I would assume it's not going to work, and it is therefore inherently hackable. That's why having 100% separate hardware for authentication & message signing would be a much more secure approach. Possibly continued discussion @ Google+.
- I really like Kanban. Starting projects and tasks which you won't finish just consumes resources and therefore prevents other projects and tasks from getting finished. I have been very aware of this. Being highly selective about the projects you even start is simply being smart. - This is my opinion after a long discussion about having and starting multiple tasks which you won't ever be able to finish.
- Building a safe NFC ticketing system.
- Strong password policies?
Tapiola bank: "The password must be 6-8 characters long and must not contain special characters or the letters Å, Ä or Ö. The password must consist of letters and digits, the same character must not appear twice in a row, and the password must not be the same as the username."
S-Pankki bank: "The password must consist of 4-6 digits. The online bank does not accept number sequences consisting only of identical or consecutive digits, such as 1111 or 123456."
So S-Pankki says the password must be 4-6 digits and must not contain a series like 1111 or 123456. But the main point is that the password is limited to a maximum of 6 digits. That's great. Not.
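For scale, these policies are easy to put in bits. A rough back-of-the-envelope sketch (the 36-character alphabet for Tapiola assumes case-insensitive letters plus digits; the 94-character alphabet is a full printable-ASCII comparison point):

```python
import math

def entropy_bits(alphabet_size, length):
    """Bits of keyspace for a uniformly random password."""
    return length * math.log2(alphabet_size)

print(round(entropy_bits(10, 6), 1))   # S-Pankki max: 6 digits -> ~19.9 bits
print(round(entropy_bits(36, 8), 1))   # Tapiola max: 8 chars, a-z + 0-9 -> ~41.4 bits
print(round(entropy_bits(94, 12), 1))  # a decent 12-char password -> ~78.7 bits
```

Under 20 bits means about a million possibilities; without strict server-side lockouts, that's nothing.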
- Studied Bit rot, Soft error, Data corruption, Software brittleness, Disc rot, Hard disk error rates, Advanced Format, Triple modular redundancy. Nothing new, but I know from experience that many people totally ignore these problems.
- Reminded myself about the Technological Singularity, Strong AI, Accelerating Change and Artificial Consciousness, including Consciousness in Digital Computers (Awareness, Learning, Anticipation, Subjective experience)
- Briefly played with Scrapy, a web scraping framework, for one project which needs to collect data from web sites. Because it's a non-commercial play project, I don't want to pay expensive API fees when they offer the same data for free on the web.
- Is encryption ready for consumer use? Why wouldn't it be?
"Why is this encryption question such a hot topic? Correctly done encryption is totally or nearly seamless; it isn't a problem. You're hopefully using LinkedIn over HTTPS, Skype is encrypted, your mobile phone's air interface is encrypted, etc. So when encryption is done right, you don't even notice it. The same applies to email.
You can configure mail servers to take care of mail encryption; clients hopefully already use only encrypted connections at this point. Or if you want end-to-end encryption, you can use GPG and have messages to the contacts whose public keys you have automatically encrypted. It wouldn't be a big step to automatically fetch those public keys, but my current client app just doesn't do that yet. All these issues are easily solvable.
The technology is totally ready; it's just a question of whether people care enough to start using it. Often the only reason for not using encryption is 'I don't care, and the current solution works just fine'. Btw. Outlook and Gmail also encrypt email by default, as does my own (and my friends') server.
- Loyalty program discussion:
"Actually several businesses have been planning to implement a loyalty system. But usually at that point I turn my consulting mode on instead of blindly selling them something, and ask: what's the gain? Of course I can invoice you a lot for this system, but what do you and your customers gain from it?
Usually after a few hours of talking, they decide they don't need a loyalty system after all. Of course I would be really happy to provide one if they can tell me what the real benefits are. But often it seems that there aren't many, or they are actually too hard to exploit or utilize. So even if they did successfully collect the data, so what? If it's not used for anything meaningful, it's pointless to collect it.
I think Lidl in Finland has an absolutely great loyalty system: they just provide cheap prices and you save 15-30% instantly. You don't need to wait for months to get a great 5% cash-back."
- About temporary data storage, journaling, data persistence, etc.
"I also checked out ZODB; yes, it might be good for temporary storage. But as a main database it isn't a good option, as far as I read: it doesn't handle possible crashes properly. If you use SQLite3 as temporary storage, it's a good idea to disable journaling, but otherwise disabling journaling leads to corruption after a crash / failure. It's important to remember that tuning persistence parameters can drastically improve or lower performance. That's one of the reasons why people say that Riak is so fast: it doesn't persist data on each transaction, which in other environments is absolutely required. Based on this you can also enable write-back caching and disable journaling on temporary disk volumes. If a crash happens, just reformat the whole volume and discard all temporary data. In that case journaling and (proper) committing would only radically lower performance."
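For SQLite3 that tuning is just a couple of PRAGMAs. A sketch for throwaway temp data (the database path is a hypothetical scratch file; if the process crashes, you delete the file and restart the task):

```python
import os
import sqlite3
import tempfile

# Scratch database: durability deliberately sacrificed for speed.
path = os.path.join(tempfile.gettempdir(), "scratch.db")
db = sqlite3.connect(path)
db.execute("PRAGMA journal_mode = OFF")   # no rollback journal at all
db.execute("PRAGMA synchronous = OFF")    # don't fsync; fast but unsafe
db.execute("PRAGMA temp_store = MEMORY")  # keep temp b-trees in RAM

db.execute("CREATE TABLE IF NOT EXISTS scratch (k TEXT PRIMARY KEY, v TEXT)")
db.executemany("INSERT OR REPLACE INTO scratch VALUES (?, ?)",
               (("key%d" % i, "value") for i in range(10000)))
db.commit()
print(db.execute("SELECT COUNT(*) FROM scratch").fetchone()[0])  # 10000
```

With journaling and syncing off, bulk inserts run at memory speed; just never point this configuration at data you can't afford to lose.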
- Still a few more CCC videos, like: The Database Nation aka The State Of Surveillance in India, and Electronic Bank Robberies.
- Studied Software Defined Perimeter (SDP) (PDF) documentation from CSA.
- Do everything you can not to attach your self esteem to your startup (you’ll fail, but try anyway).
- Work in such a way that when the dust settles you can be proud of the choices you’ve made, regardless of the outcome.
- Here is one example of an ironic piece of waste: Sam Leffler's
graphics/libtiff is one of the 122 packages on the road to www/firefox,
yet the resulting Firefox browser does not render TIFF images. For
reasons I have not tried to uncover, 10 of the 122 packages need Perl
and seven need Python; one of them, devel/glib20, needs both languages
for reasons I cannot even imagine.
- Unixen—something that would take just a single flag to the ld(1)
command—the Peter Principle was applied and made it libtool's job
instead. The Peter Principle is indeed strong in this case—the source
code for devel/libtool weighs in at 414,740 lines. Half that line count
is test cases, which in principle is commendable, but in practice it is
just the Peter Principle at work: the tests elaborately explore the
functionality of the complex solution for a problem that should not
exist in the first place. Even more maddening is that 31,085 of those
lines are in a single unreadably ugly shell script called configure. The
idea is that the configure script performs approximately 200 automated
tests, so that the user is not burdened with configuring libtool
- This paper explores Tor’s vulnerability to traffic correlation attack
- Onion routing is vulnerable to an adversary who can monitor a user’s traffic as it enters and leaves the anonymity network
- Work by Murdoch and Danezis shows that traffic correlation attacks can be done quite efficiently against Tor.
HTML5 vs Native
- If you have a unique service, e.g. a specialized enterprise app, HTML5
could be ideal, a convenient way to build quickly and portably. But if
you want your user experience to really excel, native is still king –
MongoDB (Kristina Chodorow)
- “MongoDB: The Definitive Guide by Kristina Chodorow and Michael Dirolf
(O’Reilly). Copyright 2010 Kristina Chodorow and Michael Dirolf,
978-1-449-38156-1.” - Whole book read. Not many highlights, because it's hard to pick out the things that should especially stand out from this kind of large documentation. Generally indexing, cursors, queries, arrays, collections, backups, dumping and restoring, sharding, error handling, autosharding, shard keys, schema, object mapping, etc.
- named blog.posts and a separate collection named blog.authors. This is
for organizational purposes only—there is no relationship between the
blog collection (it doesn’t even have to exist) and its “children.”
- "Internet Engineering Task Force (IETF) Phillip Hallam-Baker
Internet-Draft Comodo Group Inc. Intended Status: Standards Track
September 11, 2013 Expires: March 15, 2014 PRISM-Proof Security"
- Second there is currently no infrastructure for determining that an SMTP
service offers STARTTLS support or to validate the credentials
presented by the remote server.
- At present Internet communications are typically sent in the clear
unless there is a particular confidentiality concern in which case
techniques that resist active attack are employed. A better approach
would be to always use encryption that resists passive attack,
recognizing that some applications also require resistance to active
The Phantom Protocol
- "The Phantom Protocol Version: 0.82 2011-05-24 1(68) White Paper:"
- After all, this might not happen at all (especially judging from the
(un)success rate of various attackers trying to disrupt miscellaneous
controversial distributed networks on the Internet to this date).
- Theoretically Secure Anonymization
- Known Weaknesses In this section, some of the known weaknesses and
avenues of attacking the protocol will be presented and summarized.
Remote (Jason Fried)
- If you ask people where they go when they really need to get work done,
very few will respond “the office.” If they do say the office, they’ll
include a qualifier such as “super early in the morning before anyone
gets in” or “I stay late at night after everyone’s left” or “I sneak in
on the weekend.”
- Don’t believe us? Ask around. Or ask yourself: Where do you go when you
really have to get work done? Your answer won’t be “the office in the
- Is that overpriced apartment, the motorized sardine box, and your
cubicle really worth it still? Increasingly, we believe that for many
people the answer will be no.
- Every day this kind of remote work works, and no one considers it
risky, reckless, or irresponsible. So why do so many of these same
companies that trust “outsiders” to do their critical work have such a
hard time trusting “insiders” to work from home?
- A stuffed backlog is a stale backlog.
- That’s just it—if you can’t let your employees work from home out of
fear they’ll slack off without your supervision, you’re a babysitter,
not a manager.
- In talking to a project manager without tech chops, programmers can
make a thirty-minute job sound like a week-long polar expedition,
- If you treat remote workers like second-class citizens, you’re all going to have a bad time.
- There’s also the annoyance of having every debate end with “John and I
talked about this in the office yesterday and decided that your idea
isn’t going to work.” F**k that.
- When New York City’s subway system was plagued by crime and vandalism in
the 1990s, New York’s Police Commissioner William Bratton forced his
commanders to use the subway. When they saw with their own eyes how bad
things were, change soon followed.
- If the company is full of people whom nobody trusts to make decisions
without layers of managerial review, then the company is full of the
- The fact is, it’s easy to turn work into your predominant hobby.
- The only reliable way to muster motivation is by encouraging people to work on the stuff they like and care about,
Software Defined Perimeter
- "CLOUD SECURITY ALLIANCE Software Defined Perimeter, December 2013"
- SDP mitigates the most common network-based attacks, including: server scanning, denial of service, SQL injection, OS & application vulnerability exploits, password cracking, man-in-the-middle, cross-site scripting (XSS), cross-site request forgery (CSRF), pass-the-hash, pass-the-ticket, and many others (see NIST, SANS, and more).
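The CSA document describes the gateway as default-drop: a service stays invisible until a client authorizes itself first, typically with something like single packet authorization. A rough sketch of that idea, with a hypothetical pre-shared secret and packet format (not the actual SDP wire protocol):

```python
import hashlib
import hmac
import time

# Shared secret provisioned to the client out of band (made-up value).
SECRET = b"demo-shared-secret"

def make_auth_packet(client_id: str, now: float) -> bytes:
    """Client side: a single signed packet requesting access."""
    payload = f"{client_id}|{int(now)}".encode()
    tag = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
    return payload + b"|" + tag.encode()

def verify_auth_packet(packet: bytes, now: float, max_age: int = 30) -> bool:
    """Gateway side: silently drop anything that doesn't verify.
    Until a valid packet arrives, the service is invisible to scanners."""
    try:
        client_id, ts, tag = packet.decode().rsplit("|", 2)
    except ValueError:
        return False
    payload = f"{client_id}|{ts}".encode()
    expected = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return False
    return abs(now - int(ts)) <= max_age  # reject replays of old packets

pkt = make_auth_packet("laptop-1", time.time())
ok = verify_auth_packet(pkt, time.time())
```

Because unauthorized packets get no response at all, server scanning and most of the listed network attacks simply have nothing to talk to.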
That's all the highlights from my Kindle so far, but I'm sure there will be more. I'm now spending 1-2 hours daily reading more stuff.
- Studied: Gecko: Contention-Oblivious Disk Arrays for Cloud Storage video (increased virtualization leads to increased seeks and kills performance). The video I watched a few days ago was so good that I really had to read the paper too. I really liked their design and analysis, and the final test results were quite impressive.
- Studied Intel RdRand (aka Bull Mountain), and how it's being utilized in Linux kernel.
- Studied several articles, including this one about VDI and boot storms caused by Windows updates occurring on all virtual machines at the same time. Nothing new, but it was a nice article. It also covered memory ballooning during boot storms.
- CCC.de videos: HbbTV Security, Persistent, Stealthy, Remote-controlled Dedicated Hardware Malware, Security of the IC Backside, Lasers in space, Y U NO ISP, taking back the net, Europe, the USA and Identity Ecosystems.
- Wondered about the new features in the Android 4.3 version, now that Samsung has actually released it for phones. It seems that new Android releases reach devices quite slowly.
- Troubleshot a choppy USB mouse on the Xubuntu platform. For some reason mouse events seem to get lost when the system is heavily loaded, whether on the CPU side or from swapping, etc.
- Gave away a bunch of old (3 years) XP computers to the local Linux association. Those computers, with 2 gigs of RAM and dual-core Pentium processors, work just fine with Lubuntu, or as servers without a GUI / desktop.
- Nice blog post about playing with HTML5 localStorage, even if it's not a very advanced use of it.
- Nice post about SSL/TLS and its current state, aka the TLS Survey.
- Jugaad made me really laugh. But hey, I have to be honest: I'm good at it. Thing X needs to be done with very limited resources? I'll get it done. Yes, for sure I'm cutting some corners to get what's required done, but usually it works out just fine. Maybe it isn't an elegant or high-tech solution, but it simply does what's required. Quickly, cheaply and efficiently.
One example is a situation where two systems communicate with each other, both have stuff hard coded, and then some update breaks the interoperability. Both teams managing their integrations are stubborn, and it's otherwise hard to get any fix delivered quickly. What will I do? Well, I'll write a simple message proxy which fixes the problem. It's not a perfect solution, it's a hack, but it just works. The system is back in production, while it might take half a year, or be ridiculously expensive, to get an official fix into either of the integration partners' software.
In one case, we were already delivering data X to Y, but then there was a requirement to also send the same data to Z. The engineers said it's impossible, it's so complex and hard: we have only one transmission flag in the database, etc. Blah blah. I did just what I did in the previous project: I added a proxy with its own database. Now it stores the messages and forwards them asynchronously to two different destinations. It doesn't add much delay, guarantees retransmission in case of temporary failure, and maintains the queues for Y and Z separately. It wasn't hard at all, and at least it was nowhere near as impossible as the engineers claimed. A hack and yet another layer, yes, but it works out beautifully.
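The proxy from both stories can be sketched in a few lines: accept a message once, queue it per destination, and forward with retries. This is only an illustration of the shape of it; in-memory queues stand in for the real database and all the names are made up:

```python
import queue

class StoreAndForwardProxy:
    """Sketch of the proxy described above: accept a message once,
    persist it (here: an in-memory queue standing in for the database),
    and forward it to each destination independently, with retries."""

    def __init__(self, destinations):
        # One independent queue per destination (Y and Z in the story),
        # so a slow or failing destination doesn't block the others.
        self.queues = {name: queue.Queue() for name in destinations}
        self.destinations = destinations

    def accept(self, message):
        for q in self.queues.values():
            q.put(message)

    def drain(self, name, max_retries=3):
        """Deliver everything queued for one destination,
        retrying each message on temporary failure."""
        delivered = []
        send = self.destinations[name]
        while not self.queues[name].empty():
            msg = self.queues[name].get()
            for attempt in range(max_retries):
                try:
                    send(msg)
                    delivered.append(msg)
                    break
                except IOError:
                    continue  # temporary failure: try again
        return delivered

received_y, received_z = [], []
proxy = StoreAndForwardProxy({"Y": received_y.append, "Z": received_z.append})
proxy.accept({"order": 1})
proxy.accept({"order": 2})
proxy.drain("Y")
proxy.drain("Z")
```

The whole trick is that neither upstream system needs to know Z exists; only the proxy's configuration changes.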
- Played with isapi-wsgi. But the integration APIs being used are so low-traffic anyway that I'll probably use traditional CGI. Not a perfect solution, but a very simple one that is easy to configure and understand. In this situation it doesn't really make any difference.
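For reference, a WSGI endpoint is just a callable, which is what makes it easy to host under isapi-wsgi, a CGI wrapper, or anything else. A minimal sketch (the path and response text are made up):

```python
def application(environ, start_response):
    """Minimal WSGI app: the kind of low-traffic integration endpoint
    discussed above could be served this way or as plain CGI."""
    path = environ.get("PATH_INFO", "/")
    body = f"hello from {path}".encode()
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Length", str(len(body)))])
    return [body]

# WSGI apps are plain callables, so they're easy to test without a server:
captured = {}
def fake_start_response(status, headers):
    captured["status"] = status
    captured["headers"] = headers

result = b"".join(application({"PATH_INFO": "/api/ping"}, fake_start_response))
```

The same callable runs unchanged under any WSGI host, which is the main argument for it over raw CGI even when the traffic doesn't demand it.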
- For one service, which is a real-time user service and therefore latency-critical, I made a prepared denormalized data set, and now queries run at least 100x faster.
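Since the actual data set isn't shown, here's a generic illustration of the idea with a hypothetical SQLite schema: precompute the join and aggregation into a flat table, so the latency-critical read path becomes a plain indexed lookup instead of a join.

```python
import sqlite3

conn = sqlite3.connect(":memory:")
conn.executescript("""
    CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT);
    CREATE TABLE orders (user_id INTEGER, amount INTEGER);
    INSERT INTO users VALUES (1, 'alice'), (2, 'bob');
    INSERT INTO orders VALUES (1, 10), (1, 15), (2, 7);
""")

# Normalized read path: join + aggregate on every single query.
slow = conn.execute("""
    SELECT u.name, COALESCE(SUM(o.amount), 0)
    FROM users u LEFT JOIN orders o ON o.user_id = u.id
    GROUP BY u.id ORDER BY u.id
""").fetchall()

# Denormalized read path: precompute the same answer into a flat table
# (refreshed whenever the source data changes); reads become key lookups.
conn.executescript("""
    CREATE TABLE user_totals AS
    SELECT u.id AS id, u.name AS name, COALESCE(SUM(o.amount), 0) AS total
    FROM users u LEFT JOIN orders o ON o.user_id = u.id
    GROUP BY u.id;
    CREATE UNIQUE INDEX idx_user_totals ON user_totals(id);
""")
fast = conn.execute("SELECT name, total FROM user_totals ORDER BY id").fetchall()
```

The cost is moved to write/refresh time, which is usually the right trade for a read-heavy, latency-critical service.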
- There's something strange with UltraDefrag. Quick optimize and full optimize completely peg the CPU while practically nothing happens; running a full optimization would take a very long time, even though I have only about 20,000 files on the system. I think there has to be some kind of problem with the algorithm they're using. One factor that might affect it is the use of NTFS compression, but it really shouldn't, and all other defragmenters run just fine with that disk / file system.
- Read a bit of MS documentation: Remote Desktop Services Overview, What's New in Remote Desktop Services
in Windows Server 2012 R2, Test Lab Guide: Virtual Desktop
Infrastructure Quick Start, Test Lab Guide: Remote Desktop Services
Session Virtualization Quick Start, Test Lab Guide: Remote Desktop
Services Session Virtualization Standard Deployment, Test Lab Guide:
Remote Desktop Services Publishing, Test Lab Guide: Remote Desktop
Services Licensing, Windows Server 2012 Capacity Planning for VDI White
Paper. All can be found on the MS VDI page about their virtual desktop infrastructure (VDI) solution. Also see: RDS as DaaS replacement.
- Modern operating systems and SWAP. I sometimes love to put things in "other words", so it's easier to understand what it's all about.
Using swap doesn't mean that you're running out of memory. It means that it's more efficient to actually use RAM than to keep it reserved for things that aren't used. It's just like maintaining your home: why do you keep stuff in the cellar or attic? Why don't you have everything in the middle of the living room? That's right. There are programs which reserve potentially a lot of RAM but never actually use it, and there are things like the disk cache, which can potentially utilize as much memory as you have disk space on your system. So it makes sense to literally swap: you put in the cellar the stuff that has sat in your living room for two months and that a friend is picking up tomorrow, and you fetch the baby or dog supplies from the attic and bring them to the hallway. Now the space is utilized more efficiently, even though you never exactly ran out of it in the first place.
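On Linux this split is visible in /proc/meminfo: a lot of Cached plus some used swap just means the kernel preferred disk cache over keeping idle pages in RAM. A small parser sketch, run here against made-up sample values so it works anywhere:

```python
# Sample lines in the format of Linux /proc/meminfo (values are made up).
SAMPLE = """\
MemTotal:        8000000 kB
MemFree:          200000 kB
Cached:          4500000 kB
SwapTotal:       2000000 kB
SwapFree:        1500000 kB
"""

def parse_meminfo(text):
    """Parse 'Key:  value kB' lines into a dict of kilobyte counts."""
    info = {}
    for line in text.splitlines():
        key, _, rest = line.partition(":")
        info[key.strip()] = int(rest.split()[0])
    return info

mem = parse_meminfo(SAMPLE)
# Little free memory is not a problem here: most RAM is disk cache,
# and the kernel swapped out some idle pages to make room for it.
swap_used_kb = mem["SwapTotal"] - mem["SwapFree"]
```

In this sample the box looks "out of memory" at a glance, yet over half the RAM is cache that can be reclaimed instantly.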
- Studied the Python 3.4b2 release notes. The interesting parts are pip and asyncio, plus the feature freeze.
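A minimal taste of asyncio: in 3.4 coroutines were spelled with @asyncio.coroutine and yield from, while current Python uses async/await for the same single-threaded event loop idea.

```python
import asyncio

async def fetch(name, delay):
    await asyncio.sleep(delay)  # stands in for a network call
    return f"{name} done"

async def main():
    # Both "requests" wait concurrently on one event loop, in one thread.
    return await asyncio.gather(fetch("a", 0.01), fetch("b", 0.01))

results = asyncio.run(main())
```

The point of putting this in the standard library was a common event loop that frameworks like Tornado and Twisted could interoperate with.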
- The Pirate Bay is again building a distributed solution, though not yet a fully distributed one. It's actually quite an interesting hybrid: it distributes a fixed version of the site, which is cached locally and can be updated easily. I wonder how search functions etc. will work with this solution, or if it's more like a static snapshot; if it is, Freenet would have been just as good a solution. The good thing about this solution is that it can be used to distribute sites other than TPB too, the ones that currently hide in Tor, I2P or Freenet land. I'm just not sure whether its security is anonymous enough; from the information I have read about the project so far, I assume it doesn't provide proper anonymity.
What I still would have liked to see is a fully distributed TPB client solution which runs locally, updates data using a DHT, communicates with other clients, secures the data with PKI signatures, etc. So it could be just like the TPB website, but written as a completely distributed client.
- Can you outsource your IT? Great question, and it's also a good point what is considered to be outsourcing.
Outsourcing, subcontracting, etc.: it's a great overall question. Why are you outsourcing your operating system? Can't you build one in house? It's always a question of efficiency
and scale, benefits versus problems. We have seen this in many, many projects: why are so many mobile operating systems based on the Linux kernel? They're outsourcing their kernel development. Couldn't they build one themselves? In light of the NSA stuff it's a really great question. Do you really trust the firewall, network equipment, operating system and hardware manufacturers? Or should you do that stuff in house as well? Is it any different if you run Exchange 'in house' on a dedicated hardware server, or in a 'private' or 'public' cloud? At any time there can be a remotely accessible backdoor, and even if there isn't, the next software update can deploy one. And if you hastily build a system in house, it's probably even worse by security standards. Tough decisions.
- About Python threads vs processes: well, it depends on what the best solution is for the task. Threading can consume a lot fewer resources on I/O-intensive tasks with a large number of threads, and cross-thread communication is much lighter than cross-process. But as we all know, there's the GIL, which makes multiprocessing essential for CPU-bound work. That's why I don't even consider using threading for ETL tasks.
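The reason threads still pay off for I/O is that the GIL is released while a thread blocks; only the execution of Python bytecode is serialized. A tiny illustration, where time.sleep stands in for I/O:

```python
import threading
import time

def io_task(results, i):
    time.sleep(0.1)     # the GIL is released while blocked here
    results[i] = i * i  # a tiny bit of Python work per task

results = [None] * 10
start = time.monotonic()
threads = [threading.Thread(target=io_task, args=(results, i))
           for i in range(10)]
for t in threads:
    t.start()
for t in threads:
    t.join()
elapsed = time.monotonic() - start
# Ten 0.1 s "I/O waits" overlap: wall time stays near 0.1 s, not 1 s.
```

Replace the sleep with a CPU-bound loop and the threads run one at a time instead, which is exactly why ETL-style number crunching calls for processes.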
- Wondered again about horrible mobile pages, which are absolutely crappy. Many sites forward users to the wrong destination: if I try to access example.com/page-a, there's a pop-up asking if I want to use the mobile version. Yeah, why not. But why, why, why do they then redirect me to m.example.com/? I just lost the reference to the article I was going to read. Such poor usability is horrible. Also had a few discussions about the topic on UbuntuForums & Google+.
- Studied the TCP-32764 backdoor case. Interesting stuff: does a *hardware* firewall make your networks safe? - Nope.
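Incidentally, checking whether one of your own devices exposes the TCP-32764 port takes only a TCP connect attempt. A sketch, demonstrated against a throwaway local listener instead of a real router:

```python
import socket

def port_open(host, port, timeout=1.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

# Demonstrate against a local listener rather than real hardware.
listener = socket.socket()
listener.bind(("127.0.0.1", 0))  # grab any free port
listener.listen(1)
port = listener.getsockname()[1]
found = port_open("127.0.0.1", port)
listener.close()
```

In the real case you'd probe the router's LAN address for port 32764, ideally from both the LAN and WAN side.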
- The year 2013 in crypto slides (PDF).
- Finished reading Remote. I'll blog a few highlights a bit later in a separate post.
- Digital Ocean seems to fail to isolate client data properly. - That's bad, and things like that give all cloud services a bad reputation. I have been seriously considering moving my private server to Digital Ocean, but maybe it's not such a great idea after all.
- Secure Erase isn't always so secure. Those in high-risk, high-sensitivity situations should assume that a
“secure-erase” of a card is insufficient to guarantee the complete
erasure of sensitive data. Therefore, it’s recommended to dispose of
memory cards through total physical destruction (e.g., grind it up with
a mortar and pestle).
- Studied GNU Name System (GNS) and video.
- Checked out the HEVC, Daala and VP9 video codecs on a basic level.
- Studied the concept of Parallel Construction. It's neat: they can use whatever information they have. Nothing new yet.
- Funny article about Can-do versus Can't-do culture. Historically, it seems, rejecting new concepts and technologies is not a good idea.
- Watched many USENIX FAST '13 Technical Sessions, like: Keynote, SSD reliability under power fault, Caching, Fast File System Checker (rethinking how things should be done can make them more efficient by an order of magnitude!), Memory Efficient Sanitization and Deduplication of Data, HARDFS, Horus, Deduplication, File Recipe Compression, Virtual Machine Workloads and NAS performance, Improving Chunk-Based Backup Restore Speed (it would be nice if Duplicati utilized this technique), To ZIP or Not to ZIP (real-time compression), SSD Error Correction Codes, Performance Improvements and Measurements, A Study of Linux File System Evolution, Workload-Independent Storage using VT-Trees, Warming Up Storage-Level Caches with Bonfire, Unioning of the Buffer Cache and Journaling Layers with Non-volatile Memory, and Write Policies for Host-Side Flash Caches.
These are really high-quality, easy-to-understand talks, recommended watching for every IT person. There was good stuff to watch for several days, instead of watching some mindless junk from TV.
- Really old stories: in one customer case we talked about using a virtual server from the customer's private cloud. Well, it turned out that getting a VPS from the private cloud would take about three weeks. So what did we do? We just went to a shop, bought a powerful workstation and used that. Problem solved in under two hours instead of three weeks. So, is it faster to get physical or cloud services? It depends; all the benefits of a private cloud can be totally hindered by complex and slow policies and processes.
- Really old stories: once, when installing software in a data center from a CD-RW disk, I caused quite a panic among their IT staff. What did I do? Well, I tried to run my application as Administrator from the CD-RW disk and got the message "Program too big to fit in memory". They went berserk: they thought the binary was virus-infected and that their network would now get infected from the inside. But I knew what the problem was. It wasn't my binary that was broken, and it wasn't the disk; it was the Compaq server's CD-ROM drive. I don't really know what's wrong with those, but I have seen the same problem on many occasions: those drives do corrupt data, so it's clear there's something wrong with the CD error correction. Well, in this case the disk I brought was first fully scanned for viruses, many servers were checked, and firewall monitoring & logs were reviewed. Nothing was found, obviously. After I read the files with another CD drive and saved them to the server, everything worked as usual. Btw, I have encountered this exact problem only with Compaq servers, so I guess they share similarly buggy CD-drive firmware.
- Have you encountered enragingly crappy mobile sites? I know a few Finnish news sites whose mobile implementations are especially bad. The first major mistake: if I'm browsing news on the desktop and then open the same article URL on my mobile, the site asks if I want to open the mobile version. Well, I answer yes. But then the front page of the site opens in mobile mode. Why on earth don't they open the news article I was originally trying to visit? Instead they ruined my user experience by offering the mobile version of the site.
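Fixing this is not hard: just keep the path and query string when switching to the mobile host. A sketch with a hypothetical mobile hostname:

```python
from urllib.parse import urlsplit, urlunsplit

def to_mobile(url, mobile_host="m.example.com"):
    """Redirect target for the mobile site that keeps the article path
    and query string instead of dumping the visitor on the front page."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, mobile_host, parts.path,
                       parts.query, parts.fragment))

target = to_mobile("http://example.com/page-a?id=42")
```

One line of URL rewriting in the redirect handler, and the reader lands on the article they asked for.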