Blog

My personal blog about stuff I do, like and am interested in. If you have any questions, feel free to mail me! My views and opinions are naturally my own and do not represent anyone else or any other organization.


SPA, QUIC, 6rd, REST, Slush 2014, Cables, Just a Hobby Project

posted Nov 23, 2014, 5:03 AM by Sami Lehtinen   [ updated Nov 23, 2014, 5:05 AM ]

Nice post: 7 principles of Single Page Applications (SPA)

Studied QUIC, which is basically SPDY over UDP. You'll find the reasons and benefits in the documentation.

Studied IPv6 Rapid Deployment (6rd). Why? One of the ISPs I'm using is now providing IPv6 addresses using it. This is basically along the lines I was thinking earlier: if ISPs won't provide native IPv6, every operator could still provide their own 6to4 gateway to guarantee service levels. 6rd is basically just that.

Wondered about some database administrators' best practices, which are quite crazy, afaik. What to do if the database engine is shutting down too slowly? Well, let's kill the process, delete the journal and restart it. Why do we delete the commit journal? Well, because moving committed transactions from the journal to the database files is a slow operation. So if we call a normal shutdown or start the system with the uncommitted journal, the tasks are slow. It's better to kill the database engine, delete the journal and restart it. This guarantees a swift database service restart. - Uh, arf, om(f)g.

Studied: REST best practices. - Quite a short and obvious list, if you've been doing this stuff for years.

Thought about things like the digital economy and the concept of the real-time economy, and which things will dominate future trading on the net. They talked a lot about this at the Slush event too, #Slush14.

Watched Mikko Hyppönen's talk at #Slush14 about the Internet's future, startups, security threats, etc. As well as Harri Hursti's talk about how many different kinds of attacks can be mounted over USB (sticks, mobile phones, etc.). Basically USB devices can infect or be infected by any other device they get connected to. Don't share your USB devices, don't use others' USB devices and remember to use a USB condom.

Checked out: Arctic Fiber project. - This is a great competitor to ROTACS, which could be routed through Finland. It seems that Russia and Canada are also very interested in getting the cables deployed for multiple political reasons.

Hobby Project: I also programmed a lot. I'm helping my friends to launch their hobby project. Lots of work, git commits, pushes, pulls, docker containers, virtual servers, etc. Working with JSON, DHT, jQuery, peewee, Python 3, Bottle, Angular, Tornado and coordinating the whole project globally with a small yet very agile and productive team. I don't know when the project will be ready. Let's say it's 90% ready, so finishing the last 10% will take about 100% more work. Eh, as usual. No really, there are just a few minor show stoppers which make the end user web app usability so bad it's not ready for release. Technically everything on the server side is already fully working. Soon, maybe. Technically the project has already been running for two weeks but under wraps, with a closed private beta for feedback and testing using mobile devices and browsers on different platforms.

OpenBazaar, Onymous, WorldVu, Telegram, BitCoin, NVM Express, AWS Lambda, ECS, CDN

posted Nov 15, 2014, 10:36 PM by Sami Lehtinen   [ updated Nov 23, 2014, 4:52 AM ]

Shorter entries:

  • Thoroughly studied OpenBazaar documentation and source code. Also see the marketing site OpenBazaar.org
    It's really painful; many things are so badly named that it's very hard to find any real patterns without extensive study and testing. Well, I made it. But there are many things to fix. The code also seems to be leaking, and for some strange reason hangs so that peers can't connect anymore and contracts won't get stored. This means that the process requires frequent restarts. Yay! Otherwise you'll run out of memory, file handles, etc. - As they said, naming things is hard; the current terminology is an absolutely horrible mess. It took me several hours to figure out some of the basics, because totally different naming conventions are used in separate parts of the program, as well as mixed snake_case and CamelCase even in JSON messages. Some messages (with practically similar content) use lists, some messages use dictionaries for the same purposes, and so on. As an example, result message types: store, "store_contract", "peers" (list with dictionaries), "foundNodes" (list with lists). Some parts of the documentation use XML, even if the program itself only uses JSON; the list goes on. Sometimes stuff is called contracts, products, listings or items? And in some cases peers, nodes, markets, stores, pages. Ugh, are we having fun yet? JSON messages have linefeeds \n in the middle of data, which need to be stripped (field: PGPPubKey), etc.
  • Operation Onymous
  • Swedish Visby class corvettes
  • WorldVu Satellite Constellation - Because SpaceX is talking about a dense worldwide low orbit satellite network
  • Lightly studied Google Container Engine - Seems to be a great solution. I just wonder when OpenBazaar will be available so you can easily "drop" your "shop" to any docker hosting. Btw. the OpenBazaar project already contains a directory with docker stuff, so it's quite clear they have thought about it.
  • Telegram Cryptanalysis Analysis. It has great examples of what not to do. Also the current $300,000 for Cracking Telegram Encryption contest is quite interesting.
  • A great example of how Bitcoin DoS protection can actually make you vulnerable by allowing you to connect only to the attacker's own nodes.
  • Designing secure P2P networks is really hard, because every decision has its own pros and cons which may not be clear at all.
  • NVM Express SSD interface
  • Quickly checked out Amazon AWS Lambda and Amazon EC2 Container Service (ECS)
  • CDN services by CDNetworks - They have a really dense network of hubs, even if the service seems to be quite unknown compared to other players in the market. It's one of the CDN networks which also covers Africa, South America and China using several hubs.
WebSockets stuff:

GET /ws HTTP/1.1
Host: localhost
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==
Origin: http://localhost:8888
Sec-WebSocket-Protocol: ws
Sec-WebSocket-Version: 13

Websockets.py (websocket-client-py3 0.10.0): fixed several things which are more or less broken:

Fixed the hostport parameter value, which is sent with the Origin header value. Basically removed the port number:

if True: # Was: port == 80:

At least the Tornado webserver doesn't want to see the port number in the Host header when using web sockets. This hasn't been fixed in the latest version, or maybe it's a bug on Tornado's side? Don't know, didn't check, works now. It seems that a nonstandard port should be reported in the Host header. So the fail isn't in websockets.py actually; it's on Tornado's side?

1:
        if traceEnabled:
            logger.debug("send: " + repr(data))
2:
        while data:
            l = self.sock.send(data)
            data = data[l:]

Swapped the places of 1 and 2, because in the original code the trace statement was after the while loop, and naturally the data field was empty at that point. It seems that this fail has been fixed in version 0.15.0 of the websocket client py3 library. Currently using version 0.21.
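An added example, not code from websocket-client or Tornado: a minimal client-side handshake in Python that follows RFC 6455 for the Host and Origin values (port only when it is not the default), checks the server's Sec-WebSocket-Accept before treating the connection as open, and has the send loop with the trace placed before the loop drains the buffer. ChunkySocket is a constructed stand-in for a socket that only accepts a few bytes per send.

```python
import base64
import hashlib
import logging
import os

# Fixed GUID from RFC 6455 section 1.3, used to derive Sec-WebSocket-Accept.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

logger = logging.getLogger("ws_example")


def host_header(host, port, secure=False):
    """RFC 6455 4.1: the Host value carries the port only when it is not the default."""
    default = 443 if secure else 80
    return host if port == default else f"{host}:{port}"


def origin_header(host, port, secure=False):
    """RFC 6454 origin serialization: scheme://host[:port], port omitted when default."""
    scheme = "https" if secure else "http"
    return f"{scheme}://{host_header(host, port, secure)}"


def new_key():
    """Sec-WebSocket-Key is 16 random bytes, base64 encoded (RFC 6455 4.1)."""
    return base64.b64encode(os.urandom(16)).decode("ascii")


def expected_accept(key):
    """Sec-WebSocket-Accept = base64(sha1(key + GUID)); proves the server spoke WebSocket."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def build_handshake(host, port, path="/ws", key=None, secure=False, subprotocol=None):
    """Return (request_bytes_as_str, key) for the opening handshake shown in the post."""
    key = key or new_key()
    lines = [
        f"GET {path} HTTP/1.1",
        f"Host: {host_header(host, port, secure)}",
        "Upgrade: websocket",
        "Connection: Upgrade",
        f"Sec-WebSocket-Key: {key}",
        f"Origin: {origin_header(host, port, secure)}",
    ]
    if subprotocol:
        lines.append(f"Sec-WebSocket-Protocol: {subprotocol}")
    lines.append("Sec-WebSocket-Version: 13")
    return "\r\n".join(lines) + "\r\n\r\n", key


def check_server_response(response, key):
    """Client-side check: 101 status, Upgrade/Connection headers and an Accept value
    derived from our key. A proxy or plain HTTP server answering the request fails
    here instead of being mistaken for an open WebSocket."""
    head, _, _ = response.partition("\r\n\r\n")
    status, *header_lines = head.split("\r\n")
    if not status.startswith("HTTP/1.1 101"):
        return False
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return (
        headers.get("upgrade", "").lower() == "websocket"
        and "upgrade" in headers.get("connection", "").lower()
        and headers.get("sec-websocket-accept") == expected_accept(key)
    )


def send_all(sock, data):
    """Send loop from the post, with the trace *before* the loop empties `data`."""
    logger.debug("send: %r", data)
    total = 0
    while data:
        sent = sock.send(data)
        data = data[sent:]
        total += sent
    return total


class ChunkySocket:
    """Constructed stand-in for a socket that accepts at most `chunk` bytes per send()."""

    def __init__(self, chunk):
        self.chunk = chunk
        self.received = b""

    def send(self, data):
        self.received += data[: self.chunk]
        return min(self.chunk, len(data))
```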

.NET, Peewee ORM, Machine Learning, GPG ECC, Neural Networks, Crypto101, OpenBazaar

posted Nov 8, 2014, 9:05 AM by Sami Lehtinen   [ updated Nov 8, 2014, 10:17 AM ]

  • One of the reasons why I hate .NET. Installing .NET on Windows Servers requires that you'll be running an IIS Web Server on that server. Afaik, that's not a great way to reduce the attack surface on servers. All servers are then running publicly reachable web servers with default settings. All this, because the .NET installation requires it. - Arf!
  • I guessed someone would do it. I was talking about a pure Python version, but here's the Spritz cipher in pure JavaScript @ GitHub: spritzjs
  • Selecting non-referenced entries, using Peewee ORM
    It seems that I'm having a hard time doing one kind of data lookup with Peewee ORM.
    Table A contains "id", Table B contains foreign key fields fk1, fk2...
    How do I find all A's which aren't referenced by B, and what's the most efficient way of doing it? Of course I can pull a list of all keys in B and then select from A which are not ["in" / "<<"] that set. But that's hardly the smartest way of doing it. It gets horrible if I've got 100k keys. First I'll have to dig up a list of 500k keys and then compare those to 100k keys etc. The worst part of this is that I'm actually building an object list, which naturally can't be optimized anymore by the SQL query engine.
    Or maybe I should run 5 separate queries collecting fk1, fk2 and so on and then query where not in the set of five lists, or make a separate OR statement for each list. I haven't tried that yet. It would still allow the mess to be optimized by the SQL query engine, because I haven't executed any of those statements separately.
    I've tried many things and joins don't seem to work well in cases where there's no foreign key reference. But is there a perfect solution for what I'm asking? Maybe I'm just not figuring out the right mindset, or I'm approaching this case from some kind of weird or restricted angle?
    Yes, and yes. If I were using pure SQL I could do this easily using a left outer join. But in this case I'm not. I'm using Peewee ORM, which sets its own limitations on joining.
  • Created Google+ Peewee ORM Users Community
  • Interesting article about Machine Learning, Pattern Recognition and Deep Neural Networks
    As we know, the results we get from Big Data and Neural Networks are often true black box results. Nobody really knows why we're getting what we're getting.
  • Read Hacker's guide to Neural Networks
  • Studied the Crypto101.io document. I'm glad it didn't contain anything that would be new to me. Yes, I don't remember / know all the exact minor details, like the exact differences between different pseudorandom generator implementations. But in general, it didn't bring anything new to the table.
  • Finally GnuPG 2.1 has been released with Elliptic Curve Cryptography (ECC) support! But there aren't any other OpenPGP compatible implementations with ECC features out yet. So ECC keys will have very limited use for a while. When that's delivered with the standard Ubuntu repositories, I'll generate my new ECC keys using Brainpool P-512 (brainpoolP512r1).
  • OpenBazaar is a distributed online trading platform, which also makes it a censorship-resistant marketplace. No fees and everything goes. This is the future as far as I can see. If you see my older posts, I've been wondering why The Pirate Bay (TPB) continues to operate a website. Wouldn't it have been much better to create a fully distributed, encrypted, peer-to-peer network, where you simply can't track who's sharing and downloading what, just as Freenet does, but especially designed for peer-to-peer distribution & potential trading? It could have contained features for digital trading and reputation systems etc. But this is it, basically the same concept, but not tied only to file trading. So in this sense, this is a better, more generalized solution.
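For the Peewee question above (rows of A that no fk column of B references), an added example that is neither the author's code nor Peewee's: the three SQL shapes the post weighs, run with stdlib sqlite3 on a constructed schema so the query engine does the work instead of a Python object list. The NOT IN variant is included mainly for its trap: one NULL foreign key in B makes the whole result empty. Peewee can emit any of these as subqueries, but the point here is what the SQL engine does with them.

```python
import sqlite3

# Constructed sample schema: table a holds the ids, table b refers to a through
# several nullable foreign-key columns (fk1, fk2, fk3), as in the post.
SCHEMA = """
CREATE TABLE a (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE b (id INTEGER PRIMARY KEY,
                fk1 INTEGER REFERENCES a(id),
                fk2 INTEGER REFERENCES a(id),
                fk3 INTEGER REFERENCES a(id));
CREATE INDEX b_fk1 ON b(fk1);
CREATE INDEX b_fk2 ON b(fk2);
CREATE INDEX b_fk3 ON b(fk3);
"""

SAMPLE_A = [(1, "one"), (2, "two"), (3, "three"), (4, "four"), (5, "five")]
# Constructed rows: a.id 1, 2 and 4 are referenced; 3 and 5 are not.
# The NULL fk values are what break the naive NOT IN query below.
SAMPLE_B = [(1, 1, None, None), (2, 2, 4, None), (3, None, None, None)]

FK_COLUMNS = ("fk1", "fk2", "fk3")


def open_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO a VALUES (?, ?)", SAMPLE_A)
    conn.executemany("INSERT INTO b VALUES (?, ?, ?, ?)", SAMPLE_B)
    return conn


def unreferenced_via_not_exists(conn):
    """One correlated NOT EXISTS per fk column: the planner can use the fk indexes,
    nothing is materialised in Python, and NULL fk values are harmless."""
    conds = " AND ".join(
        f"NOT EXISTS (SELECT 1 FROM b WHERE b.{col} = a.id)" for col in FK_COLUMNS
    )
    sql = f"SELECT a.id FROM a WHERE {conds} ORDER BY a.id"
    return [row[0] for row in conn.execute(sql)]


def unreferenced_via_left_join(conn):
    """The LEFT OUTER JOIN form the post mentions, one join alias per fk column;
    an A row is unreferenced when every joined B side is NULL."""
    joins = " ".join(
        f"LEFT JOIN b AS b{i} ON b{i}.{col} = a.id" for i, col in enumerate(FK_COLUMNS)
    )
    nulls = " AND ".join(f"b{i}.id IS NULL" for i in range(len(FK_COLUMNS)))
    sql = f"SELECT a.id FROM a {joins} WHERE {nulls} ORDER BY a.id"
    return [row[0] for row in conn.execute(sql)]


def unreferenced_via_not_in(conn, filter_nulls):
    """NOT IN over a UNION of the fk columns. Without the IS NOT NULL guard a single
    NULL in the subquery makes `id NOT IN (...)` unknown for every row, so the
    query silently returns nothing instead of an error."""
    guard = " WHERE {col} IS NOT NULL" if filter_nulls else ""
    union = " UNION ".join(f"SELECT {col} FROM b" + guard.format(col=col) for col in FK_COLUMNS)
    sql = f"SELECT id FROM a WHERE id NOT IN ({union}) ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    db = open_sample_db()
    print("NOT EXISTS  :", unreferenced_via_not_exists(db))
    print("LEFT JOIN   :", unreferenced_via_left_join(db))
    print("NOT IN guard:", unreferenced_via_not_in(db, filter_nulls=True))
    print("NOT IN naive:", unreferenced_via_not_in(db, filter_nulls=False))
```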

HTTP/2, AWS, ECDSA, SQLite, ARTS, CloudFlare, Cryptography, Duplicati 2.0, EmailRelay

posted Nov 4, 2014, 7:29 AM by Sami Lehtinen   [ updated Nov 4, 2014, 7:43 AM ]

  • HTTP/2 all the things, a great presentation about HTTP/2 - Thoroughly studied the document and thought about how it would affect things (web app / page development) in the future.
  • Studied AWS Directory Service - Yet it seems that I most probably don't have any use for it.
  • Played a little with the Python-ECDSA library; it seems to work and does what it promises. It's a good question if there's any sense in doing crypto in pure Python, because it's slow. But on the other hand, it's also ultimately portable. So if Python runs, the libs work too. There have been so many problems on different platforms with libraries which include C parts or depend on other libraries already included in the OS. This library doesn't provide encryption, but it can be easily used for strong authentication. It was also exceptionally easy to use. I don't have a strong use case for this particular library. But it was fun to toy with it.
    It's actually quite similar to what I would do if I created that Spritz library. Limited use, pure Python, but can be handy in some special cases. And you'll really learn the internals of things when writing the implementation yourself.
  • Tried to play with PyFiglet, but it didn't work out easily enough. Maybe I'll retry a bit later, but this is just the reason why I like versatile generic pure Python implementations, so it works always and everywhere. Things which are only thin Python wrappers for something which requires much more work to get working aren't always much fun.
  • Had some fun with SQLiteCipher. Yet I don't see it as very useful in my case. If you have full access to the system with the database, you can usually read the source code and the encryption keys being used as well. So it's more or less the classical failure of "data is encrypted". Yes it is, but the keys are way too easily available. Also it naturally provides no protection against SQL injections etc.
  • Studied ARTS XML Digital Receipt Charter v 2.0 Links [ 1, 2 ] - Didn't provide anything at all that I wouldn't have known already.
  • Toyed with Python web apps. One interesting solution to replace Nginx in front of uWSGI is to use CloudFlare as the front end server. It can globally distribute all static content with a long cache TTL and only dynamic content is served from the primary uWSGI server. This is quite an excellent solution for small sites with light servers. Also checked the situation of uWSGI and HTTP/2, seemed quite messy. Well, maybe one day there will be a solution.
  • "Making sure crypto stays insecure" by Daniel J. Bernstein. Super interesting presentation about how systems are designed to be and stay insecure on purpose.
  • Studied and tested Duplicati 2.0 Storage Engine - Storage format description [PDF] - Google+ Discussion
    Quote:
    "I'm just wondering if the Duplicati guys have thought about creating a Duplicati server. What? Server? Yes, I don't now mean the service, or 'backup server'. But I do mean a server with a custom protocol. Why? What's the benefit? Well, the benefit is that the server module can compact storage space without retransmitting data over the network. That's exactly why some data transfer methods are much more efficient than others, but those usually require custom software at both ends. I'm personally running the servers creating the backups, as well as the server (at another location) which stores the backup data. Using this kind of solution would save a lot of bandwidth.
    Quickly it sounds like it would use more bandwidth and disk space. But of course it depends on your settings. In my case I'm currently saving 3 full backups and daily incrementals. So it would quite surely save me quite a lot of bandwidth.
    But based on this, as soon as a stable version is released I'll have to upgrade systems to use it. I'll also really love the new command line. I'm currently using the GUI version on Windows servers and command line (Duplicity) only on Linux, because it was immediately obvious that the old command line was so complex that the average Windows Administrator simply can't handle it.
    I've also always loved Duplicati's Trust No One (TNO) design, where all cloud stored data is strongly encrypted."
  • Configured EmailRelay - What did I just write about parameters and Windows admins? Yeah, here's another enjoyable task: the EmailRelay parameter reference. It didn't take too long to configure it, but I guess it would have still been hard for most Windows admins. It seems that some ISPs are dropping support for SMTP, just as they dropped their own NNTP and IRC servers a long time ago. So, if you want to run a mail server, you're out of luck. Many ISPs also block TCP/25 aka the SMTP port and so on. The solution was to run emailrelay on site, which has an MTA and allows it to be used. I just used an alternate port, mandatory STARTTLS and strong login credentials to authenticate the user. Problem solved. Now email can be easily delivered from almost any place without making it hard for anyone. I also pre-generated a list of 10k email credentials, so nobody needs to be bothered with creating new accounts for a while.

Facebook & Tor, Spritz, Python, TextSecure, Mobile users, Software testing, IoT

posted Nov 2, 2014, 8:24 AM by Sami Lehtinen   [ updated Nov 2, 2014, 8:24 AM ]

  • Using Facebook anonymously via Tor is quite surely a failure. The site is designed to spy on you. So everything they do is the total absolute opposite of what's required for private, secure and anonymous communication. Their plan sounds more like a honey pot for clueless people. So you might get an illusion of privacy, but it's almost guaranteed that you won't really get it.
  • This is just what we have been expecting. This shouldn't shock anyone. This is simply the shape of things to come. Your television is spying on you and that's not a joke.
  • Spritz is a great stream cipher which can be used as an RC4 replacement. It uses a sponge construction, so the internal state can't be easily modified as it can be with most block ciphers when CBC is being used. Schneier also posted about it. If I happened to be seriously bored, I could write a pure Python 3 implementation, which would be nice, except really slow. Spritz is already slow, and this would only make it much slower.
  • Checked out high performance Python extensions. I was already familiar with NumPy. Instead of OpenMP I've been using the Python 3 native multiprocessing lib for efficient manycore processing.
  • Really nice article about OSPFv3 differences compared to OSPFv2. The changes are much larger than just support for IPv6.
  • How secure is TextSecure? [PDF] Here's a paper analyzing it. Identity misbinding attacks are just way too common. Many people say that PGP and Retroshare are horrible, because those require manual key exchange. No, that's just the feature which makes those secure! Manually exchanging keys and making sure that the keys belong to the people you think they belong to is a very important part of public key security. See: unknown key share attack.
  • Mobile is eating the world! There's no point in designing 'legacy software products' which won't work properly for mobile users. This is a very important thing to keep in mind if you're a product manager or planning to start a software startup.
  • Windows tablets are great, NOT! This is just my personal opinion, but I wouldn't recommend those for users. Sluggish operation, Windows updates take forever. Updates fail, reverting changes, installing ~150 more updates after the 8.1 upgrade. Random SDBUS BSODs, reboots, WiFi / 3G connectivity issues. It seems that everything is working badly and update installation failures and blue screens are quite random and common. Eventually after tens of reboots and installing all kinds of stuff you'll get everything installed. If you're lucky. Then you'll install upgrades by the device manufacturer, which take a long time and require multiple reboots etc. Luckily I'm able to install these in volume, and the tasks are rarely urgent. So I can put tens of tablets on a table and run updates; after a few hours I'll revisit those, see what the situation is and continue. Yes, it's not consistent; some tablets and laptops in the batch can be much slower to install and others faster, others fail and some won't etc. It's just basically an absolutely horrible experience. I feel and know very well the feeling you described. Suddenly the touch screen is totally unresponsive, or doesn't work at all. You'll need to use a USB keyboard and so on.
  • Watched several EuroSciPy 2014 videos.
  • Watched docker keynotes at DockerCon14 [1, 2]: libcontainer, libchan, libswarm etc.
  • A nice description of how hard it is to test even simple software. And that's absolutely true.

    I've seen testing which is done well, but mostly very poorly. Often test cases are rushed, or there are no test / use cases at all to test. Also checking the results of tests after software changes is omitted.

    Often people testing software do run some tests which are related to the changes made. But they completely miss that there might be serious side effects from the changes made which most probably aren't covered by the tests they execute. I really liked the Tetris article. That's just so true. Even when talking about many devices, like security devices and firewalls. It's often easy to find bugs when you just look very hard for configuration options which aren't invalid according to the documentation. Those are just extremely rare and not useful in most situations. Like taking an el cheapo firewall and trying to configure it so that it's in partially bridged and partially routing mode. After that you'll then set up a VPN as well as configure NTP and stuff like that. Things would work well in the case of full routing mode, but when firmware which achieves this result by using some kludges is being used, these features also get broken in the process.

    That was only one example. Almost any complex but not very widely used program contains bugs which you can find by looking at things which most likely haven't been tested and aren't being used by a large number of users / customers. Because these are commonly the areas that the official testing team isn't focusing on. They're already very happy if they get a version released where the most important things, used by the majority of customers, are barely passing the tests without any serious problems.
  • You really shouldn't have a TV at home if you have any wishes for privacy? What? Yeah, that's true.

    As we know, this is nothing new, but it's getting a lot worse. There's no privacy if there's a TV in the room. Or any other smart screen. Of course laptops, phones and computers have posed similar risks earlier. But in this case, these devices are pre-installed with 'malware' made by the manufacturer. Is there any privacy in the future?

  • Checked out several new mobile payment solutions which provide multi-channel payments: on-line / web payments, mobile payments, as well as credit card & NFC payments at the Point of Sale (POS).

Bottle.py path handling, Crypto, China & India Internet, IPsec, ZingChart

posted Nov 2, 2014, 2:25 AM by Sami Lehtinen   [ updated Nov 2, 2014, 2:26 AM ]

Bottle.py URL handling

Bottle.py handles URLs as real paths, even if the paths do not refer to real paths at all. Is this a good or bad design? I don't know. I'm just curious why they're doing it like this.

I'm just curious why parts of the URL are considered as a (real) path with previous directory links. Is there any way to disable this? Or is it mandatory to use a parameter for that?

Example:
request: /request
returns: /request
but ...
request: /request/..
returns: /
request: /request/../testing
returns: /testing

Why? It also might look or sound like a potential flaw? But I assume this is intentional.

Of course /request?q=.. works by passing the parameter q=.. to /request.

Also using %2f instead of . interestingly enough works.

I tried Googling around and I didn't find a proper answer for this particular question.
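An added example, not Bottle's code and not a claim about which layer in the author's stack did the collapsing: the standard dot-segment removal from RFC 3986 section 5.2.4, which yields exactly the results listed above, plus the check a practitioner wants next to it. A path that spells the dots percent-encoded is not collapsed by that algorithm, so whatever you match routes or permissions against should be canonicalized consistently: decode once, then normalize, then match.

```python
from urllib.parse import unquote


def remove_dot_segments(path):
    """RFC 3986 section 5.2.4 applied to an absolute path.

    '/request/..' -> '/', '/request/../testing' -> '/testing', '/a/.' -> '/a/'.
    '..' above the root is dropped rather than leaving the path (no '/../x' escapes).
    """
    if not path.startswith("/"):
        path = "/" + path
    segments = path.split("/")[1:]  # drop the empty segment before the root slash
    out = []
    for seg in segments:
        if seg == ".":
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    # A trailing '.' or '..' leaves a directory-style path, i.e. a trailing slash.
    if segments and segments[-1] in (".", ".."):
        out.append("")
    return "/" + "/".join(out)


def canonical_path(raw_path):
    """The form to match routes and authorization against: percent-decoding first,
    so '%2e%2e' and '..' end up identical, then dot-segment removal.
    Note that decoding also turns '%2f' into a separator; if an encoded slash is
    meant to stay inside a segment, decide that before calling this."""
    return remove_dot_segments(unquote(raw_path))


def same_resource(path_a, path_b):
    """True when two differently spelled paths name the same resource after canonicalization."""
    return canonical_path(path_a) == canonical_path(path_b)
```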

Smaller things:
  • STaT: Yes, I'm a Special Tools and Tactics guy. I'll do whatever needs to be done to get the job done. Did I just come up with the term? Yeah, I did. ;)
  • Absolutely great post about how cryptography is being intentionally broken by designing bad software and recommending insecure or badly designed standards, as well as burying something which would be better.
  • Facebook's software architecture, a good post which summarises Haystack & Memcache caching.
    KW: social graph, ACL, MySQL, Memcache, read heavy, blob storage, caching, F4, Haystack, fault tolerant, replication, big data, erasure coding.
  • How did the Feds find the Dread Pirate Roberts? This story (Schneier on Security) is interesting. There has been so much discussion about parallel construction earlier. Maybe the real information came from the NSA, but as is known, intelligence information can't be used directly, because it would reveal what they're doing and their capabilities.
  • RunAbove presents interesting Power 8 based cloud hosting, allowing you to run 176 parallel threads on their latest cloud servers. I guess that's great for web hosting & databases. They also provide bandwidth which costs only USD $0.01/GB.
  • China is MitM'ing Apple's iCloud. Somehow this doesn't surprise me at all. It's also interesting that they're also MitM'ing GitHub and login.live.com (Microsoft, Hotmail, Outlook). Of course it can be used for sharing many kinds of information. Also the popular Chinese browser Qihoo 360 is designed to allow MitM'ing by skipping site validation. 2-step login won't protect from situations where the logged-in user's cookie is being stolen using MitM.
  • India is snooping on and blocking network traffic. Goes in the same category as China and, ehh, Finland. Nothing new. Some sites are blocked / censored and network traffic is monitored.
  • Reminded myself about HSPA+ Enhanced Cell-FACH.
  • Had even more fun with IPsec VPN tunnels; it's such unbearably bad technology: unreliable, painful to configure, maybe insecure, etc. After a few weeks of fine-tuning and permutating all possible configurations we found a configuration set that seems to mostly work. We had to disable DPD because it seemed to be one of the sources of the problem. DPD detected under load that the network was down and caused the VPN to go down. When DPD is disabled everything is working. It's just so funny how technology designed to detect problems is actually causing them. I'm just waiting to see cars which have automatic collision avoidance, and those cause more deaths by causing the car to suddenly change lane or brake, drive off bridges and so on. Automation is just such a nice master.
  • Checked out the fast HTML5 charting library ZingChart. Really nice, quick and light. No more hosting images or generating those on the fly using PHP or similar legacy stuff.

Read: Named Data Networking: Motivation & Details

posted Nov 2, 2014, 2:14 AM by Sami Lehtinen   [ updated Nov 2, 2014, 2:14 AM ]

This is an interesting concept, yet routing and routing table size can be a problem. I would personally use IPv6 and focus on different "discovery protocols". The same applies to Mobile IPv6 and other situations where the IP address should roam. If the address is easily findable, then it doesn't require actual address roaming, because the client's current address can be easily looked up when required. Of course this doesn't provide 'seamless roaming', but I've noticed that in many cases even when seamless roaming is advertised, it isn't truly seamless.

Just compact highlights & keywords from the longer document:
  • In NDN, all data is signed by data producers and verified by the consumers, and the data name provides essential context for security.
  • Name-based routing also raises a scalability question. Routing and forwarding plane separation has proven necessary for Internet development.
  • A router remembers the interface from which the request comes in, and then forwards the Interest packet by looking up the name in its Forwarding Information Base (FIB), which is populated by a name-based routing protocol. The router stores in a Pending Interest Table (PIT) all the Interests waiting for returning Data packets.
  • Because an NDN Data packet is meaningful independent of where it comes from or where it may be forwarded to, the router can cache it to satisfy future requests.
  • Data signatures are mandatory — applications cannot “opt out” of security. Besides efficient digital signatures, NDN needs flexible and usable mechanisms to manage user trust. Secure binding of names to data provides a basis for a wide range of trust models, e.g., if a piece of data is a public key, a binding is effectively a public key certificate.
  • NDN’s data-centric security can be extended to content access control and infrastructure security. Keywords: efficient signatures, usable trust management, network security, content protection and privacy.
  • IP architecture problems: address space exhaustion, NAT traversal, mobility, and address management. There is no address exhaustion problem since the namespace is unbounded. There is no NAT traversal problem since a host does not need to expose its address in order to offer content. Mobility, which requires changing addresses in IP, no longer breaks communication since data names remain the same. Finally, address assignment and management is no longer required in local networks, which is especially empowering for embedded sensor networks.
  • Routers simply treat names as a sequence of opaque components and do component-wise longest prefix match of the name in a packet against the FIB. How to maintain control over the routing table sizes? Another important question is whether looking up variable-length, hierarchical names can be done at line rate.
  • Intelligent Data Plane: an NDN node can monitor the packet delivery performance of different interfaces and detect packet loss if any occurs, all at the time scale of a round-trip time.
  • Forwarding Strategy: since each Interest retrieves one Data packet, a router can control the traffic load by controlling the number of pending Interests to achieve flow balance. The PIT state can also be used to effectively mitigate DDoS attacks.
  • Content Store: automatic in-network caching is enabled by naming data. NDN routers are able to reuse the data. For static files, NDN achieves almost optimal data delivery.
  • One may also be able to learn what data is requested through clever probing schemes to derive what is in the cache. However NDN removes entirely the information regarding who is requesting the data. The NDN architecture naturally offers privacy protection at a fundamentally different level than the current IP networks.
  • Keywords: reliability checking, data signing and trust decisions.
  • NDN avoids congestion collapse that can occur in today’s Internet when a packet is lost at the last hop and bandwidth is mostly consumed by repeated retransmissions from the original source host.
  • Sync utilizes naming conventions to enable multiple parties to synchronize their datasets by exchanging data digests, so that individual parties can discover and retrieve new and missing data in a most efficient and robust manner.
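To make the FIB / PIT / Content Store split above concrete, an added example that is not from the NDN paper or any NDN implementation: a toy router that does component-wise longest-prefix match, aggregates duplicate Interests in the PIT, enforces a per-face pending limit as the flow-balance / DDoS knob, accepts Data only when it was asked for and its signature verifies, and then caches it. Names are tuples of components; an HMAC with the producer's key stands in for the public-key signature so the block runs offline.

```python
import hashlib
import hmac
from collections import OrderedDict


def _sign(name, payload, key):
    """Stand-in for the producer's signature: binds the name to the payload."""
    msg = "/".join(name).encode() + b"\x00" + payload
    return hmac.new(key, msg, hashlib.sha256).digest()


class Data:
    """An NDN Data packet: name, payload and the producer's signature over both."""

    def __init__(self, name, payload, producer_key):
        self.name = tuple(name)
        self.payload = payload
        self.signature = _sign(self.name, payload, producer_key)


def verify_data(data, key):
    return hmac.compare_digest(_sign(data.name, data.payload, key), data.signature)


class NdnRouter:
    def __init__(self, cache_size=2, max_pending_per_face=2):
        self.fib = {}            # name prefix (tuple) -> outgoing face
        self.pit = {}            # full name -> set of faces waiting for the Data
        self.cs = OrderedDict()  # Content Store: name -> Data, LRU bounded
        self.cache_size = cache_size
        self.max_pending = max_pending_per_face

    def add_route(self, prefix, face):
        self.fib[tuple(prefix)] = face

    def lookup_fib(self, name):
        """Component-wise longest-prefix match of the name against the FIB."""
        for n in range(len(name), -1, -1):
            face = self.fib.get(tuple(name[:n]))
            if face is not None:
                return face
        return None

    def pending_for(self, face):
        return sum(1 for faces in self.pit.values() if face in faces)

    def on_interest(self, name, in_face):
        """Returns (action, detail): served from cache, aggregated, dropped,
        no-route, or forwarded to the FIB face."""
        name = tuple(name)
        if name in self.cs:                       # Content Store hit
            self.cs.move_to_end(name)
            return ("data", self.cs[name])
        if name in self.pit:                      # same name already in flight: aggregate
            self.pit[name].add(in_face)
            return ("aggregated", None)
        if self.pending_for(in_face) >= self.max_pending:  # flow balance per face
            return ("dropped", None)
        out_face = self.lookup_fib(name)
        if out_face is None:
            return ("no-route", None)
        self.pit[name] = {in_face}
        return ("forwarded", out_face)

    def on_data(self, data, producer_key):
        """Data is accepted only if a PIT entry asked for it and the signature
        verifies; it is then cached and handed to every waiting face."""
        faces = self.pit.get(data.name)
        if faces is None:
            return ("unsolicited", set())
        if not verify_data(data, producer_key):
            return ("bad-signature", set())       # PIT entry stays; real Data may follow
        del self.pit[data.name]
        self.cs[data.name] = data
        if len(self.cs) > self.cache_size:
            self.cs.popitem(last=False)           # evict least recently used
        return ("delivered", faces)
```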

LinkedIn, Passwords, PostgreSQL, Apache2, POODLE, Books, HTTP/2, EU Taxes

posted Oct 24, 2014, 11:41 PM by Sami Lehtinen   [ updated Nov 2, 2014, 2:11 AM ]

LinkedIn is used for creepy spying and tracking.
Doesn't really surprise anyone. If you're using Facebook, Google or LinkedIn or similar spy services like GitHub, well, that's what you're asking for. If you respect privacy, you should only use services which also respect it.

Yet another weak login authentication, one less password. When will they realize that using a phone number or email address isn't exactly a secure method of logging in?

Really nice post about PostgreSQL internals, not too technical, enjoyable basics.

Improved my server logging, now logs are much better, using Apache2 CustomLog.

Played with curl and some sites which use GeoIP to locate users. In many cases I can inject an X-Forwarded-For header which contains a spoofed IP address to change my location. Nice.
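The defender's side of that observation, as an added example that is not from the post or any framework: a GeoIP lookup (or any decision) should only take the client address from X-Forwarded-For after discarding the hops that our own trusted proxies appended, walking the header from the right; when the TCP peer is not a trusted proxy, the header is ignored altogether. The proxy ranges and addresses here are constructed.

```python
import ipaddress


def client_ip(remote_addr, xff_header, trusted_proxies):
    """Derive the real client address from the TCP peer and X-Forwarded-For.

    Each trusted proxy appends the peer it saw, so the rightmost untrusted entry is
    the client; anything to its left was supplied by the client itself and is ignored.
    If the TCP peer is not one of our proxies, the header is untrusted entirely.
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]

    def is_trusted(ip):
        return any(ip in net for net in trusted)

    peer = ipaddress.ip_address(remote_addr)
    if not is_trusted(peer):
        return str(peer)                      # direct client: header is just client input
    hops = [h.strip() for h in xff_header.split(",")] if xff_header else []
    for hop in reversed(hops):
        if not hop:
            continue
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            break                             # malformed hop: stop trusting the chain
        if not is_trusted(ip):
            return str(ip)
    return str(peer)                          # only our own proxies in the chain


def geo_decision(remote_addr, xff_header, trusted_proxies, country_of):
    """Apply a caller-supplied lookup (constructed stand-in for a GeoIP database)
    to the address we actually trust, not to whatever the header claims."""
    return country_of(client_ip(remote_addr, xff_header, trusted_proxies))
```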

Linux NTFS-3g driver doesn't handle volumes correctly? Because chkdsk on Windows shows errors every time after using USB sticks on Linux. "Correcting errors in the uppercase file." So clearly everything isn't being done correctly?

Read thoroughly and thoughtfully this post: How POODLE Happened. It's an excellent description of SSL history, the history of similar attacks and a technical description of how the attack actually works. Here's the original POODLE paper from OpenSSL.

Many people don't consider indirect passive information leakage a problem at all. But I do; I'm very aware that everything done online is tracked all the time. Here's a good post about it, if you're not aware of it.

Refreshed my memory about the difference between MAC-then-encrypt, MAC-and-encrypt and encrypt-then-MAC. This paper sums it up: Authenticated Encryption. It's also recommended to read this: Order of Encryption and Authentication.
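Added example (mine, not from the papers linked above) showing encrypt-then-MAC with verify-before-decrypt, next to encrypt-and-MAC to show what that order leaks; the HMAC-based keystream is a constructed stand-in for a real cipher such as AES-CTR.

```python
import hashlib, hmac, os, struct

NONCE_LEN, TAG_LEN = 16, 32


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Constructed stream cipher: HMAC-SHA256 used as a PRF in counter mode. It stands in
    # for AES-CTR only so this runs on the standard library (assumption, not advice).
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def etm_seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC: the tag covers everything the receiver will parse (nonce + ciphertext).
    nonce = os.urandom(NONCE_LEN)
    ct = xor(plaintext, keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def etm_open(enc_key: bytes, mac_key: bytes, blob: bytes):
    # Verify first, in constant time. The ciphertext is never decrypted unless the tag
    # matches, so a forged message yields no padding or decryption error to observe.
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return xor(ct, keystream(enc_key, nonce, len(ct)))


def eam_seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-and-MAC for contrast: the tag is computed over the plaintext, so with a
    # deterministic MAC two identical messages are recognisable by their equal tags
    # even though their ciphertexts differ.
    nonce = os.urandom(NONCE_LEN)
    ct = xor(plaintext, keystream(enc_key, nonce, len(plaintext)))
    return nonce + ct + hmac.new(mac_key, plaintext, hashlib.sha256).digest()
```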

Added Bruce Schneier's book "Data and Goliath Is Finished" to my Kindle.

HTTP/2: The Long-Awaited Sequel @ IEBLog. Good information about what's new in HTTP/2.

Fixed some issues with LogRotate, because latest Ubuntu distribution upgrade caused some issues. Now everything is working just as expected and was working earlier.

Unfortunately I'm still having problems with the Intel+Nvidia display adapter configuration at home. So some of my screens are dead, for now. I don't know whose idea it was, but xorg.conf is still being deleted on every system boot.

Year 2015 brings 2015 taxation changes for European web business in the EU area. How are you going to deal with the new regulations? This article shows how things will be, but what's the best solution? It's a really huge burden to report taxes separately to 28 different countries, which wasn't required earlier. Are there any solutions to this problem for small entrepreneurs? Discussion @ G+. One guy who runs a small website selling electronic goods and services said that this is going to be such a big burden that it's better to quit than deal with it.

DNSSEC, Privacy, Credit Card Tokenization PAN, dCVV, etc

posted Oct 24, 2014, 11:34 PM by Sami Lehtinen   [ updated Oct 24, 2014, 11:35 PM ]

Studied Introduction to DNSSEC by CloudFlare
Checked out Kounta, mCASH and reminded myself about the features of SEQR (Seamless). Mobile POS, Mobile Payments.

Watched PBS NOVA 2014 Why Planes Vanish? Primary Radar, Secondary Radar, SatCom, Transponder, SQUAWK, Doppler shift, Ping latency, Frequency correction, ADS-B, electric bay, AFIRS, streaming near-realtime flight data recorders (blackbox). My comments: ADS-B is a flawed system, because it's based on information reported by the plane's systems, and that information can be spoofed or the system disabled.
Watched Glenn Greenwald's Why privacy matters and The Virtual Interview: Edward Snowden

Read Even a Golden Key Can Be Stolen by Thieves, how Apple encryption is flawed. "regulating backdoors in cryptography will diminish users' security". I think there's still a major flaw. What good is getting a warrant for the contents of an encrypted laptop, desktop or phone? If it's encrypted and they don't have the key, the warrant is no good. This still means that Apple has a backdoor into the system by holding the keys. This is exactly in line with the stuff which I wrote about in earlier posts, about them lying about not having access to data. If the encryption is done correctly, they don't have any data or keys which could help law enforcement in any way, even if they had a warrant. It's just horrible how many (almost all) systems are insecure by design.

I've been thinking several times about implementing a secure P2P client, which basically wouldn't leak any data. The security level would be much better than with Tor or any currently existing 'privacy' tool. Of course this would be mostly used by tinfoil hats only, so using it would make you kind of a target, but the good thing is that they couldn't tell anything about who you're chatting with, when you're chatting, etc. It would be an interesting exercise. I guess I would use the existing Bitmessage source and just modify it with the required additions, because I've earlier successfully extended Bitmessage features, but just to attack the network itself. Adding latency and generating corresponding fake traffic would be basic features, hiding the normal flood-casting messaging pattern Bitmessage currently employs. Of course Freenet (Freenet Project) has had these features for ages, as well as GNUnet.

Registered to watch: Google Cloud Platform Live

Studied Apple Pay for Developers: Network Level Tokenization Network-Side Token PAN BIN (Tokenization Data security @ Wikipedia)

Read: EMV Payment Tokenisation Specification – Technical Framework

Related keywords:

Ecosystem Tokenization Environment Payment Token Ecosystem Service Provider Cardholder Card Issuer Merchant Acquirer Payment Network Requestor Specification Data Elements Requirements Vault Generation Issuance Provisioning Security Controls Registration Assurance Domain Restriction ID EMV Technical Framework POS Entry Modes Information Reports Raw ID&V Methods Concepts Performed Account Verification API APIs Participating Endpoints Interface Categories Input Output Level Update De-tokenization Query Lifecycle Management Processing Routing Range Tables Transaction Authorisations During Capture Clearing Exception Flows Mobile NFC Point of Sale Digital Wallet E-Commerce Card-On-File Scan Use Case Flow Overview Authorisation Chargeback Normative Abbreviations Definitions Events Mapping Standard Europay Visa Mastercard

More excellent reading for people interested about payment cards: EMV Specifications

Dynamic changing dCVV / dCVC codes for credit cards, where CVV/CVC is replaced by mini display.
Doesn't basically change anything in Finland, because many sites are already using Verified by Visa or MasterCard SecureCode, which basically use strong identification to verify the identity of the card owner before authorizing any payments. The current implementation is already much stronger than any dynamic card verification value. Even if you have the card, it's useless unless you also have access to the card owner's identification codes.

Had some trouble with files saved from Windows Notepad; it seems that Windows is using a character set which isn't directly detected by Mousepad, the Xubuntu default text editor. I guess the main problem is that Microsoft is using a non-standard € sign encoding (chr 128) when saving into the MS ANSI 8-bit format. - Got solved by using the Windows-1252 character set encoding. I would personally prefer always using UTF-8.

FIDO U2F & YubiKey, 2FA, Two factor authentication

posted Oct 23, 2014, 8:41 AM by Sami Lehtinen   [ updated Oct 23, 2014, 8:42 AM ]

Main link / news: Google strengthens 2-step verification using USB Security Key

My thoughts about it:
There's nothing new with 2FA. It's nice that they use the open Universal 2nd Factor (U2F) protocol. I guess this is also excellent news for Yubico, manufacturer of the YubiKey products. It seems that U2F / UAF are a bit newer standards, so I have to study more about them, read the specification and write my own thoughts about it. - More information from FIDO Alliance.
With phones you can use mobile phone based 2FA, which is afaik just as secure as this solution is. Or maybe even a bit more secure, because it's out of band, and the site where the authentication is being sent is also verified. The only drawback is that the mobile phone is hackable, but I guess it would require at least a rooted phone to be able to interfere with the login process.
In this case only the client is validated, which is the traditional security failure point. Doesn't help at all in MitM cases. Yet, the Chrome browser might be doing some tricks trying to prevent this. FIDO documentation says that there's a login challenge, so most probably the response is only good for the requesting site. Yet, if there's malware on the system, it's totally possible (afaik) that it will request another login challenge in parallel and actually generate the login response for that service. I've always loved YubiKeys, except they require a USB bus, which isn't available on many 'modern' devices. Yet the wins for using USB are: no display, strong long keys, no need to enter keys, as well as no need for a replaceable battery. On the other hand YubiKey NEO uses Bluetooth technology, but as the downside it requires a battery.
