Summer stuff: many books, studying: privacy & security & webapp development related stuff

posted Aug 12, 2012, 11:37 AM by Sami Lehtinen   [ updated Mar 28, 2014, 11:33 PM ]
Phew, here's some more stuff I have done. I'm sure I forgot many things... I should blog weekly in future, to avoid these huge blobs. Items in this post aren't in any particular order, it's plain backlog dump.
  • Checked out Cappuccino. I think it's suitable for people writing HTML5 apps with an iOS / Objective-C background. I found it to be quite complex even for simple apps. I would prefer something like pyjs due to my Python background.
  • Finished reading: JS in ten minutes. Some parts were a bit too deep JS stuff for me. I would prefer to think about these problems on a higher level. But generally I liked the concept.
  • Studied: RFC 5054 - Using the Secure Remote Password (SRP) Protocol for TLS Authentication.
  • Listened: OWASP netcast 84, DDoS Mitigation.
  • Thoroughly studied: Yahoo's Privacy Policy. - "Yahoo! takes your privacy seriously." - Right... How about using HTTPS instead of HTTP with webmail? Does anyone hear me?
  • Studied: Ebook WLAN Security (CSD) - Maintaining a secure wireless network and associated devices; performing security audits; monitoring and tracking wireless and handheld devices and wireless technology for new threats and vulnerabilities.
  • New book added to Kindle: The Principles of Product Development Flow: Second Generation Lean Product Development
  • Finished reading: Single page apps in depth and The Twelve-Factor App. 12factor was all clear to me, excellent stuff. But about SPAPiD I can just say: "DOM, UI re-rendering, JavaScript events stuff is a bit outside my primary scope. So yeah, I do understand what I read, and get the general concept. But it really doesn't click for me on the detail level. This is such a complex area that I would prefer to use an existing professional for it."
  • Studied: Everything you ever wanted to know about building a secure password reset feature - Glad that they also mentioned why pure email reset is a super bad idea: "Whoever has access to your email now has access to any account that can be reset purely by receiving an email." - I personally do have a perfect solution for password recovery questions, but I'm not going to tell it for security reasons.
  • Studied: elliptic curve cryptography (ECC), the difference between gnupg and gnupg2, DSA / RSA keys. It seems that DSA keys aren't recommended anymore. Well, gnupg2 version 2.1.0 should have support for ECC encryption. It should be much better than RSA. Shorter keys and faster and more secure public key (PK) encryption.
  • Studied: Autonomous Underwater Vehicles (AUV). And of course naturally tons of Curiosity rover stuff, space probe signal encoding, error correction etc., deep-space telecommunication. Encountered old stuff that I already knew, like Radioisotope Thermoelectric Generator (RTG), Inertial Measurement Unit (IMU), Reed-Solomon error correction, Bayer Filter etc.
  • Security stuff: I encountered quite a few zero-day Windows trojans on client computers. The situation is clearly bad, because anti-malware and anti-virus apps didn't help at all. Confirmed that those PDF files did contain dropper code, and submitted it to VirusTotal, Jotti's malware scan, Microsoft and F-Secure. I do have a long story about this, but unfortunately it's not the right time to write more about it. All I can say is: ZeroAccess rootkit. Some computers also received the Live Security Platinum rogue security malware "antivirus program". Some JavaScripts inserted by the malware proxy had references to the domain waitingforbankanswer.net. Yes, I didn't forget linking it, it's missing on purpose, be careful.
  • Studied: "OAuth 3.0" and Hashcash, Parallel Computing - Which reminded me about my Java studies back in 1996... Volatile variables, synchronized methods and of course Lock objects. Newer stuff is quite interesting and I don't know if there are any good working implementations out. Transactional memory (TM), Software Transactional Memory (STM) and Automatic Mutual Exclusion (AME) for Python using PyPy.
  • µTorrent is soon going to serve ads? - Sigh! Use Deluge instead.
  • Studied & played with: Cross-site Scripting, XSS. Exploited one site using a persistent attack with a harmless picture, just to see and confirm that it works as it should. Also studied Cross-site request forgery (CSRF/XSRF) using JavaScript. Yet again found a vulnerable site. The exploit script was served from my own server and it was able to do actions on the target site where I was logged in with my own credentials.
  • Studied super long article about RFID and differences between using LF and HF tags. 
  • Wrote one short business plan, but I can't tell more about it yet...
  • Studied the study: Reliably Erasing Data From Flash-Based Solid State Drives
  • Studied TCP Fast Open: expediting web services - Nice, speeds up repeated (or parallel) TCP connections, but requires modifications to existing apps. So only a few apps will get the benefit. Just like with Ext4 persistent pre-allocation. It's just great, if it's being used. I have also noticed that many apps that really could and should use pre-allocation with NTFS simply just do not use it, which leads to fragmentation that could be simply avoided by using pre-allocation. - key word: fallocate()
  • Studied: Content-centric networking, lulz, it's kind of like re-inventing magnet links. But this is exactly why I like anonymous content storages with encrypting cache, like Freenet, over Tor, which hops data around without caching. If content is static, it's crazy not to cache it and to starve network resources by retransmitting it again and again.
  • Read a lot of stuff about the Mat Honan case, yeah. It happens and it sucks.
  • Read article about Memory Access Patterns are important -  Martin Thompson. Yup, seems to be pretty important stuff for performance, I have written about caching a lot, and this is excellent addition.
  • Refreshed my memory by reading some basic documentation about Kademlia & DHT. This stuff is interesting; if I just had the time and a case that needed it, I would like to write a working implementation.
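Since the password reset item above only quotes the article's warning, here is an added example (mine, not the article's or the blog's code) of the token handling side of an email reset link: the server stores only a SHA-256 of the random token, the token expires, and it is single use. This hardens the link itself, but it does not remove the dependency the article warns about: whoever reads the mailbox still gets the link. `ttl_seconds` and the in-memory dict standing in for a database table are assumptions.

```python
import hashlib
import secrets
import time


class ResetTokenStore:
    """Issues and redeems one-time password-reset tokens.

    Only a SHA-256 of the token is kept, so a leaked table cannot be used
    to reset anyone's password. The dict stands in for a DB table (assumption).
    """

    def __init__(self, ttl_seconds=15 * 60):
        self.ttl = ttl_seconds
        self._rows = {}  # token_hash -> (user_id, expires_at)

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id: str, now=None) -> str:
        """Return the clear-text token that goes into the email link.

        Any earlier token for the same user is revoked first, so a user
        can never have several valid reset links in flight.
        """
        now = time.time() if now is None else now
        self._rows = {h: row for h, row in self._rows.items() if row[0] != user_id}
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._rows[self._hash(token)] = (user_id, now + self.ttl)
        return token

    def redeem(self, token: str, now=None):
        """Return the user_id for a valid token, or None. Always consumes it."""
        now = time.time() if now is None else now
        # Looking up by hash means an attacker who can only guess tokens
        # never learns anything from the lookup timing.
        row = self._rows.pop(self._hash(token), None)  # single use
        if row is None:
            return None
        user_id, expires_at = row
        if now > expires_at:
            return None  # expired; already removed, so it cannot be retried
        return user_id

    def pending(self) -> int:
        return len(self._rows)
```

After a successful redeem the application should also set the new password and invalidate the user's existing sessions; the store above only decides whether the link is still good.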
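For the Hashcash item above, here is an added worked example (my code, not from the blog or the Hashcash project) that mints a version-1 stamp and verifies it the way a receiving mail server would: the SHA-1 of the stamp must start with at least `bits` zero bits, the date must be recent, the resource must match, and a stamp may only be spent once. The counter is written as a plain decimal instead of the base64 that the reference tool uses; that and the two-day freshness window are assumptions.

```python
import base64
import datetime
import hashlib
import os


def leading_zero_bits(digest: bytes) -> int:
    """Number of zero bits at the start of a digest."""
    n = int.from_bytes(digest, "big")
    return len(digest) * 8 - n.bit_length()


def mint(resource: str, bits: int = 20, date: str = None, rand: str = None) -> str:
    """Brute-force a stamp '1:bits:YYMMDD:resource::rand:counter'.

    Expected work is 2**bits SHA-1 calls; the receiver checks it with one.
    """
    if date is None:
        date = datetime.datetime.now(datetime.timezone.utc).strftime("%y%m%d")
    if rand is None:
        rand = base64.b64encode(os.urandom(12)).decode("ascii")
    counter = 0
    while True:
        stamp = f"1:{bits}:{date}:{resource}::{rand}:{counter}"
        if leading_zero_bits(hashlib.sha1(stamp.encode("ascii")).digest()) >= bits:
            return stamp
        counter += 1


def verify(stamp: str, resource: str, min_bits: int, seen: set,
           today: datetime.date = None, max_age_days: int = 2) -> bool:
    """Accept a stamp only if it is well-formed, fresh, for us, hard enough and unspent."""
    today = today or datetime.datetime.now(datetime.timezone.utc).date()
    parts = stamp.split(":")
    if len(parts) != 7 or parts[0] != "1":
        return False
    try:
        bits = int(parts[1])
        stamp_date = datetime.datetime.strptime(parts[2], "%y%m%d").date()
    except ValueError:
        return False
    if bits < min_bits or parts[3] != resource:
        return False  # too cheap, or minted for someone else
    if not (0 <= (today - stamp_date).days <= max_age_days):
        return False  # stale or post-dated stamps are refused
    if leading_zero_bits(hashlib.sha1(stamp.encode("ascii")).digest()) < bits:
        return False  # claimed work was not actually done
    if stamp in seen:
        return False  # double spend
    seen.add(stamp)
    return True
```

The `seen` set is the receiver's double-spend database; because stamps older than `max_age_days` are rejected anyway, entries can be expired from it after the same window.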
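The CSRF item above describes the attack from the attacker's side: a script on another origin makes the victim's browser fire a state-changing request that rides on the victim's session cookie. As an added example (my code, not the blog's, and not taken from the site that was tested), here is the same handler written the vulnerable way and the hardened way, driven by constructed request dicts instead of a real web framework. The origin `https://app.example.com`, the form field name `csrf_token` and the `transfer` action are assumptions.

```python
import hmac
import secrets

SITE_ORIGIN = "https://app.example.com"  # assumed origin of the protected app


def new_session(user: str) -> dict:
    """Session as the server keeps it; the CSRF token is bound to the session."""
    return {"user": user, "csrf_token": secrets.token_urlsafe(32), "transfers": []}


def transfer_vulnerable(session: dict, request: dict) -> int:
    """Trusts the session cookie alone, so any site the user visits can trigger it."""
    if not session.get("user"):
        return 403
    session["transfers"].append(request["form"]["to"])
    return 200


def transfer_hardened(session: dict, request: dict) -> int:
    """Synchronizer token plus Origin/Referer check (defence in depth)."""
    if not session.get("user"):
        return 403
    if request["method"] != "POST":
        return 405  # state changes never ride on GET (an <img src> is a GET)
    # A browser sets Origin on cross-site POSTs and never lets script forge it.
    origin = request["headers"].get("Origin") or request["headers"].get("Referer", "")
    if not origin.startswith(SITE_ORIGIN + "/") and origin != SITE_ORIGIN:
        return 403
    # The token lives in the page, not in a cookie, so a foreign origin cannot read it.
    supplied = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(supplied, session["csrf_token"]):
        return 403
    session["transfers"].append(request["form"]["to"])
    return 200


def forged_request(to: str) -> dict:
    """What the attacker's page makes the victim's browser send (constructed)."""
    return {"method": "POST",
            "headers": {"Origin": "https://attacker.example", "Cookie": "sid=victim"},
            "form": {"to": to}}  # cookie goes along automatically; token does not


def legit_request(session: dict, to: str) -> dict:
    """A form submitted from the app's own page (constructed)."""
    return {"method": "POST",
            "headers": {"Origin": SITE_ORIGIN, "Cookie": "sid=victim"},
            "form": {"to": to, "csrf_token": session["csrf_token"]}}
```

`hmac.compare_digest` is used so the comparison does not leak how many leading characters of the token were right; the Origin check alone would already stop the forged request here, and the token stops it on browsers that omit Origin.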

Yeah, this is how I spend my summer. Luckily I have also had some time to bicycle. But when I'm walking, I'm always reading stuff from my Kindle.