Blog‎ > ‎

Access Control, It Works, Random or Trend, Business Analytics (BI), Consistenty vs Availability

posted Dec 25, 2016, 1:50 AM by Sami Lehtinen   [ updated Dec 25, 2016, 1:51 AM ]
  • Access Tokens and reality. It's so funny when people claim that electronic access tokens or phone authentication makes things more secure. Truth is that people often think that they'll find it later when they lose it. Based on this fact, it's common that lost access token or even phone might take several days to be reported. If access to key systems is access controlled by those measures it leaves just plenty of time to abuse those systems. So yet another massive security fail. It's also usual that in these kind of situations they might gladly borrow co-workers access token or credentials to access systems, because their own credentials / token / phone is just 'temporarily lost'. - Yet another reason why so many security system claims are totally false. As widely reported, it might well be that lost tokens remain active for several years or new ones will be issued without invalidating the old ones at some point much later. - Yet in case of physical keys are being used, it's even more likely they won't report it. Because it would know much more trouble than just losing electronic tag which is "seemingly easy" to disable. Even if it might take long time still, as reported earlier. - Just interesting security culture observations. I think it's more like norm instead of exception. I think it's rare exception if these things are handled properly and promptly. Usually people avoid telling such news. The story goes on. It's rumored that the PIN code required with that access token was written on the access token itself. Ah god, I love humans. They're smart, I mean ruining all of the security that the system has been developed and planned with.
  • I've mentioned sometimes et Jugaad is one fine invention. Chinese seem to use Chabuduo and I'm not exactly sure if there's a single word in Finnish which would mean the same thing. Good suggestions anyone? I'm not meaning something would be done very badly. It's done in a way, that's hackings and will work well enough to do what's required, but is far from pretty or great solution. On the same time you can ask, what's the true value of doing something better than required. Isn't it waste of resources? See: Chà bu duō  (差不多), System D, Jugaad
  • Google starts to provide VPS services in Finland, that's only a small part of the Google Cloud Platform (GCP).
  • Read some stuff about enterprise and data center SSD usage and endurance estimation. Related keywords: SSD wear out, Random Fail, Write Operations per Second (WOPS), Drive Fill Ratio, Drive Writes per Day (DWPD).
  • Read: Differentiable neural computers and Neural Turing Machine
  • Had once again a long discussion about alerts and warning to users. Alerts and warnings are very important, but those must not cause alarm fatigue. It's important that there's basic sanity checks and only if those fail the warning is being shown.
  • Another question was that, if critical near miss of huge accident will lead to learning and avoidance of the problem in future. Or if it's actually just indication of a trend. It's very hard to say. I'm inclining it's indication of trend. Having really bad mishap can lead to short term reversal, but based on practical experience I believe in trends. User who often does something catastrophically wrong, disregards security aspects, forgets password or anything similar, will do it again in future. Even if you would scold them very hard about what happened. They're not doing it on purpose or intentionally, it's just what they do and they'll do it again.
  • Even more discussion about IoT security disasters and the only thing guaranteed, it's going to get much worse before, it might get better in future.
  • Read too many articles about BI and Business Analytics Systems and also refreshed my memory about Data Loss, Disaster Recovery And System Crashing matters, by reading articles for several hours. Yet as said, nothing new in either sectors.
  • A great post by Julia Evans - Consistency vs Availability - Basic stuff, but yes, that's how it is. Even if in reality things are really shades of gray. CAP theorem is related.