posted Jan 1, 2014, 10:23 AM by Sami Lehtinen
updated Jan 3, 2014, 9:08 PM
Fresh stuff this time.
- Happy New Year 2014!
- This is incredible how badly some software companies handle their communication. They do have mailing list for "announcements", but they don't have any method of contacting customers when critical update is required. After having a long chat about this topic, they agreed that it would be really great idea to provide mailing list and RSS feed. But they didn't have thought it earlier. - This is horrible. And with critical update I mean update, which stops whole application from functioning if it's not applied before certain other Windows updates are installed.
- ARIN is running out of IPv4 space. IPv4 countdown @ ARIN. Not a surprise because this has happened to RIPE and APNIC earlier. I also studied NAT64 and RFC6586. I personally believe that NAT64 isn't going to be required because CGN is being used soon. In Finland mobile telephone operators are already using it. For normal mobile Internet connection you can't even get dynamic public IP. You're always behind CGN. But when smaller service providers can't get IPv4 addresses anymore, then they simply have to start offering IPv6. When services are IPv6 only, it naturally leads to instant demand for consumers to be able to connect IPv6 services. Also IPv4 address space selling will be lucrative business. But it would have been much better simply to implement IPv6 faster. It's also major problem that many devices sold today do not properly support IPv6, which sets all of us in quite bad situation. Or maybe we're simply expect that all consumer electronics will be renewed in a few years, which is actually quite often happening. 5 year old device, is really old.
- Intel XDK registration was ... ahh ... Near perfect user experience as usual.
First I tried password like: d8SDHh3h-gf0Nhasjdh3
It's invalid password, because it doesn't contain 'special characters'.
Then I changed it to: d8SDHh3h-gf0Nhasjdh#
Now it's invalid password because it contains: -
Then I changed it to: d8SDHh3h0gf0Nhasjdh#
Now it's invalid password because it's longer than 15 chars. Rage! Is it really so hard, to hash, what ever the darn input is? Is it? Really? Can programmers hash any bits? Really? AwwWWwww! ... If they would hire me, I might be able to tell Intel engineers that it's actually possible to hash any binary data, including full UTF-8 character set. Because it seems that they really don't know it.
Finally password like: h3h0gf0Nhasjdh#
And it was finally accepted. Ou-yeah. This really shouldn't be that hard! Just as funny as it is, I had similar talk with my colleague about one week ago. He complained experiencing exactly same kind issues with several other sites. I assume we all have experienced this, that's just why I said as usual in the first paragraph.
- This is great topic. As seen in Air Crash & Mayday series, it's
clear that humans do not handle 'exceptions' well either. Often
accidents are caused by humans handling exceptions very badly. So if
you've been sleeping in car, drinking, and you're quite tired and
confused and car suddenly decides to sound alarm and gives control back
to you. It won't end well.
Other scenarios where this is
interesting, are very bad weather conditions. Well, if and when software
is "ready" which it ever won't be. I'm quite sure automatic cars will
handle very bad weather conditions better than humans. Because as we
know, people won't handle very bad or exceptional weather well either.
Drivers get surprised by ice every year. It does sound silly and doesn't
make sense, but it's true, there are always loads of accidents when
slippery weather hits. Of course I'm now referring to situation where AI is already so good,
that user (not calling driver on purpose) won't assume that there's need
to control the car.
So are you ready to control car, when computer suddenly quits?
- Played with Microsoft Thin PC version. Yay, VT100 terminals are back? Also reminded me about IBM NetStation 300 devices I installed back in 1996, with IBM AIX. Actually NetStation device wasn't terminal only, it could also run local Java programs. As well as stuff like fonts were loaded over TFTP.
- Had many long discussions & chats with friends again about NSA leaks, security, firewalls, attack vectors, firmware & software updates, lack of signatures, and backdoors. NSA having full access to iPhones. SSD Secure Erase might be broken when you got drive from factory, but it can be made broken on purpose. So it stored data saved to certain path to the Over Provision Area of drive or Host Protected Area. So even if drive is emptied and filled with random data, still the data for "important path(s)" will remain unharmed in over provision area etc. GSM / Mobile networks Evil Twin attacks. Hacking SD cards. Great infosec topics.
- To Protect And Infect, Part 2 - A very nice talk about NSA @ YouTube. In the talk they refer to a "Thing". Yes, it's really nothing new. Basically whole RFID technology works like that, modulating irradiated energy. So I wasn't surprised by that. If someone was, I guess they have missed their history lessons. It's well know fact that knowing history, tells you a lot of things that are happening now and in future. Even if you don't know exactly what is happening, you'll have a good clue what kind of things those might be. Attacks won't get worse, they'll only get better.
- Watched a lot of 30th Chaos Communication Congress videos. All official CCC videos. Including World War II Hackers (More paper & pen ciphers). Where (long) key is very important, with short non random key, you're ruined quickly, but with proper key paper cipher can work every well, basically OTP encryption. The Year in Crypto, Keynote by Glenn Greenwald, The Tor Network, Mobile network attack evolution, Technomonopolies.
- Tested WebRTC video chat called Vline, it seemd to work well with Firefox and Chrome, a cross operating systems.
- Reminded me self about WLAN (Wifi) Security. But nope, there wasn't anything new there.