Blog‎ > ‎

ASP, WCHAR, Integration, Encryption, Security, Read Only, Skype Bots, Ceph

posted Jul 3, 2016, 1:06 AM by Sami Lehtinen   [ updated Jul 3, 2016, 1:08 AM ]
  • Maintained some horrible old Classic ASP code. Joyful task, as always.
  • More fun legendary cases and classic fails. Is string length same as it's length in bytes. - No, it isn't. You fail. What's the difference between reporting string length or using null terminated strings and all the other classic. It's so funny why these problems persist for decades. It's fundamental and systemic flaw. WCHAR, UTF-16, UTF-8 and other traditional fun.
  • Made some serious system re-organization and migrations to few new platforms. Neat, lot of work, but everything went really surprisingly smoothly. I was expecting much bigger mess. Glad it goes this way sometimes.
  • No wonder one project is very sensitive about encryption they're using. Why? Because I think their encryption is extremely bad. It hasn't even seen encryption. It's more like blatantly bad encoding instead of encryption or very slight obfuscation. Even worse, you can actually find the source code by Googling around and it's not even being keyed. So they've probably ripped it from somewhere. - Stuff like this makes you laugh and cry at the same time. State of art encryption, which is so cool, it's super secret. But it's not actually super secret nor counts as encryption at all. But as usual, most of people don't figure it out anyway, so it's easy to claim it's something super awesome! I wonder how much 'state of art and super secret' stuff is exactly this. It's so bad, it has to be secret, otherwise. Something like auto keying cipher with key and additional +1 on every key reuse iteration to key would be actually pretty strong compared to these horrors. Don't you guys know the the complex cipher called base64 or uuencode, those are really hard to crack they say, because those even do fractioning etc stuff like that. - Same rules apply to projects claiming to be certified for top secret because they use AES-256. Sure cipher passes test vectors, but what's the security level of the rest of code. Better not to ask, because you probably don't want to know the truth.
  • So much laugh! Read only field is updated to database when it's submitted. The only protection made to preserve value for read only field is preventing changes on HTML form. Extremely traditional and bad fail. You can view only these values and only change this one field, but if you submit new value(s) for any of the 'view only field(s)' those are saved to database among the fields you were allowed to change. OMFG. Software is, well, it is what is is. This is just life and normal.
  • Also one common way is to say data is encrypted. Yes, it's encrypted, using always the same static hard coded 'thisdataisnowencrypted" key and ECB mode. Great. Secure, sure, guaranteed, it's encrypted using AES-256!
  • On the other hand, what's the likely hood that anyone still bother to crack that encryption. In most of cases nobody cares enough to even try. Even if cracking it would be very easy if even amateurs would try.
  • Skype Bots - Microsoft Bot Framework - Checked out Skype integration interfaces for Skype IM Bots.
  • One service provider is so proud about their Ceph solution. But if they want to hear honest comments. It sucks, performance is highly unpredictable and often fluctuating between poor and totally unavailable. Marketing is doing their normal thing. Selling cool replication technology but forgetting that it's performance is often awful.