Badlock, ATDD, ESB, LetsEncrypt, Passwords, Crypto, MOV, Investment Robots, Duplicati 2.0, Paramiko

posted Jun 10, 2016, 9:41 PM by Sami Lehtinen   [ updated Jun 10, 2016, 9:42 PM ]
  • Checked out the Badlock Windows (SMB / Samba / Server Message Block - SAMR, LSAD, CIFS) authentication vulnerability / exploit. Ref A, B
  • Some testing-related reading: Systematic Software Testing, Acceptance Test Driven Development (ATDD), end-to-end testing, ISO/IEC/IEEE 29119 and 29120.
  • ScaleWay finally offers native IPv6 connectivity. Btw. the OVH SSD series doesn't, for some strange reason, provide IPv6 right now.
  • Checked out a few Open Source Enterprise Service Bus (ESB) options.
  • Read a few articles about building e-commerce startups.
  • Let's Encrypt got new sponsors. Cisco and Akamai. Whoa, that's great.
  • Passwords: I personally do prefer the Shared Key approach. It doesn't matter what it is, as long as it has enough bits and entropy. It's the norm that most pass phrases and passwords are way too weak. But for 256-bit encryption, sharing 256 bits of entropy is enough. Of course ECC is even better. But for many applications and purposes a shared key with challenge & response works just fine. - That blob can then be presented in whatever form is required: words, hex, base64, digits (base 10), bits, binary or Unicode with suitable characters. Mapping a blob of bits to some other representation format isn't that complex a task, really. - For end users, adding something like TOTP is a nice add-on.
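The shared-key idea above, as an added example that is not code from the original post: draw 256 bits from the OS CSPRNG, present the same blob as hex, base64, decimal digits, a bit string and a word list (the 16-word nibble list is a constructed assumption for illustration, not a vetted wordlist), and use the key in an HMAC-SHA256 challenge & response.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed wordlist (assumption): one word per 4-bit nibble, so a 256-bit key
# becomes 64 words. A real deployment would use a vetted, larger list.
NIBBLE_WORDS = ["alpha", "bravo", "charlie", "delta", "echo", "foxtrot", "golf",
                "hotel", "india", "juliet", "kilo", "lima", "mike", "november",
                "oscar", "papa"]

def generate_shared_key(bits=256):
    """The shared secret is just `bits` of entropy from the OS CSPRNG."""
    return secrets.token_bytes(bits // 8)

def to_words(key):
    """Map each byte to two words (high nibble, low nibble)."""
    return " ".join(w for b in key for w in (NIBBLE_WORDS[b >> 4], NIBBLE_WORDS[b & 0x0F]))

def from_words(text):
    """Inverse of to_words: rebuild the byte string from the word list."""
    nibbles = [NIBBLE_WORDS.index(w) for w in text.split()]
    return bytes((nibbles[i] << 4) | nibbles[i + 1] for i in range(0, len(nibbles), 2))

def encodings(key):
    """Same bits, different presentations; none adds or removes entropy."""
    n = int.from_bytes(key, "big")
    return {
        "hex": key.hex(),
        "base64": base64.b64encode(key).decode("ascii"),
        "digits": str(n),
        "bits": format(n, "0{}b".format(len(key) * 8)),
        "words": to_words(key),
    }

def make_challenge():
    """Verifier sends a fresh random nonce so responses cannot be replayed."""
    return secrets.token_bytes(32)

def respond(key, challenge):
    """Prover proves key possession without sending the key itself."""
    return hmac.new(key, challenge, hashlib.sha256).digest()

def verify(key, challenge, response):
    """Constant-time comparison avoids leaking how many bytes matched."""
    return hmac.compare_digest(respond(key, challenge), response)

if __name__ == "__main__":
    k = generate_shared_key()
    for name, value in encodings(k).items():
        print(name, value)
    c = make_challenge()
    print("verified:", verify(k, c, respond(k, c)))
```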
  • Read: NIST Special Publication 800-175B, Guideline for Using Cryptographic Standards in the Federal Government: Cryptographic Mechanisms, and Menezes–Qu–Vanstone (MQV). Also spotted a typo: it says "ANS X9.31" when it should say "ANSI X9.31". Yes, I did read it all. I also liked the row numbering in the document.
  • It's interesting to see how Investment Robots will affect the markets. It's no secret that bigger players have been using these for a long time. But now those are being used as mutual fund managers etc. Also many stock brokers naturally provide easy-to-use APIs for anyone wanting to build their own investment bot and pay hefty trading fees. It's also easy to collect big data and alternative data on investments, businesses, news, press releases, etc. Robot Advisors are just one way to encourage traders to trade, and that's where the money comes from. Buy and sell, all the time. There's already one robot investor company in Finland which publicly offers its services.
  • Checked out news about the Duplicati 2.0 major update coming (to be announced). Old Duplicati works really well, but it's a bit problematic when individual daily backup data sets start to go into the 100+ GB range. The only thing I really don't like about Duplicati 2.0 is that it relies on .NET bloat.
  • So much joy! Duplicity, Paramiko SFTP, SSH key login -> Fail. Ok ok, let's configure all the ssh / config files and stuff in detail. Still fail. Ok, ssh and sftp work perfectly. Let's read the docs again. Ok, we can use lftp for sftp according to the documentation. Let's try lftp + sftp ... Got it working? Well, no, nope. Uh, great, FAIL! It's so nice when there are 10 ways to get it done, and all of those fail differently. Reverted back to password usage because this was just too much fail for me for one day. I might still try the -i option, but it wasn't documented anywhere. -oIdentityFile failed too. Yabba dabba doo. After plenty of extra tuning I got the pexpect + sftp combination to work flawlessly with the sftp server and modern 16.04 Ubuntu, being called by Duplicity automatically.