Badly done, OpSec, e-Receipts, Salary Database, Customer Experience, Payments

posted Jan 22, 2016, 10:39 PM by Sami Lehtinen   [ updated Jan 23, 2016, 10:04 AM ]
  • Some things are just so badly done. Like calling to verify information while pretending it's not related to anything. It's true, there's no such thing as random coincidence. In the security business it seems that most random things aren't that random at all. They're actually very carefully targeted. Sometimes it's so obvious it's almost funny. Like calling to verify who owns something and who's using it. Usually when they call, they're always trying to sell some unnecessary stuff to get additional invoicing. If they're not doing that, they're checking something else for someone else. They won't otherwise contact you just to 'check things'. Anyway, unless you try and see what happens, you'll never know. Like I've said earlier, it's hard to figure some things out unless you just go and try. Then you'll see how blatantly obvious those poor attempts to check things are. It's almost as bad as phishing attempts. They should try harder and be better at social engineering; the current checkups are almost blatantly bad. Just a pro-tip. Also the requirement to keep the investigation under wraps works quite badly, at least in some cases. It's a bit like stealing (and returning) items from a store, just to see how bad their security is. They also don't realize that systems can work as a proxy, especially when developing and testing experimental P2P systems. But yeah, it's quite common that some people just don't get how tech stuff works, and that's no news either.
  • Refined opsec processes and best practices for one project.
  • Visited the final e-receipt meeting; the file format based on Finvoice is there. Yet there's still one major issue: how to match the receipt to the buyer. This problem has been clear from the very beginning, and as I said, I haven't seen anyone solve it. Yeah, everyone has their own, marginally used solution, but that's just one more marginally used solution which adds to the mess. Still, the good thing is that this file format can be used whenever there is (any) way to identify the customer. Of course this also raises many privacy-related questions. Is EFF Finland going to hand out a Big Brother award, if every purchase transaction in Finland were verified with the national identity card and the purchase information sent automatically to the authorities? Great, and not so great, depending on your viewpoint. Of course at least the tax authorities would LOVE that. You could very easily compare spending and income. If you're spending a lot more than you're earning, then there's something really wrong. Even if you pay by cash or Bitcoin, because they'd get all the transaction data directly from vendors and businesses. Or at least that's the theory, which isn't technically far-fetched at all. Just like the NSA stuff. It can be done, so why not do it? I always view things technology first: if it can be done, it can be done. It may be illegal, but then the next step is just to do a proper risk / benefit analysis. Isn't that what every business is doing?
  • In Finland a national salary database is being built. All information about income and salaries will be gathered into it. This is great; now combine this with the spending database I described and things are going to be great. And bad for anyone working in the gray or black economy.
  • Anyway, this would also bring one great benefit: national business and statistics information would be up to date too. Now it often takes years(!) before any statistics are released. With this kind of solution the country would know every day how things are going. So we could have a national economic dashboard. Wouldn't that be great?
  • At this point I would like to remind you that my views are my personal views, as stated, and do not represent any organization. Also my thought flow is just thought flow; it doesn't mean that I would truly support these values. It's just thoughts: could something be done or not, and why?
  • Read long articles about Product Hunt. I'm not linking to any of those articles or the site itself. There are so many views about this stuff. But the truth is that businesses need to make money, via some means. If it's sponsored or paid content, great. Users might even find that less annoying than direct advertisement, because it's more concealed. I've noticed that some news articles are actually ads. In some cases there's not even a proper attempt to hide it. Often the ads are concealed as 'statements by professionals' or some (paid) research. I guess that's no news either. But at least in Finland the media landscape has been changing quite drastically during the last few years.
  • Read a book about improving customer experience with ICT systems. Ha, this is something we all have plenty of experience with. Yet usually the things you remember are the cases where even trivial actions fail spectacularly. Like the case where I tried to open an Uber account, and nope, it just wouldn't work out. How lame!
  • Read an extensive study about mobile & RFID payments. Nothing new so far: security issues, usability issues, relay attacks, etc. I've said earlier that one way to prevent relay attacks is very strict latency requirements. Yet this could have drawbacks if the performance of different chips varies. Also, pinging with a message which isn't cryptographically protected is useless, because it's trivial to spoof. Of course there are different kinds of solutions. Some relay the payment information directly between the payment terminal and the phone, and others relay it over the Internet. Both solutions have different pros and cons, as well as different authentication schemes: how the payment is actually authorized, how the recipient is confirmed and so on. Current payment cards would be just so much more secure if they had a display and at least Ok / Cancel buttons, so you could see what kind of transaction you're signing with the card. But I've written extensive stuff about this before. Payments are no different from any other authentication scheme, even if payment industry people often seem to think so. Nope, it's absolutely the same stuff, whether you authenticate a user, check a passport or make a secure payment. No difference whatsoever.
  • Enjoyed a short confusing moment between char, wchar and varchar. But that was quickly resolved, and it's all obvious now. Why was it confusing? Well, I'm used to using higher-level tools like Python or Java, which basically assume that everything is wchar / varchar by default. Using fixed UTF-16 strings (wchar) seems just so archaic. Yes, I know in some cases it CAN give you a performance boost, especially if you're doing pointer arithmetic. But ouch, that's also quite risky and error-prone.
  • Studied with a friend one discarded old safe and its single-knob rotary combination lock, just for fun. It's very simple stuff.
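To illustrate the relay-attack point in the payments bullet above (why a latency check on an unprotected ping is useless, while the same check on a keyed challenge is not), here is an added simulation that is not from the original post: a terminal runs its timing check first against a genuine card and then through a relay. The shared key, the latency figures and the simulated clock are constructed assumptions, not values from any real payment scheme.

```python
import hashlib
import hmac
import os

# Constructed example values; not taken from any real payment scheme.
CARD_KEY = b"constructed-shared-card-key"
MAX_RTT = 0.005  # 5 ms round-trip budget; illustrative, not a standard figure

class Clock:
    """Simulated clock so the timing check is deterministic and offline."""
    def __init__(self):
        self.now = 0.0

class Card:
    """Genuine card: answers a fresh nonce with an HMAC under the shared key."""
    def __init__(self, key, clock, latency):
        self.key, self.clock, self.latency = key, clock, latency

    def respond(self, challenge):
        self.clock.now += self.latency      # chip work plus the NFC round trip
        if challenge == b"PING":            # unprotected ping has a fixed answer
            return b"PONG"
        return hmac.new(self.key, challenge, hashlib.sha256).digest()

class Relay:
    """Two devices forwarding traffic between the terminal and a distant card."""
    def __init__(self, real_card, clock, hop_latency):
        self.real_card, self.clock, self.hop_latency = real_card, clock, hop_latency

    def respond(self, challenge):
        if challenge == b"PING":
            return b"PONG"                  # answer is public: reply locally at once
        self.clock.now += self.hop_latency  # answer needs the key: forward to the card
        return self.real_card.respond(challenge)

def ping_check(device, clock, max_rtt=MAX_RTT):
    """Latency check on an unprotected ping; a relay passes it trivially."""
    t0 = clock.now
    ok = device.respond(b"PING") == b"PONG"
    return ok and (clock.now - t0) <= max_rtt

def authenticated_check(device, key, clock, max_rtt=MAX_RTT):
    """Latency check on a keyed challenge; the relay's forwarding hop shows up."""
    nonce = os.urandom(16)                  # fresh per transaction, cannot be pre-answered
    t0 = clock.now
    reply = device.respond(nonce)
    rtt = clock.now - t0
    expected = hmac.new(key, nonce, hashlib.sha256).digest()
    return hmac.compare_digest(reply, expected) and rtt <= max_rtt
```

With the relay in the path, ping_check still returns True while authenticated_check returns False, which is the whole argument for keying the timing probe.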