Blog‎ > ‎

Cloud security, JavaScript Crytpo, Megafail, Hard Disk Drives, Spinrite, Disconnect.me, exFAT, Graph Search

posted Jan 27, 2013, 1:19 AM by Sami Lehtinen   [ updated Jun 21, 2014, 3:42 AM ]
  • This is extremely pro-cloud writing, but often true: The deslusions that companies have about the cloud.
    It's much worse to have some own random server somewhere, which got 100% uptime... Wel, until it doesn't. There was this one guy working in the company three years ago who knew something about that server. Now HD of the server is broken, it could easily take a week to get it online again, and restoring full functionality can take week or month. It's also well possible that it doesn't happen at all, because lack of backups. There might not be automated backups at all, backups might have been malfunctioning for a extended period. Or even funnier situation where backup is fresh, but nobody knows the encryption key. Or the backup tape has been unreadable for years. Backup was in same room with server, and is now burned. Backup was USB stick attached to the stolen machine. Some guys also said, that cloud companies care about privacy and security, because it's essential. Many other companies doesn't care about it all. Even if alarms are raised, if nothing really bad happens, all issues are simply ignored.
    - Yes, I have personally seen all of these issues when working with customers.
  • People say that browser JavaScript crypto is inherently unsecure and doomed.  Well, this is one of the issues I have been raising from time to time, about automated updated for programs. If they can modify web-pages in realtime, what makes you think they couldn't deliver fradulent desktop software using automated updates? - Well, they can. So if you don't trust javascript crypto software downloaded from website, why you should trust native encryption program, downloaded from a website? Unfortunately still many program updates are delivered using plain http and without any signatures etc.
  • Megafail? Mega.co.nz security analysis, which tells something about my previous bullet point. Would native locally installed client be any better with automated updates? No?
  • Checked out some information about h.265 / HEVC, I'm really happy that I don't need to write decoder or encoder for that. If something is really mind bendingly complex, that will be it.
  • Read interesting news article about Shingled Magnetic Recording. There are interesting times for HDD industry, when SSDs are mainstream, traditional disks need to really offer superior capacity. Currently manufacturers seem to be moving to Heat Assisted Magnetic Recording (HAMR). Patterned media is also one interesting future technology. Also see: full 9 page SMR PDF document. Perpendicular recording is already old stuff. Here's also one article about HAMR.
  • After listening endless stories by Steve Gibson about his Spinrite level 1 and 2 runs for SSDs. I decided that these are very basic functions, it doesn't really require any specialized software. So I did run badblocks -sv for all drives to confirm that all data is readable, and disk controller is aware of the current "disk state", because status of un-used disk areas can be unknown to controller.
    For my Windows workstations I used chkdsk /F /R which also reads all files and non-allocated space from partition. I with badblocks could have unmounted the drives and used -n parameter (to do non destructive write tests too), but as far as I know, that's not required because I assume that everything is ok. Read-only test is actually more than enough. I think badblocks is better than chkdsk, because it reads all blocks from selected block device, and doesn't care about partitions. Remeber to run it for whole block device, not only to a specified partition.
  • Disconnect.me excellent site about social network spying. They offer excellent browser plugin to prevent continuous snooping. Facebook is absolutely the worst spyware of the year. Don't forget to check out their blog too. Well there are also other spies watching over your shoulder like Twitter, LinkedIn, Google Plus, etc. Social network buttons are the cancer of the internet, destroying privacy. Also user identity can be stolen using Widget Jacking method due insecure social network widgets which aren't using SSL.
  • Reminded my self about S.M.A.R.T. and AHCI as well as disk drive native wipe (overwrite / destroy) features. But how you can be sure that everything has been erased? Well, without good lab, you simply can't. Is it worth of it? No, just physically destroy the drives containing confidential data when you're done.
  • DARPA got interesting plans, they're planning to create payloads that fall upwards. Yes, from the bottom of the sea to the surface. See the project. "Distributed systems to hibernate in deep-sea capsules for years, wake up when commanded, and deploy to surface providing operational support and situational awareness"
  • Something fun for a while, a nice 404 page. Although I personally think that the animation isn't nearly as advanced as it was in the original version over ten years ago. So yes, it's a partial fail.
  • Checked out exFAT features. Well, doesn't impress me much. It's just extension to old fat. Without journal it's really dangeorus file system to use for anything meaningful. Even NTFS USB sticks get corrupted, but luckily it's only the data that get's corrupted, because journaling saves the file system. Without journal, well, things can be much worse. I don't find over head of using NTFS or Ext4 for USB flash too bad, compared to the damage what non-journaling file system coud cause with multiple random disconnections.
  • Blog post about actual facebook graph searches. Well, why is this news? They have made all that information public anyway. Shouldn't be any news at all.
  • Updated to latest GAE developer SDK: release: "1.7.4", timestamp: 1352314290, api_versions: ['1']