Blog‎ > ‎

DNS-SD, Learn, SSBJ, Security, RA/DHCPv6, 5GHz, IPAM, gRPC, IV, RC4NOMORE, Data Retention

posted Jul 28, 2015, 7:20 AM by Sami Lehtinen   [ updated Jul 28, 2015, 7:21 AM ]
  • DNS based Service Discovery - DNS-SD, RFC 6763
  • Finnish recommendation for Internet Service Providers ISP to deliver IPv6 connectivity to end users [PDF, Finnish].
  • How to actually learn data science. That's what I do. I usually like to setup a project which requires a certain skill set. The skills I don't have, I have to study and learn and then execute the stuff. Creating a actually working implementation will give you a much better insight into problems than just reading about those.
  • Hunted for hot spots in VMware ESXi environment. Some tasks which should take only seconds, can now seemingly take 10 minutes. Ehh, that's not really an optimal situation. Need to investigate more. After some hunting found a memory leak in one application, which reserved huge number of small memory segments and then caused those to be swapped out. Actually that creation didn't cause the problem. Problem was only caused when that huge swap was getting released suddenly on several parallel servers causing absolutely unacceptable amount of disk I/O and 'freezing' the host in process.
  • Youtube documentary Zero days - security leaks for sale. Hacker / hacking / Internet / security documentary.
  • Checked out: Textron AirLand Scorpion and Supersonic Business Jets (SSBJ), and many similar concept designs, but it's really hard to know from limited information resources which of those projects are pure fiction and if some are actually making some progress.
  • It seems also to be really complex to tell if system is using DHCPv6 or RA / SLAAC. Microsoft Windows gives very confusing and misleading information about that. Sometimes addresses are labeled as Public or DHCP but who says that you can't get public address via DHCP? As well as DHCP based entries do not show lifetime but SLAAC based entries do and so on. I'm sure if there are problems, it's going to be horrible to provide customer support because everything is so messed up and it's hard to get reliable information. In somecases it seems that only way to get reliable information what's actually happening is to dump the network traffic and analyze it. Tools, logs and user interfaces are so badly designed and confusing that you can't really trust those. Yep, this isn't first time nor the last. IPsec is similar. There's no way to trust the user interfaces or logs, everything can be more or less wrong. Well after playing with this stuff for a long time, you'll find out which are the places you can trust and which provide conflicting or wrong information. But it's always so annoying when things are inconsistent. It's just like bad or misleading documentation, which makes troubleshooting real nightmare, because you can't trust any information. You'll simply have to go through all possibilities and try to find some reliable source of information (like packet dumps) when you can't trust any other information.
  • Also had separate problems at one hosting company. Well you'll get what you pay for. More money = More dedicated resources. Yet it seems that things turned good. After I made the complaint and clearly said, I'll move all my systems out if this happens again. It hasn't been happening again. Luck or did they actually change something? Sounds pretty unlikely that they would really care. Or maybe I'm underestimating their interest to customer satisfaction, which also sounds unlikely.
  • Noticed that some teams aren't using automated monitoring for their production systems. That's really bad. If you don't monitor service quality & availability it's highly likely there will be exteded down time.
  • Once again ended up in a discussion where I had to remind my self about OTP, OFB, LRW, XTS, XEX. For simplicity of implementation team decided to use standard CTR with AES128. I really like asking some things from cryptology professor, helped to deepen my understanding about a few things. Which I already know how those should be done, but I really didn't understand why. Now I know it too.
  • OWASP Cryptographic Storage Cheat Sheet
  • Hackers remote kill a jeep on the highway. This is the future, everything is connected to the Internet, remote controllable and of course hackable. kw: uconnect, CAN bus, remote, exploit
  • Reminded my self about why and when Initialization Vector (IV) is needed.
  • Studied Python types library, "Dynamic type creation and names for built-in types". - It allows you to generate new classes dynamically. Yep, full classes, not only instances as usual.
  • gRPC Google's Remote Procedure Call system utilizing bidirectional HTTP/2 single connection multiplexed RPC. Really a nice way to utilize HTTP/2.
  • Checked Charles Leifer's post about Python UnQLite bindings. Looks really interesting. I have to check out if I could use unqlite instead of SQLite for some of my projects. Answer is most probably yes. Yet I'm familiar with SQLite3 and if there's no reason to switch, there's no reason to switch. Peewee already offers dictionary like interface for SQLite3 which I'm using with some key, value tables.
  • OpenBazaar project started weekly progress updates in their Blog.
  • Checked out a few IPAM products, yet I believe I don't have any need for those in future either. Managing just a few networks, is trivial, and even more trivial when IPv6 comes along, because you can easily allocate own /64 for every subnet required. Currently my ISPs are offering /48 for businesses and /56 for home users. It's interesitng that the Wikipedia article says that IPAM is more in demand for IPv6, I personally think that it's less required. Also firewalling comes much easier when you can refer directly to required subnet level. Or if you want just to croasely restrict traffic you can easily whitelist whole ISP, instead of going to through tens of even hundreds of different IP subnets they're using. This can be naturally combined with DDNS when required.
  • Quickly tried HaCi and Netmagis - Which just confirmed what I thought earlier. Using one smallish spreadsheet for required data is ok way to manage all I need to manage.
  • Checked out WLAN (Wifi) 5 GHz channels in Europe. I'll need to setup one network and wanted to be informed about channel usage. Ok, I wanted to see also the international differences, I'm curious so I did read it too.
  • Had long discussion with a friend about 'academic research' versus 'efficient execution'. How huge difference there is how things can be done.
  • At one salary comparison site I really wondered about about lack of units and definitions. They just got question like, what's your salary with dropbox containing several ranges from 500 to 200k+. But salary, in which currency? For which period? Weekly, daily, hourly, monthly, yearly? I really tried to look for the definition on the site and I couldn't find one. Also in heavily taxed countries there are big differences if you'll get paid vacations or not and if the salary is before or after taxes. Does it include potential bonuses, extras or overwork or not and so on.
  • HTML5 can be used to hide malware. Surprise? No.
  • Still had strange problems with IPv6 and one Linux server. It's probably related to IPv6 and UFW configuration. Yet I'm not exactly aware what's causing the problem. I changed some settings and if the problem reoccurs then I'll have to do larger changes. I just prefer not to change too many things at once, because then there's no way to tell which particular setting fixed the issue.
  • RC4NOMORE - Yep, RC4 shouldn't be used. As they say, attacks only get better. Here's improved and further developed clever attack against RC4.
  • Actually the DHCPv6 vs SLAAC poll is interesting, because even if address is assigned using SLAAC the DNS and other information can be delivered with RA O flag using DHCPv6-Lite protocol, which does not require M flag. So the host IP address is autoconfigured using SLAAC but the DNS information is still fetched over DHCPv6. This makes the question if you're using SLAAC or DHCPv6 quite confusing. There should be three options, A,M,O which flags are being used or if the address is being configured manually.
  • Studied Veeam backup & replication for VMware or Hyper-v, yet I concluded that I don't have use case for it right now.
  • Carefully studied and commented OpenBazaar's upcoming contract schema. I'll be blogging more about my findings. The schema version which I commented is still under construction and so far 'lightly discussed', so there are many things to fix. But I'll be posting about my OpenBazaar related observations later, and it will be a long post.
  • Studied unqlite-python documentation. - https://unqlite-python.readthedocs.org/en/latest/api.html#Collection - Nice, I like it. It's fits very well with Pythonic design. Iterable, lists and dictionaries.
  • Data retention, privacy, law and leaks / data theft: What's the problem? Everyone is talking about big data and stuff. Isn't one key factor of that, that any data ever obtained whatever means, won't be deleted, ever. You don't ever know when you might need it. Yet if it leaks, too bad. It wasn't 'our' data necessarily in the first place, we just happened to have it.
    This can be a problem, because some corporations have data retention policies which explicitly forbids deletion of any data, even if it would be required by law. Who's going to audit that anyway.
    Just as example:  If Gmail, Facebook or Dropbox leaks all customer data, including your private messages, chats, email attachments, anything you ever synced (photos, excel sheets) to the service in past 10 years. They can just say s*t happens. Not our problem. This came as complete surprise and we'll be making some improvements in future. Sorry.
    If that happens in future. Don't feel bad. You should have been expecting this to happen when you send your stuff to 'cloud'. So there's nothing to whine about.
    Why so? Because data isn't properly classified when it's generated / received, it leads to situation where there's so much 'random' data that nobody wants to go through it and decide what should be removed. Therefore it's just much simpler to keep everything forever. As well as many developers are lazy, inserting data into relation database is really easy, but nobody bothers to build the data structures so that data could be removed from the database in some sane way without breaking relations and this leads to situation where nothing gets ever deleted.
  • Finally something light, it's a cloud story time! What's the silliest thing you've encountered with cloud stuff? Here's my story.
    Once upon a time, at one customer, they had advance awesome private cloud.  It was really top notch. When we needed resources from that cloud it turned out to the project managers that getting resources from private cloud would require so much bureaucracy, paperwork and meetings, that we'll do it otherwise. We just ordered a few physical servers and installed those to the corner of the office. This was cheap, fast and efficient.
    Isn't flexible cloud stuff awesome or what? Nowadays it would be just as simple to get the servers from UpCloud or similar service provider, but the company's own cloud was a joke. Shadow IT working hard!
    Got any juicy stories to tell? I got tons of those! Share on G+ with me.