Blog‎ > ‎

Docker, Ori, ThorCon, HFS+, OpenBazaar, Ratchet, Monitoring, IPv6 uWSGI, Remmina RDP

posted Jan 11, 2015, 9:56 AM by Sami Lehtinen   [ updated Jan 11, 2015, 10:32 AM ]

Some fresh stuff for change.

  • Microsoft now offers Docker images in Azure Marketplace & other Azure related stuff- Here
  • Ori File System - A secure distributed file system - No personal thoughts about this, these projects seem to come and go non-stop. I did read basic documentation and as far as I can see, it doesn't provide anything special, yet it's available for multiple operating systems.
  • Something different: ThorCon Nuclear power plant design. It's based on Molten Salt Rector Experiment (MSRE). The most interesting aspect is that the project is walkaway safe, even if people would disappear from the planet right now, power plant would still make automatic controlled shutdown. Really interesting stuff, modular safe design. I had to read everything they offered in their site. Also read Coal and Petroleum articles just to remind my self about this stuff.
  • Checked out HFS+ article, just for generic file system comparison information. I haven't ever used HFS or HFS+. Support for things like extents and data inlining, doesn't look bad at all.
  • Reviewed extensive Security Model documentation for one project, including Thread models, assumed adversaries: users, corporations, governments, developers). Reasons for attacks financial gain, making money, disturbing functionality of the product making in unreliable and insecure, breaking trust, weakening network & connectivity, unmasking users and breaking anonymity, block certain objects from network, sybil-attacks, man in the middle attack, developers pushing code which will damage software integrity and functionality, DDoS, denial-of-service attacks. Password policies, mobile, desktop and laptop security settings and policies. Public key encyption key management, storage, security, protection. Data access policies, never use devices which aren't fully under your control to access any trusted systems. Don't use any unknown hardware, like USB sticks or other bus connecting devices. Password protect BIOS. Prefer using Full Disk Encryption (FDE). Sign & encrypt all important messages. Only use programs from trusted sources. Always verify binary & program integrity. Never install or use arbitrary programs or scripts. Prefer package manager over web downloads. Don't fall a victim of social engineering attacks. Always verify contacts & identity. Using 4096 bit RSA keys is recommended. Users are required to follow security guidelines. Compliance checking is done monthly. Revoking access, granting access, checklists. All requests must be signed and separately verified to be authentic. Writing secure code, avoiding XSS, SQL injections and transferring confidential data without encryption. When things require privacy, be very careful about encryption ,data expiry policies and logs, as well as with cloud services.
  • OpenBazaar will be at FOSDEM'15.
  • OTR Advanced Ratchet / SCIMP Ratchet Future Secrecy, Axoltl Ratchet - Ways to use temporary short term public keys, so each message (or small number of messages) only utilize same key. This is just a way to automate what I said about GnuPG and it's ephemeral keys. Of course you can change keys and generate new ones, as often as you want to. In this case, keys are renewed basically on every round trip.
  • Wrote a program which checks multiple systems for default credentials. But then the reality check? What's the point of monitoring systems for default credentials? To be sure that there aren't any? Well, not so. Because there are plenty. Whole point is that using default credentials won't break anything, so nobody's interested to do anything about it. Business as usual, tons of gaping security holes, everything is well and working, so why worry?
  • Finally got my test project to fully work with IPv6. Original problem was that uWSGI only listened for tcp4 connections. But after asking it, one guru told me that I'll need to use --http [::]:80 parameter to enable listening and services for both IPv6 + IPv4. That's nice. But there's no documentation what so ever about this question. This is once again something you'll need to know and assume based on extensive knowledge base.
  • Found oud that Remmina connectivity problems are due to setting RDP connection encryption to high. NLA and TLS do work well, but if encryption is set to high, then thinks break up. I don't yet know why this is happening, but I'll try to find out. Acutally I don't know even if that encryption setting is especially meaningful when TLS is used to secure the connection instead of using legacy RDP encryption. Kw: remote desktop protocol, linux, os x, mac, ubuntu, remmina, windows server 2008 r2, windows server 2012, remote desktop problems, unable to connect, won't work.

I'll be dumping more stuff from backlog later.