
Facebook & Tor, Spritz, Python, TextSecure, Mobile users, Software testing, IoT

posted Nov 2, 2014, 8:24 AM by Sami Lehtinen   [ updated Nov 2, 2014, 8:24 AM ]
  • Using Facebook anonymously via Tor is almost certainly a failure. The site is designed to spy on you, so everything it does is the exact opposite of what's required for private, secure and anonymous communication. Their plan sounds more like a honeypot for clueless people. You might get an illusion of privacy, but it's almost guaranteed that you won't actually get it.
  • This is just what we have been expecting. It shouldn't shock anyone; it's simply the shape of things to come. Your television is spying on you, and that's not a joke.
  • Spritz is a great stream cipher which can be used as an RC4 replacement. It uses a sponge construction, so the same state that produces the keystream can also absorb the ciphertext and squeeze out an authentication tag; an attacker can't silently modify the data in transit the way they can with plain RC4 or with most block ciphers in unauthenticated CBC mode. Schneier also posted about it. If I happened to be seriously bored, I could write a pure Python 3 implementation, which would be nice, except really slow. Spritz itself is already slow, and pure Python would only make it much slower.
  • Checked out an article on high-performance Python extensions. I was already familiar with NumPy. Instead of OpenMP I've been using Python 3's native multiprocessing library for efficient many-core processing.
  • A really nice article about the differences between OSPFv3 and OSPFv2. The changes are much larger than just support for IPv6.
  • How secure is TextSecure? [PDF] Here's a paper analyzing it. Identity misbinding attacks are just way too common. Many people say that PGP and Retroshare are horrible because they require manual key exchange. No, that's exactly the feature which makes them secure! Manually exchanging keys, and making sure that the keys belong to the people you think they belong to, is a very important part of public key security. See: unknown key-share attack.
  • Mobile is eating the world! There's no point designing 'legacy software products' which won't work properly for mobile users. This is a very important thing to keep in mind if you're a product manager or planning to start a software startup.
  • Windows tablets are great, NOT! This is just my personal opinion, but I wouldn't recommend them to users. Sluggish operation, Windows updates take forever. Updates fail, changes get reverted, and after the 8.1 upgrade ~150 more updates have to be installed. Random SDBUS BSODs, reboots, WiFi / 3G connectivity issues. It seems that everything works badly, and update installation failures and blue screens are quite random and common. Eventually, after tens of reboots and installing all kinds of stuff, you'll get everything installed. If you're lucky. Then you install the upgrades from the device manufacturer, which take a long time and require multiple reboots etc. Luckily I'm able to install these in volume, as the tasks are rarely urgent. So I can put tens of tablets on a table and run the updates; after a few hours I'll revisit them, see what the situation is and continue. Yes, it's not consistent: some tablets and laptops in the batch can be much slower to install and others faster, others fail and some won't etc. It's just basically an absolutely horrible experience. I feel and know very well the feeling you described. Suddenly the touch screen is totally unresponsive, or doesn't work at all. You'll need to use a USB keyboard and so on.
  • Watched several EuroSciPy 2014 videos.
  • Watched the Docker keynotes from DockerCon14 [1, 2]: libcontainer, libchan, libswarm etc.
  • A nice description of how hard it is to test even simple software. And that's absolutely true.

    I've seen testing done well, but mostly very poorly. Often test cases are rushed, or there are no test / use cases at all. Checking the results of tests after software changes is also often omitted.

    Often people testing software do run some tests related to the changes made. But they completely miss that there might be serious side effects from those changes, which most probably aren't covered by the tests they execute. I really liked the Tetris article. That's just so true. Even when talking about devices like security appliances and firewalls, it's often easy to find bugs just by looking very hard for configuration options which the documentation doesn't say are invalid. Those are just extremely rare and not useful in most situations. Like taking an el cheapo firewall and trying to configure it so that it's in partially bridged and partially routing mode. After that you set up a VPN, as well as configure NTP and stuff like that. Things would work well in full routing mode, but when the firmware achieves this result with kludges, these features get broken in the process.

    That was only one example. Almost any complex but not very widely used program contains bugs which you can find by looking at things that most likely haven't been tested and aren't used by a large number of users / customers, because these are commonly the areas the official testing team isn't focusing on. They're already very happy if they get a version released where the most important things, used by the majority of customers, barely pass the tests without any serious problems.
  • You really shouldn't have a TV at home if you have any wish for privacy? What? Yeah, that's true.

    As we know, this is nothing new, but it's getting a lot worse. There's no privacy if there's a TV in the room, or any other smart screen. Of course laptops, phones and computers have posed similar risks before. But in this case the devices come pre-installed with 'malware' made by the manufacturer. Is there any privacy in the future?

  • Checked out several new mobile payment solutions which provide multi-channel payments: online / web payments, mobile payments, as well as credit card & NFC payments at the Point of Sale (POS).
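Since the Spritz item above muses about a pure Python 3 implementation, here is one as an added example (not the author's code, and not the Spritz paper's reference implementation). It follows the algorithm as published by Rivest and Schuldt with N = 256 and checks against the paper's basic-output and hash test vectors; the authenticated-encryption framing around it (how key, nonce, header and ciphertext are absorbed and where the tag is squeezed) is this example's own choice, not a claim about the paper's exact scheme. It is, as predicted, slow.

```python
"""Pure Python 3 Spritz (Rivest & Schuldt, 2014), N = 256: keystream, sponge
hash and a simple authenticated mode on the same state.  The AEAD framing used
here is this example's own choice, not the paper's exact construction."""
from hmac import compare_digest
from math import gcd

N = 256


class Spritz:  # sponge state: permutation S plus registers i, j, k, z, a, w
    def __init__(self):
        self.S = list(range(N))
        self.i = self.j = self.k = self.z = self.a = 0
        self.w = 1
    def _update(self):
        S = self.S
        self.i = (self.i + self.w) % N
        self.j = (self.k + S[(self.j + S[self.i]) % N]) % N
        self.k = (self.i + self.k + S[self.j]) % N
        S[self.i], S[self.j] = S[self.j], S[self.i]
    def _output(self):
        S = self.S
        self.z = S[(self.j + S[(self.i + S[(self.z + self.k) % N]) % N]) % N]
        return self.z
    def _whip(self, r):
        for _ in range(r):
            self._update()
        self.w = (self.w + 1) % N
        while gcd(self.w, N) != 1:  # w must stay coprime to N
            self.w = (self.w + 1) % N
    def _crush(self):
        S = self.S
        for v in range(N // 2):  # order each mirrored pair of S
            if S[v] > S[N - 1 - v]:
                S[v], S[N - 1 - v] = S[N - 1 - v], S[v]
    def _shuffle(self):  # Whip, Crush, Whip, Crush, Whip; clears a
        self._whip(2 * N); self._crush()
        self._whip(2 * N); self._crush()
        self._whip(2 * N); self.a = 0
    def _absorb_nibble(self, x):
        if self.a == N // 2:
            self._shuffle()
        self.S[self.a], self.S[N // 2 + x] = self.S[N // 2 + x], self.S[self.a]
        self.a += 1
    def absorb(self, data):
        for b in data:
            self._absorb_nibble(b & 0x0F)  # low nibble first, then high
            self._absorb_nibble(b >> 4)
    def absorb_stop(self):  # domain separator between absorbed fields
        if self.a == N // 2:
            self._shuffle()
        self.a += 1
    def squeeze(self, r):
        if self.a > 0:  # pending absorbed input: shuffle before any output
            self._shuffle()
        out = bytearray()
        for _ in range(r):
            self._update()
            out.append(self._output())
        return bytes(out)


def spritz_stream(key, n):  # basic Spritz output (the paper's test vectors)
    st = Spritz()
    st.absorb(key)
    return st.squeeze(n)

def spritz_hash(msg, r=32):  # Spritz hash; r < 256 assumed here
    st = Spritz()
    st.absorb(msg)
    st.absorb_stop()
    st.absorb(bytes([r]))  # the output length is absorbed as well
    return st.squeeze(r)

def _keystream(key, nonce, header, n):  # absorb the public fields, emit n bytes
    st = Spritz()
    for part in (key, nonce, header):
        st.absorb(part); st.absorb_stop()
    return st, st.squeeze(n)

def _tag(st, ct, tag_len):  # fold the ciphertext back into the sponge, squeeze a tag
    st.absorb(ct); st.absorb_stop()
    st.absorb(bytes([tag_len]))
    return st.squeeze(tag_len)

def spritz_encrypt(key, nonce, header, msg, tag_len=16):
    st, ks = _keystream(key, nonce, header, len(msg))
    ct = bytes((m + k) & 0xFF for m, k in zip(msg, ks))  # byte addition, as in the paper
    return ct, _tag(st, ct, tag_len)

def spritz_decrypt(key, nonce, header, ct, tag):  # plaintext, or None on a bad tag
    st, ks = _keystream(key, nonce, header, len(ct))
    if not compare_digest(_tag(st, ct, len(tag)), tag):
        return None  # tampered data/header or wrong key: release nothing
    return bytes((c - k) & 0xFF for c, k in zip(ct, ks))
```

The test vectors from the paper are `spritz_stream(b"ABC", 8) == 77 9a 8e 01 f9 e9 cb c0` and `spritz_hash(b"ABC")[:8] == 02 8f a2 b4 8b 93 4a 18`. The point of the sponge shows in `spritz_decrypt`: flipping one ciphertext byte, which plain RC4 would pass through as a flipped plaintext byte, changes the squeezed tag and the function returns `None` before any plaintext is released.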
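The TextSecure item above mentions identity misbinding (unknown key-share) attacks. The following is an added example, not taken from the TextSecure paper or from TextSecure itself, showing the generic form of the attack against a Diffie-Hellman exchange whose key derivation ignores identities, and the standard in-protocol fix of binding both parties' identities into the derived key. The group (2**127 - 1 with generator 3), the identity strings and the SHA-256 "KDF" are toy choices for illustration only, not something to deploy.

```python
"""Toy unknown key-share (identity misbinding) demo on Diffie-Hellman.
Toy group (2**127 - 1, generator 3) and toy KDF: for illustration only."""
import hashlib
import secrets

P = 2**127 - 1  # Mersenne prime; toy parameters, NOT for real use
G = 3


def dh_keypair():
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)


def derive_key(shared, ids=None):
    """SHA-256 over the DH secret; with ids, both identities are bound in."""
    h = hashlib.sha256(shared.to_bytes(16, "big"))
    for ident in sorted(ids or []):  # canonical order so both sides agree
        h.update(bytes([len(ident)]) + ident.encode())
    return h.digest()


def run_exchange(bind_identities):
    """Alice <-> Bob with Mallory relaying.  Returns True when Alice and Bob
    end up with the same key while disagreeing about who the peer is."""
    a, A = dh_keypair()
    b, B = dh_keypair()
    # Mallory intercepts Alice's public value A and presents it to Bob as
    # Mallory's own; Bob's reply B is forwarded back to Alice unchanged.
    shared_alice = pow(B, a, P)  # Alice believes the peer is Bob
    shared_bob = pow(A, b, P)    # Bob believes the peer is Mallory
    if bind_identities:
        k_alice = derive_key(shared_alice, ["alice", "bob"])
        k_bob = derive_key(shared_bob, ["bob", "mallory"])
    else:
        k_alice = derive_key(shared_alice)
        k_bob = derive_key(shared_bob)
    return k_alice == k_bob


if __name__ == "__main__":
    print("unbound KDF, same key on both ends:", run_exchange(False))
    print("identity-bound KDF, same key on both ends:", run_exchange(True))
```

Without binding, the keys match: anything Bob encrypts "to Mallory" decrypts at Alice's end, and Alice takes it as a message Bob meant for her. With the identities inside the KDF, the two ends derive different keys and Bob's message simply fails to decrypt, so the misbinding is caught by the protocol rather than depending on either user noticing.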