
Fails, Data Security, Monitoring, Network Speed, Email Address Validation, Xitroo

posted Nov 12, 2016, 7:45 AM by Sami Lehtinen   [ updated Nov 12, 2016, 7:46 AM ]
  • Elite coders... Key control buttons hidden behind other UI components. A list with one entry is empty, and the other fails. To sum it up, omfg.
  • The Data Security Office called me, and their call made me laugh, so much. I didn't dare to laugh during the call, but afterwards. Almost rofl. They weren't sure what the documents were; they personally knew the person responsible for the security of those documents in that organization. Yet they didn't do any of the handling themselves, but as official officers they tried to delegate the job back to me. Ok, in this case I just forwarded the email myself, but really wtf. Was that next step really my job? - Ridiculous. - What should be learned from this? Reporting incidents doesn't interest anyone. And they'll try to delegate it back to you and not take it forward internally. As many researchers have said, that's the norm. So the options are: sell the information on the black market if someone's willing to pay for it. - Great! Or just publish it anonymously for lulz. If there's a sh*t storm after that, just laugh. Nobody cared before that, maybe they will now? - Reporting it isn't worth your time, and nobody really cares.
  • Lots of discussion with several friends about the benefits and drawbacks of virtualization and how it's nearly impossible to compare vendors without extensive testing, monitoring and logging. Added software on several servers which records and tests server performance repeatedly and reports it to a central monitoring system with alerts. - Way to go. - Yet I wish things would work so well that this wouldn't be necessary.
  • Constant monitoring and logging is important. One network connection dropped from 12 Mbit/s to 8 Mbit/s, without any notice. The only way to find that out was from logging. We've even found the exact timestamp when this happened. - The speed returned to normal, without anyone doing anything. The physical network path is the same etc. Really strange and annoying at the same time.
  • Following Brian Krebs' DDoS story closely. Akamai kicked the blog out. Hmm, nice PR.
  • VDSL2 is incredibly crappy technology. I don't really get why someone prefers it over fiber or Ethernet. But it seems that some ISPs just can't stop loving it.
  • More fun, it seems that the Microsoft guys can't even validate email addresses correctly. I created a temporary address: !#$%&'*+-[]\\\/=?^_{|}~@sami-lehtinen.net yet Outlook doesn't allow me to send email to that address, they claim it's invalid. No it wasn't. It was totally valid. Lol, even Tutanota doesn't allow ~ in an email address. Why not? It's incredible how many services don't get something like email addresses right. Lots of great engineers and programmers out there...
  • Other interesting observations. Thunderbird automatically adds quotes on addresses which require them. So if the address is []@sami-lehtinen.net Thunderbird changes it to "[]"@sami-lehtinen.net But why is <>@sami-lehtinen.net not valid, yet <@sami-lehtinen.net is? Also []@sami-lehtinen.net is valid... Very strange, maybe a bug? Gotta review RFC 5322 again - It seems that the <> identifiers are used for address identification.
  • I just can't stop loving administrators and programmers without any logic. One email service claims that an email address can't contain #... Yet their SMTP server accepts an rcpt to address with #. What's the logic? No, it didn't deliver the email to the XXX part of XXX#YYY.
  • Why does Thunderbird say <>@sami-lehtinen.net is invalid, but Postfix says that <<>@sami-lehtinen.net> is valid? Go figure. Postfix also accepts <>@sami-lehtinen.net without brackets when following "rcpt to:". I don't even know what's right, but it seems everyone's got a different implementation of the same standard.
  • Tested a new service, Xitroo.com beta. It's always so fun to find ways to screw projects. Managed to take over their start & welcome pages quite easily, defacing completed. Trivial. So much fun. No it wasn't anything serious, but worked like a charm. Found also other interesting usability issues, no default domain. Some inactive buttons were annoyingly visible and asking to be clicked, even if those wouldn't work. How about not showing the button in such cases? The back button was broken, required two clicks to get back. And several other small remarks. Well, it's always easy to judge others' work. But those are all minor things and can be trivially fixed for a better future.
  • Had a way too long discussion about JS CDNs like cdnjs, googleapis, asp.net, MaxCDN, keycdn. Phew.
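On the email address items above: the disagreement between clients and MTAs comes down to which local-part characters RFC 5322 allows bare (atext) and which only inside a quoted-string. The checker below is an added example, not code from the post or from any of the products mentioned; the sample local parts are constructed to mirror the ones discussed, and the domain is only used as an illustration.

```python
# Added example (not from the original post): a minimal RFC 5322 local-part
# checker showing which characters are plain atext and which must be quoted.

# RFC 5322 section 3.2.3 atext: ALPHA / DIGIT / the printable specials below.
# Note that [ ] \ < > ( ) : ; @ , " and "." are NOT atext.
ATEXT = set(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    "!#$%&'*+-/=?^_`{|}~"
)


def is_dot_atom(local: str) -> bool:
    """True if local is a dot-atom: 1*atext *("." 1*atext)."""
    if not local or local.startswith(".") or local.endswith(".") or ".." in local:
        return False
    return all(c in ATEXT or c == "." for c in local)


def quote_local_part(local: str) -> str:
    """Return the local part in RFC 5322 form, wrapping it in a quoted-string
    (section 3.2.4) when it contains anything outside atext/dot. DQUOTE and
    backslash inside the quoted-string are escaped as quoted-pairs."""
    if is_dot_atom(local):
        return local
    if not local or not all(32 <= ord(c) <= 126 for c in local):
        raise ValueError("local part must be non-empty printable ASCII")
    escaped = local.replace("\\", "\\\\").replace('"', '\\"')
    return '"' + escaped + '"'


def normalize_address(address: str) -> str:
    """Split on the last '@' (a quoted local part may itself contain '@') and
    return the address with its local part quoted only where required."""
    local, sep, domain = address.rpartition("@")
    if not sep or not domain:
        raise ValueError("address needs a domain after '@'")
    return f"{quote_local_part(local)}@{domain}"


if __name__ == "__main__":
    # Constructed sample local parts mirroring the ones discussed in the post.
    for sample in ["!#$%&'*+-/=?^_{|}~", "[]", "<>", "XXX#YYY", "a..b", ""]:
        try:
            print(repr(sample), "->", normalize_address(sample + "@example.com"))
        except ValueError as exc:
            print(repr(sample), "->", exc)
```

Run as-is it prints one line per sample; the `!#$%&'*+-/=?^_{|}~` and `XXX#YYY` local parts pass through bare, while `[]` and `<>` come back quoted the way Thunderbird rewrites them.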