
FIDO UAF, IoT DoS, Tech Debt, SCTP, RTP, OVH, MS SQL, App Performance, SSH U2F 2FA

posted Jul 9, 2017, 4:45 AM by Sami Lehtinen   [ updated Jul 9, 2017, 4:46 AM ]
  • Checked out: FIDO UAF 1.1 and U2F 1.1 specifications, again.
  • In another case, a customer complained about... all the usual stuff, programs and everything not working, etc. Finally, when I got there and analyzed the whole network, it became painfully evident that it was their multimedia TV which had an Ethernet connection and flooded the network with such an amount of crap that everything else stopped working completely. This is just another example of how much fun we can expect from IoT devices, when all of those devices can launch a network-crippling DoS at will without any sane reason, based on software and hardware bugs and otherwise just the usual low-quality crap hardware & software. We're going to have so much fun in the future. In this case it was wired. Wired is actually much easier to analyze and contain than wireless DoS flood devices. If being nasty, it would be just so much fun DoS:ing different critical radio devices at random locations and times, but at times when you know those are actually needed for something important. But not doing it for so long that you'll actually get caught. Boom, have fun. Don't ever trust anything wireless. (EW, EME, EM) One of the problems of analyzing WiFi networks is that most devices do not provide any kind of even nearly useful and suitable debug information. There are proper WiFi and spectrum analyzer devices, but those aren't usually available when you need them.
  • Excellent article about the human cost of tech debt - All true, sometimes bad code is good enough. Sometimes you'll spend years making perfect code which never gets any actual use. Fixing tech-debt code or developing it further is horrible; stuff is collapsing on you all the time, and it's hard to even figure out what's causing the issue. All this leads to deadline issues, as it requires high work estimates. But customers rarely want anything done properly if it's cheaper done shoddily and 'just works well enough'. Team infighting, sure. Don't touch it even if it's barely working, guaranteed. WinForms, no comments. - A truly great post!
  • Read a few good articles about WebRTC, SCTP & RTP: avoiding all the joys of UDP and NAT traversal using different kinds of hole-punching methods, etc. Same Origin Policy (SOP).
  • OVH expanding to Frankfurt - From Finland it's hard to decide whether Frankfurt or Amsterdam is the better location for servers. But with the newish fiber, Frankfurt might be better for Finnish customers. It's sad that the best providers do not yet operate in Finland. Warsaw is also a rising star on the data center map as a major Eastern European location. OVH has a Warsaw data center too.
  • Sputnik News is using Telegram Channel to push content to mobile users, instead of yet another annoying mobile app to be installed. Neat.
  • Enjoyed deep discussions about the MS SQL Simple Recovery Model vs. the Full Recovery Model. Well, it depends. Both options have their own use cases. Lots of discussion about different use cases, space management, backups, performance, etc. Lots of discussion about the transaction log, its physical architecture and Virtual Log File (VLF) segments, sizes, locations and file groups, and how all this affects the file system and storage. File groups, log truncation and the reasons why the log grows, and so on. The circular log buffer which reuses the log segments without a backup. Had to link this blog post for the guys.
  • Wrote a leaflet about application performance: caching, locking, transactions, internal processing performance, data batching and generic parallelism & concurrency. How to resolve common performance bottlenecks.
  • SSH U2F 2FA with Teleport - which earlier already supported TOTP. Wrong, TOTP isn't using a common shared secret; the secret is naturally realm-specific. Not true, U2F doesn't protect the user from advanced MITM attacks. U2F security isn't any better than SMS-based authentication, like Mobile ID. U2F doesn't provide built-in protection against MITM either. Mobile ID SMS authentication actually provides better security, as far as I can see, than U2F. Hmm, YubiKey doesn't trust them or the connection. That's something which I have to check. That's somehow related to the U2F protocol. That URI & TLS Channel ID binding isn't really strong, afaik. This only prevents TLS-level MITM. But it still doesn't block device-level MITM, which is the problem with most schemes. As long as the data isn't signed / validated, you're just signing a "random blob" without knowing what it really is. Application-specific keys are of course obvious. U2F protocol details.
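What the U2F sign step actually covers, as an added example (not code from this post, from Teleport, or from the FIDO spec): a pure-Python model of the token, the browser's clientData and the relying-party checks. It shows the two bindings touched on above, the appId hash the registered key is tied to and the origin the browser stamps into clientData, and also that the token only ever sees hashes, so nothing in the protocol itself shows the user what is being authorised. The appId https://teleport.example.com, the phishing origin and the per-login challenge are constructed for the example, the ECDSA P-256 routines are a from-scratch illustration (not constant time, simplified nonce choice, not for production), and a real U2F client would additionally refuse to use an appId that the calling origin is not a facet of.

```python
# Added example, not from the original post: a minimal model of the U2F sign flow.
# ECDSA P-256 is written out in pure Python (illustrative only; needs Python 3.8+ for pow(x, -1, m)).
import base64, hashlib, hmac, json, secrets, struct

# NIST P-256 parameters (FIPS 186-4).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None: return p2
    if p2 is None: return p1
    x1, y1 = p1; x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0: return None
    if p1 == p2: lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else: lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    acc = None                                   # double-and-add, not constant time
    while k:
        if k & 1: acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def ecdsa_sign(d, msg):
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    # Nonce from key and message (simplified; real code uses RFC 6979 or a CSPRNG).
    k = int.from_bytes(hmac.new(d.to_bytes(32, "big"), msg, "sha256").digest(), "big") % (N - 1) + 1
    r = ec_mul(k, G)[0] % N
    return r, pow(k, -1, N) * (z + r * d) % N

def ecdsa_verify(q, msg, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N): return False
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    w = pow(s, -1, N)
    pt = ec_add(ec_mul(z * w % N, G), ec_mul(r * w % N, q))
    return pt is not None and pt[0] % N == r

def b64u(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def signed_payload(app_hash, presence, counter, client_data):
    # What the token signs: sha256(appId) || presence || counter(BE32) || sha256(clientData).
    return app_hash + bytes([presence]) + struct.pack(">I", counter) + hashlib.sha256(client_data).digest()

class Authenticator:
    """Token side. A key works only under the appId it was registered for; a real
    token enforces this by wrapping the key handle with the appId hash, here it
    is modelled as a stored binding. Nothing here displays what is being signed."""
    def __init__(self): self.keys, self.counter = {}, 0
    def register(self, app_id):
        d, handle = secrets.randbelow(N - 1) + 1, secrets.token_bytes(16)
        self.keys[handle] = (hashlib.sha256(app_id.encode()).digest(), d)
        return handle, ec_mul(d, G)
    def sign(self, app_id, handle, client_data):
        app_hash, d = self.keys[handle]
        if hashlib.sha256(app_id.encode()).digest() != app_hash:
            raise ValueError("key handle not registered for this appId")
        self.counter += 1
        return 1, self.counter, ecdsa_sign(d, signed_payload(app_hash, 1, self.counter, client_data))

def make_client_data(challenge, origin):
    # Browser side: clientData binds the challenge to the page origin.
    return json.dumps({"typ": "navigator.id.getAssertion", "challenge": b64u(challenge),
                       "origin": origin}, sort_keys=True).encode()

def rp_verify(pub, app_id, challenge, last_counter, client_data, presence, counter, sig):
    """Relying party: every check uses the RP's own appId and issued challenge."""
    cd = json.loads(client_data)
    if cd.get("typ") != "navigator.id.getAssertion" or cd.get("challenge") != b64u(challenge): return False
    if cd.get("origin") != app_id: return False                   # origin binding (assumes origin == appId)
    if presence != 1 or counter <= last_counter: return False     # replay / cloned-token hint
    app_hash = hashlib.sha256(app_id.encode()).digest()
    return ecdsa_verify(pub, signed_payload(app_hash, presence, counter, client_data), sig)

def demo():
    """Outcomes of a legitimate login, a relayed challenge from a phishing origin,
    clientData swapped after signing, and the key handle used under another appId."""
    app_id = "https://teleport.example.com"      # hypothetical RP; origin == appId
    token = Authenticator()
    handle, pub = token.register(app_id)
    challenge = secrets.token_bytes(32)          # constructed per-login challenge
    cd = make_client_data(challenge, app_id)
    pres, ctr, sig = token.sign(app_id, handle, cd)
    legit = rp_verify(pub, app_id, challenge, 0, cd, pres, ctr, sig)
    # A phishing page relays the real challenge; the browser stamps the phishing
    # origin into clientData (a real client would already refuse the appId there).
    cd_phish = make_client_data(challenge, "https://teleport-example.evil.test")
    pres2, ctr2, sig2 = token.sign(app_id, handle, cd_phish)
    phish = rp_verify(pub, app_id, challenge, ctr, cd_phish, pres2, ctr2, sig2)
    # Phisher forwards the genuine clientData instead: sha256(clientData) no longer matches.
    tampered = rp_verify(pub, app_id, challenge, ctr, cd, pres2, ctr2, sig2)
    try:
        token.sign("https://other.example.net", handle, cd); bound = False
    except ValueError:
        bound = True
    return {"legit": legit, "phish": phish, "tampered": tampered, "appid_bound": bound}
```

Calling demo() returns legit True, phish False (origin in clientData does not match the RP), tampered False (the token signed a hash of different clientData) and appid_bound True (the key handle refuses a foreign appId). Note what the token never checks: it signs whatever clientData hash it is handed, which is the "random blob" point above; the origin and challenge checks live in the browser and the relying party, not in the device.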