
GraphQL, Microservices, MS, Cloud Services, Encryption Sabotage, Proper Passwords

posted Oct 23, 2016, 6:15 AM by Sami Lehtinen   [ updated Oct 23, 2016, 6:16 AM ]
  • Checked out GraphQL - Nice and simple Query Language designed for JSON. Also checked out Graphene for Python. This is something I could actually use.
  • EU decided that Free (as in anonymous) WiFi is illegal, and that users should be registered. What's the point? You can get an anonymous mobile phone with Internet data without registration. - It simply doesn't make any sense. Just when I was happy about shopping centers and many other places finally offering free WiFi which you can auto-join without jumping through all the endless hoops.
  • Microservices please don't - A pretty nice article about microservices. This pretty much agrees with what one of my friends said. He re-engineered one project to run in dozens of Docker containers, each one taking care of a small part of the whole. It added a lot of overhead, made the system slower and harder to manage and administer. - Yet I've seen cases where microservices have been a perfect fit. They've got a processing pipeline and a graphical administration module which is just awesome. It's just like drawing a flow chart and setting options for the microservices, all using a single management GUI. Yet having this power naturally doesn't technically require that the system be implemented using microservices. - SOA and message passing also fit somewhere here.
  • Microsoft's crappy policies and badly built products made me once again bat shit crazy. I don't hate anything more than data loss. You'll never know what you lost. Probably it wasn't anything important, but it potentially could have been something very important. Thank you Microsoft once again for providing such crap as Gotta migrate out as soon as possible. It has been guaranteed Microsoft (tm) quality so far. Super slow, totally lagged, with high latencies on everything, totally random delivery errors, bad authentication, spam filtering / classification failing miserably, data loss and so on. Just what ICT professionals would expect from Microsoft cloud services. Yes, I have to admit, I was highly skeptical about using Microsoft products and unfortunately they've proven me right. It was a really stupid move. Everything is just as bad as you could have dreamed when thinking how to make your users' lives a misery and troll them to the max. I'm still wondering what I was thinking when I chose Microsoft.
  • The statement above also made me think that it's interesting to see how different cloud service providers focus on different aspects. Some focus on retaining everything forever and making deleting hard, and others make data retention basically impossible. Yet when I described how fked their system is, I'm pretty sure they're still keeping all the mails, they're just not showing those to the end user, to maximize the damage on different potential aspects. To the client they'll tell the data is long gone. But then someone paying well and basically unauthorized to access the data will still get all the records from several years. - That's the way to manage ICT systems. Give users the illusion of privacy while still keeping it all. My little internal BOFH is laughing really hard (evil villain laugh), this is exactly what to do if you want to be a real BOFH. Poor users don't even know what hit them.
  • Setting the level is hard. In Encryption Sabotage you weaken the encryption on purpose, usually using bad random numbers or weak algorithms, so you can break it with "reasonable resources" when necessary, while it still seems valid, good, and good enough for most who do not have advanced cracking capabilities. They had a similar problem with Natanz: how to make enough centrifuges fail, but not so many that they immediately know it's sabotage. The problem needs to be annoying and cause damage, but still not be big enough to make it a priority to solve by whatever means necessary.
  • Someone told me that passwords have low entropy? Well, they're just doing it wrong. Here's my quick take on proper passwords: base64.a85encode(os.urandom(16)) - Example result: ';TjPs-b;<+@nd`^%.T[)' or 'L1)85<dr8-qHe)Yr46`*' good luck guessing! Even if you had a really fast password cracker, running even an empty loop like for i in range(pow(2,256)) will take a while. ;) There's still 340282366920938463463374607431768211456 combinations to check. Or if that's not enough, you can go for 256 bits, which leaves us with 115792089237316195423570985008687907853269984665640564039457584007913129639936 combinations and passwords like: '\\S>&=Cs`nXTWfM6MO>f!+-`%h]_ag7kE+HRc:M=@'. Just treat passwords as mentioned earlier, as shared blobs of bits. Simple as that, and it's highly unlikely anyone's going to crack those in any reasonable time. All and any passwords are always crackable if unlimited time / resources are allowed. And if we assume the attacker is lucky, there's no reason why they wouldn't guess the password on the first try. You know, there are people who win the lottery too. If it's so confidential, how about not storing it in the first place, encrypted or not. If it's not there, then it's all good.
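The two points above, that a password is just a shared blob of bits and that bad random numbers are the quiet way to sabotage encryption, can be checked in a few lines. The following is an added example written for this page, not code from the post itself: it generates passwords the way the post suggests (Ascii85 over os.urandom), derives the combination counts quoted above from the byte count rather than from the string, and then, for the sabotage side, shows a constructed weak generator that produces equally random-looking output from a small seed. The guess rate in years_to_exhaust and the 12-bit seed are assumptions chosen for illustration.

```python
import base64
import math
import os
import random

# Added example (not the blog's own code): a password's strength is the size of
# the space its bits were drawn from, not the number of printable characters
# they happen to encode to.


def proper_password(nbytes=16):
    """Return an Ascii85 string carrying nbytes of OS-provided randomness.

    16 bytes -> 20 characters (128 bits), 32 bytes -> 40 characters (256 bits).
    """
    return base64.a85encode(os.urandom(nbytes)).decode("ascii")


def keyspace(nbytes):
    """Number of distinct passwords that nbytes of random input can produce."""
    return 2 ** (8 * nbytes)


def bits_from_password(password):
    """Entropy bound of an a85 password: decoded byte count times 8.

    The 85-symbol alphabet carries log2(85) ~ 6.4 bits per character, so a
    20-character string holds at most 128 bits, whatever it looks like.
    """
    return 8 * len(base64.a85decode(password.encode("ascii")))


def years_to_exhaust(nbytes, guesses_per_second=1e12):
    """Worst-case time to try every value at an assumed (constructed) guess rate."""
    seconds = keyspace(nbytes) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


# --- the "encryption sabotage" side: output that looks random but is not ---


def seeded_password(seed, nbytes=16):
    """Same shape as proper_password(), but every bit is a function of `seed`.

    Constructed weak generator: a non-cryptographic PRNG seeded from a small
    integer. The output is indistinguishable by eye from the real thing, which
    is exactly why bad randomness weakens encryption without anyone noticing.
    """
    value = random.Random(seed).getrandbits(8 * nbytes)
    return base64.a85encode(value.to_bytes(nbytes, "big")).decode("ascii")


def distinct_seeded(seed_bits, nbytes=16):
    """Count how many different passwords the weak generator can ever emit.

    With a seed_bits-bit seed the answer is at most 2**seed_bits rather than
    2**(8*nbytes): the effective keyspace collapsed from 128 bits to seed_bits.
    """
    return len({seeded_password(seed, nbytes) for seed in range(2 ** seed_bits)})


def effective_bits(seed_bits, nbytes=16):
    """Effective entropy of the weak generator in bits, measured rather than assumed."""
    return math.log2(distinct_seeded(seed_bits, nbytes))


if __name__ == "__main__":
    pw = proper_password(16)
    print("proper password:", pw, "->", bits_from_password(pw), "bits")
    print("combinations for 16 bytes:", keyspace(16))
    print("combinations for 32 bytes:", keyspace(32))
    print("years to exhaust 16 bytes at 1e12 guesses/s: %.3g" % years_to_exhaust(16))
    print("weak generator with a 12-bit seed emits only", distinct_seeded(12),
          "passwords, i.e.", effective_bits(12), "bits")
```

Two practical notes: the a85 alphabet includes quotes, backslashes and backticks, so these passwords need quoting when pasted into shells or config files; and the measured effective_bits is the number that matters when reviewing a password or key generator, since a "random-looking" 20-character output tells you nothing about how many values the generator can actually reach.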