Blog‎ > ‎

HFDE & SED, BitLocker, C-Lion1, DDG, ORM, Internet, RFoG, Docker

posted Jun 25, 2016, 9:37 PM by Sami Lehtinen   [ updated Jun 25, 2016, 9:38 PM ]
  • Reminded my self about Hardware FDE and ViaSat Eclypt drives. Opal Security Subsystem Class and Trusted Computing Group (TCG). Also read: Bypassing Self - Encrypting Drives (SED) in Enterprise Environments [pdf] - Those methods were kind of obvious and silly. Sure if the drive is unlocked when attacker gains physical access, that's bad.
  • After discussing a few details with friends, we concluded that correctly made backdoor doesn't actually reduce security by any meaningful way for normal lawful use. Yet it allows media access for authorities if legally required to do so. So is it so bad, or is it something most of people would actually agree to?
  • Once again it's time to remind when people say it's using AES256 and it means that it's absolutely secure. Yes, bit did you also figure out that you'll need 32 bytes (256 bits) of entropy, meaning that the password needs to be about 43 characters long random string with special characters. As well as there are many other fails than the cipher alone.
  • Read about Elephant Diffuser being which was removed from Windows 2012 / 10 BitLocker.
  • Found out that one version of GNU social got totally broken private messaging. Yes, it was running on live production servers. Funny. But that's life. So if you sent a private message, it was still completely public.
  • Added a few monitoring points and scripts with alerts to inform me as soon as the Telia, TeliaSonera, Sonera, starts to route using C-Lion1 from hls to ffm. Data is also logged. Of course I've got lot more data points, but this is one which has been configured to create immediate personal alerts, so I can check other data points with other operators. Expectation is to see latencies to be reduced by about 10 - 15 ms. Actually I think that switch will happen before this blog post is actually out. But that's life. Backlog is quite long.
  • Some of DuckDuckGo stuff is now loaded directly from yahoo.net and not from duckduckgo.com. Hmm, interesting development. I wonder when they add Google Analytics and claim that they don't track you. The pro tip is that they're not doing it, it's Google that's doing it. Classic ways to mislead people. We're not, but ha ha, we're during actually exactly what you feared, but we just avoided answering that question because you asked in a wrong way.
  • Got question about Peewee ORM Transactions with SQLite3. Why does it matter if try and except are inside with transaction or outside it? Or maybe I've just missed documentation about that being strict. Had serious problems with ever growing WAL file because selects were left at times open after exception occurred. I'm using auto commit and with transaction. So I would assume it would mean that the select and query statement would be closed and finalized always automatically. So what if there's uncaught exception. But that doesn't seem to be the case. so even if you're doing with transaction select a ton of stuff and then processing data using cursor if there's an exception that boots the execution out from that with transaction scope block the cursor doesn't get closed. Ouch. Once again a good example where expecting something to happen, doesn't actually matter at all, because your expectations are just wrong. Been there, failed that. Fixed.
  • How the Internet works: Submarine fiber - Awesome article. Loved it, yet. I'm pretty sure it didn't provide any new information, but it's great generic overview for people whom might not be familiar with all this stuff.
  • Learned something new I didn't know earlier RFoG.
  • Should data be put in docker containers or outside? When I did those docker tests I did place data inside container, but afaik that's not a great plan. On the other hand, one of the goals of the project was to minimize time required to configure such a system and that's the reason why I didn't go for it. Probably could have done that pretty quickly, but it's still one more extra step to take. Simple, default, is good. Anything which adds complexity is bad, especially in this kind of scenario where aim isn't to do things right, but do things quickly so that stuff just works. Which naturally can back fire later and isn't great plan for production environments, but for experimental test projects, it's the way I like to do things.