
HTTP/2, OpenPGP, Authentication, Identity, Bitium, SSO, 2FA, CRM, CDN, BI, China

posted Jun 6, 2015, 10:01 PM by Sami Lehtinen   [ updated Jun 6, 2015, 10:01 PM ]
  • Checked out Python 3.5.0b1 - More features, newer versions. I'm still using 3.4 in production. But as soon as the new version comes out I'll be upgrading most of the systems.
  • Data Analytics & Statistics using Python - Nice tutorial to the topic.
  • How to optimize your site for HTTP/2. - It also reminds you well why you should use a CDN. Fast Internet means low latency, not high bandwidth. It's amazing how many people just don't get the difference, even people who're professionally involved with this stuff. Yet I'm glad to say, the document didn't contain anything new at all. It's all basic stuff that everyone should already be aware of. I personally think that the stream weight (relative multiplexed priority) is quite useless. An absolute dependency tree is a much better way to deal with stuff. Priority would also work if it were absolute priority instead of weight. It seems that my earlier reading about HTTP/1.1, my own thoughts and my thoughts about HTTP/2 are all OK; actually I know a lot about it. And I haven't just been reading about it. I've also been thinking deeply about it.
  • What are the use cases for #h2 / #http2 stream weights? I personally see stream dependencies as much more useful. Or I would have preferred absolute priorities over weighted priorities.
  • A good post on how HTTP/2 is much faster than SPDY - The key to it is the dependency-based prioritization.
  • 0MQ ZeroMQ tutorial - Nothing to add, just read it.
  • Watched Google I/O 2015 Keynote
  • LclBd now shows most popular tags by user. I'll do minor changes and improvements whenever I'm feeling like it.
  • Thunderbird - More broken and bad software. - The Thunderbird email application crashes when moving a large number of messages from one folder to another. I know ALL of my friends using Thunderbird are suffering from this SAME bug. It's really annoying, but it's more like a feature than a bug. It happens on Windows as well as on Linux platforms and so on. Restarting the application fixes the issue. Usually the CPU is also hogged during the task, which seems like a clear bug too.
  • Again wondered why Remmina (Remote Desktop Client) is unable to connect to servers which are configured to use NLA / TLS / High connection settings. It's quite annoying.
  • Google is launching push notifications for web apps. - This is important, because I really love web apps over native apps. This is something I have to check out, because push notifications are one of the primary reasons to use a mobile app over a web app.
  • Read a long article about business management and big data analysis and data analytics in general. How should managers deal with it? Lol, buzzword, data analytics and hype mentioned.
  • Checked out how to configure a captive portal for a wireless dead drop.
  • Facebook is using OpenPGP to secure emails - That's really great. Yet I suspect that fewer than, well, it's quite hard to get a low enough estimate, are going to use that feature.
  • Some people claim that anonymous messages sent with an OpenPGP signature are useless. No, not really. The point of the signature is to allow me to prove that I wrote those messages to some party at some point, if so required. Yet keeping the identity, or most likely identities, and the private key stored safely allows you to remain anonymous and hidden from the rest of the people. If I want to, I can post a message signed with my official key + the anonymous key to prove my identity. Or sign the nonce sent by the party I want to identify myself to with the anonymous key. So they know I'm the one, but they still don't know who I am. Providing really strong pseudonymity over any channel.
  • Reminded myself that QUIC is ~HTTP/2 over UDP. - Yes, that ~ is there on purpose, because that's an inaccurate description. µTP Micro Transport Protocol and LEDBAT and SCTP. And RFC 6951, a way to encapsulate SCTP packets in UDP for end-host to end-host communication.
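The nonce challenge described above, as an added example that is not part of the original post: Ed25519 from the Go standard library stands in for an OpenPGP key, and Pseudonym, ProveControl and LinkStatement are names constructed here. The verifier only learns that the same key answered as before, while the dual-signed link statement is what the owner can release later to prove the pseudonym is theirs.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// A pseudonym is just a public key; only its owner knows who holds the private half.
type Pseudonym struct{ Pub ed25519.PublicKey }

// NewPseudonym generates a fresh anonymous signing key pair (constructed example).
func NewPseudonym() (Pseudonym, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Pseudonym{}, nil, err
	}
	return Pseudonym{Pub: pub}, priv, nil
}

// PublicOf returns the public half of a private key.
func PublicOf(priv ed25519.PrivateKey) ed25519.PublicKey {
	return priv.Public().(ed25519.PublicKey)
}

// ProveControl signs the verifier's nonce: it proves "same key holder as before",
// not who that holder is. The nonce must be fresh per challenge to stop replay.
func ProveControl(anon ed25519.PrivateKey, nonce []byte) []byte {
	return ed25519.Sign(anon, nonce)
}

// VerifyControl checks a challenge answer against the stored pseudonym key.
func (p Pseudonym) VerifyControl(nonce, sig []byte) bool {
	return ed25519.Verify(p.Pub, nonce, sig)
}

// LinkStatement binds the pseudonym to an official identity with both signatures;
// the owner releases it only to the parties they choose to identify themselves to.
func LinkStatement(official, anon ed25519.PrivateKey, statement []byte) (sigOfficial, sigAnon []byte) {
	h := sha256.Sum256(statement)
	return ed25519.Sign(official, h[:]), ed25519.Sign(anon, h[:])
}

// VerifyLink accepts the statement only if both signatures verify.
func VerifyLink(officialPub, anonPub ed25519.PublicKey, statement, sigOfficial, sigAnon []byte) bool {
	h := sha256.Sum256(statement)
	return ed25519.Verify(officialPub, h[:], sigOfficial) && ed25519.Verify(anonPub, h[:], sigAnon)
}
```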
  • SSDs: A gift and a curse - Nice article about using SSD with servers and what kind of problems you might encounter.
  • Had annoying problems with xfce4-indicator-plugin version 2.3.2; it clearly seems to be buggy. What did I say about software earlier. Also the requirement to restart the panel for changes to take effect is so... Some decades old stuff. Yuk.
  • Checked out Solar sail including types Magnetic sail and Electric sail.
  • Checked out the FOAF (Friend of a Friend) http://www.foaf-project.org/ protocol, which is an extension of F2F (Friend to Friend).
  • GAE Python Google Scalability course - Great stuff. How to build cloud services which seamlessly scale to even the greatest demands you can imagine.
  • Added support for PhishTank API to one project.
  • Checked out Transatomic - Molten Salt reactor design, nuclear reactor blueprints and thorium reactors.
  • Studied models like drop shipping and store dropping. Both are concepts that have been used with our customers for a long time. At least one advanced large European customer has been using both models for almost a decade. I've designed the in-store ICT / Post and stock system to support their concept and processes, including product life curve, seasons, dynamic pricing as well as automatic stock replenishment, which is of course quite trivial when you have all the required data at hand. Post of Finland is now marketing these concepts in Finland. But they seem to have forgotten that most stores moved away from Finland several years ago. Cost efficiency and scale benefits are really important in this business. It also seems that as a market Sweden adopted the concept of drop shipping much earlier than Finnish businesses.
  • FBI says that encryption should be prevented - Nice, I think we have suffered enough from export keys and other stuff. Yet if encryption is banned, then only criminals will be using it. There's no way to practically get rid of encryption. It might be combined with steganography or chaffing and winnowing. Which isn't encryption, it'll just help you to know which parts are required and which aren't. It's just a high tech stencil / mask which can be applied to data to figure out what the real message is.
  • Fixed some annoying jQuery Mobile related issues with the LclBd project. There are still a few known annoying things, but I'll fix those as soon as I'm feeling like it. There aren't any users anyway, so why worry about that? I know how it works, even if the UX can be bad if the user doesn't do exactly as supposed.
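Chaffing and winnowing, the "stencil" mentioned above, as an added example that is not from the original post: the stencil is an HMAC key shared by sender and receiver, and Chaff/Winnow/Packet are names constructed here. Nothing is encrypted; the receiver simply discards every packet whose authenticator does not verify, and without the key the decoys cannot be told apart from the real pieces.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

// Packet is one unit on the wire: wheat carries a real HMAC over (Seq, Data),
// chaff carries random bytes that merely look like one. Nothing is encrypted.
type Packet struct{ Seq uint32; Data, MAC []byte }

// tag computes HMAC-SHA256 over the big-endian sequence number and the payload.
func tag(key []byte, seq uint32, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte{byte(seq >> 24), byte(seq >> 16), byte(seq >> 8), byte(seq)})
	m.Write(data)
	return m.Sum(nil)
}

// Chaff tags each real piece and mixes in chaffPerPiece decoys that reuse its
// sequence number with a random payload and a random "MAC".
func Chaff(key []byte, pieces [][]byte, chaffPerPiece int) ([]Packet, error) {
	var out []Packet
	for i, p := range pieces {
		out = append(out, Packet{uint32(i), p, tag(key, uint32(i), p)})
		for j := 0; j < chaffPerPiece; j++ {
			decoy := make([]byte, len(p)+sha256.Size)
			if _, err := rand.Read(decoy); err != nil {
				return nil, err
			}
			out = append(out, Packet{uint32(i), decoy[:len(p)], decoy[len(p):]})
		}
	}
	return out, nil
}

// Winnow keeps only packets whose MAC verifies under the shared key and puts
// them back in sequence order. Assumes no wheat packet was dropped in transit.
func Winnow(key []byte, pkts []Packet) [][]byte {
	kept := map[uint32][]byte{}
	for _, p := range pkts {
		if hmac.Equal(p.MAC, tag(key, p.Seq, p.Data)) {
			kept[p.Seq] = p.Data
		}
	}
	out := make([][]byte, len(kept))
	for seq, data := range kept {
		out[seq] = data
	}
	return out
}
```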
  • Let's Encrypt - New free SSL certificates for everyone. Here's the new CA root certificate being used.
  • Checked out Bitium - SSO 2FA authentication service provider - Cloud-based identity and access management solutions.
  • Dumping some authentication and identification related thoughts and comments, not edited for blog: I'm personally wondering why there's need for "so many authentication systems". Why doesn't just ONE authentication system do the job? I personally would love to see that kind of solution for cases where high to medium security is required. Of course it won't work for cases where really high security is required and governments can't be trusted. But for all other cases it would be ideal. AFAIK, it's silly that we need all kinds of identities when actually we should need just one identity and all our roles and access tokens and stuff could be simply linked to it. That being said, the official ID card (which you can use to identify yourself basically anywhere) could as well work as universal key, access token and identity as well as 2FA provider. SAML. This would neatly separate identity management from authorization. Some people seem to confuse those, but actually those are two technically completely separate things. Of course identification is an important part of authorization, but those can be federated together. Well, the problem is that there are tons of solutions, but none of those is widely recognized and that doesn't seem to change anytime soon. I somehow drifted back to this topic after checking https://www.bitium.com out. It's also a problem that I often prefer not to be officially identifiable in many circumstances, which of course invalidates a 'well known and good strong identity system'.
    I'm well aware of #sqrl and I've thoroughly studied it as well as sent feedback about it to Steven.
    Just to add, I don't personally believe that current #sqrl implementations are nearly secure enough. There's no #HSM module for the SQRL private key AFAIK. Please correct me if I'm wrong. Of course some company could provide a #yubikey kind of solution which would be SQRL compatible. But any application with 'regular' data storage is always insecure. That's why all those "authentication" apps just won't fly. Believe me, I've checked many of those.
    I'm currently a user of "mobiilivarmenne", which is so far one of the best mobile authentication schemes. http://www.mobiilivarmenne.fi/en/ I also think it's secure enough for most clients. Except for the cases where extremely high-level security is required. But that's a concern for only a very small group of people. Of course the identification trusts a third party, and that's just why it won't work for the really high security requirement case.
    Mobiilivarmenne is using #HSM and requires a PIN code to activate it. As well as, if you're not logging in on mobile, you'll get private key authentication using #2FA. Desktop login, using #mobile #authentication. Also the website clearly tells what information is being passed to whom. So that's pretty much secure too. Of course it could be changed with advanced malware. That's why I would love to see the information about what's being signed / authorized on the mobile screen also. Using a low level method which would require firmware modifications on the mobile device. So even if the desktop AND the mobile device were both infected with "normal" malware (not rooted) it wouldn't be able to affect the key parts of the process.
    When things are as advanced as I think they should be, try entering countries like the US without a passport, using only SQRL or mobile authentication. If they accept that as your identity, then things are working out. There are already passports with chips, so actually it would be a natural step not to require the paper document part of it anymore.
    Here's the description and flow of the current mobile authentication I'm using. http://www.sami-lehtinen.net/blog/secure-pki-based-mobile-user-id-authentication
  • Read extensive review of CRM systems including Microsoft Dynamics CRM, Oracle Sales Cloud, Salesforce Sales Cloud, PipeDrive, Nimble and SuiteCRM.
  • Also read one long CDN article, but in reality it didn't contain anything which I wouldn't already know in extensive detail. It didn't go into details of many networks. But it seems that most CDN networks have their focus on western markets, and South America, Africa and India have a very small number of POPs, if any. I guess TATA or Akamai are the primary CDN options for India. http://cdn.tatacommunications.com/about/advantages.html# CDN77 has presence everywhere except Africa. It's also easy to notice that many CDNs don't have Russian POPs. And Russia alone is just an absolutely huge country as measured in area. China Net Center seems to be the "Akamai of China". (Yes, I do hate it when someone says Yandex is the Google of Russia, lol. But I just did it! Yet I'm sure that most people don't know what Akamai is.) They have 400+ POPs in China. It's also really funny how CDN Planet shows France as being "Europe", I mean the whole of Europe. Don't know what's wrong with China Net Center, but its own pages were really ridiculously slow to Helsinki. Here's their network map. I sent them feedback about the problem. TCP connection and traceroute seem to go somewhere in Central Europe with okish latency. So the problem is somewhere else. I'm curious to hear what they say. If I were running such a CDN, I would keep permanent connections open due to the speed restrictions caused by the Great Firewall.
  • Read an article about enterprise data storage solutions by CGOC and what all the storage space is being used for. I've seen it over and over again, ROT (Redundant, Obsolete or Trivial). Yet that's what most data is. Records management is an important part of that process.
  • Now the largest cities are listed as "pre-customized" LclBd local locations. Users can view on LclBd whatever is being discussed right now in the following mega cities: Bangkok, Beijing, Buenos Aires, Cairo, Delhi, Dhaka, Guangzhou, Istanbul, Jakarta, Karachi, Kinshasa, Kolkata, Lagos, Lahore, London, Los Angeles, Manila, Mexico City, Moscow, Mumbai, New York City, Osaka, Paris, Rhine-Ruhr, Rio de Janeiro, Sao Paulo, Seoul, Shanghai, Shenzhen, Teheran, Tokyo. Cities are in alphabetical order. I've also been considering listing smaller places just because of the unique location of cities like: Johannesburg, Sydney, Santiago, San Francisco, Winnipeg, Anchorage, Novosibirsk, Reykjavik, Ponta Delgada, Georgetown, St. Helena, Honolulu. Maybe I'll just limit search result depth for those locations. All other locations list the top 1000 posts, but those could as well just list the top 100.
  • Electronic Prescriptions are now widely used in Finland. Those are really handy, no need to shuffle papers around and all information is always up to date. It's just like the banking and online trade when it moved to Internet. But simultaneously it's making society more vulnerable to different cyber attacks, because many important things now rely on Internet.
  • It seems that the great firewall is making TCP connections and DNS lookups really slow. Many sites are much slower from China than Hong Kong. Also it's a trap to speed test your website from Hong Kong and think it would be the speed that Chinese users would be getting.