IoT, Security, Katakri, OpSec, Slope One, Indexing, DNS, Bugs, Quality, Stack & Heap

posted May 4, 2016, 8:55 PM by Sami Lehtinen   [ updated May 4, 2016, 8:56 PM ]
  • Internet of Things, Internet of Spies, Internet of Targets? What's that going to be? Here's one interesting story. This is why people fear the Internet of Things.
  • More Internet of Things reality. That's funny stuff too. I really don't have anything to add. The article says it all.
  • Wrote a short memo about security landscape changes for classified information. The most important changes are related to risk assessment. Security measures are targeted based on perceived and assessed risks. The risks are of course based on the target, the data classification level, the environment used and the related threats. Making a risk assessment is now always required for handling classified data. If official certification is applied for, an important part of that certification is assessing the risk assessment and confirming that the two do not conflict. The areas covered are security management, physical security, and software & configuration security, closely related to ISO 27001 requirements. The new requirements are also more ambiguous, which possibly makes auditing harder, because there's no longer a clear list saying "these are the required things". That is both a good and a bad thing. It allows different measures to be used to reach the required security level, but at the same time it puts the risk assessment itself in a too critical position for ensuring the required (subjective) security level. There's also documentation of the recommended processes used to manage security. - "Information security auditing tool for authorities – Katakri 2015" (CIIP)
  • Implemented Slope One Collaborative Filtering and ranking / recommendations for one project.
  • Nice article about Travel OpSec.
  • Indexing basics article "PostgreSQL Indexes First Principles", as you might have guessed it's about SQL (PostgreSQL / Postgres) indexing. Nothing new, but if you're not familiar with indexing it's a good read.
  • If CloudFlare had a presence in Helsinki, it would be able to serve Russian customers / users better; those are currently served from Stockholm.
  • Great and very comprehensive post about DNS, highly recommended reading, including history etc. There was legacy stuff I wasn't aware of.
  • Sometimes I just wonder how many complex and annoying bugs you can fit in a small algorithm and code implementation. But then the answer seems to be a lot more than you would assume. Phew. Even if you're not writing anything like ciphers or data validation / authentication (MAC/MIC) or protecting against cache correlation attacks or timing issues. So be happy if the application barely works and does what's required by the operational requirements. You're just being crazy if you're going to ask about security, uncommon exception handling, performance or code quality. Those are nice things, if you've got infinite time and the application is small. But if the app is complex and resources limited, it's a really nice fantasy. It's a common misconception that if it's working, it would be done correctly. That's not true of course. Because if you think it's working, it just probably means that you're not looking closely enough at the multitude of ways it's seriously broken. Sometimes it's more like, by not looking, you can believe it's ok and then you can honestly say it's working. - Actually I just proved this myself. But that story is in the post queue and will be out about 15 posts later.
  • Nice post by Julia Evans with the title What is "the stack"? - Of course this is all familiar to programmers and tech geeks. But if you're not familiar with the stack, and you're interested in computer tech, take a look. Also the Rust article about the stack & heap itself is really nice.
  • Excellent post curl vs wget, what's the difference? - Btw. I had no idea that curl can be used with such a huge number of SSL libraries. Yet I've found out the hard way that wget doesn't decompress gzipped payloads, which actually seems to be quite a common complaint on forums.
  • Buggy software is just about everywhere all the time. Just noticed that Thunderbird shows UTF-8 correctly... until you open the message in a separate message window. As long as you're using 'preview' or 'reply' mode it's right. But if I just open the message itself, the character set gets borked and UTF-8 double byte characters show up the way they do if the character set isn't UTF-8. Great work, what a fail, once again. So, they can also fit several bugs in their app, just like I asked above.
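
For the Slope One item above, here is an added example of weighted Slope One collaborative filtering (the Lemire & Maclachlan scheme), written for this post as editor's illustration; it is not the author's project code. The rating data, the user and item names, and the function names are all constructed for the example.

```python
"""Weighted Slope One collaborative filtering.

Idea: for every pair of items (i, j), record the average difference
r_i - r_j over the users who rated both, plus how many users that was.
To predict item i for a user, take each item j the user did rate,
shift that rating by the i-vs-j deviation, and average the results
weighted by the pair's support count.
"""
from collections import defaultdict

# Constructed sample data: user -> {item: rating}. Not data from the post.
RATINGS = {
    "alice": {"A": 5.0, "B": 3.0, "C": 2.0},
    "bob":   {"A": 3.0, "B": 4.0},
    "carol": {"B": 2.0, "C": 5.0},
}


def build_deviations(ratings):
    """Return (dev, freq) as plain nested dicts.

    dev[i][j]  = mean of (r_i - r_j) over users who rated both i and j
    freq[i][j] = number of such users (the weight used in prediction)
    """
    dev = defaultdict(lambda: defaultdict(float))
    freq = defaultdict(lambda: defaultdict(int))
    for user_ratings in ratings.values():
        for i, ri in user_ratings.items():
            for j, rj in user_ratings.items():
                if i == j:
                    continue
                dev[i][j] += ri - rj
                freq[i][j] += 1
    for i in dev:
        for j in dev[i]:
            dev[i][j] /= freq[i][j]
    # Convert to plain dicts so lookups never create entries as a side effect.
    return ({i: dict(d) for i, d in dev.items()},
            {i: dict(f) for i, f in freq.items()})


def predict(dev, freq, user_ratings, item):
    """Weighted Slope One prediction of `item` for one user.

    Returns None when nothing the user rated co-occurs with `item`,
    instead of a made-up score (a common bug is to return 0.0 here).
    """
    numerator = 0.0
    weight = 0
    for j, rj in user_ratings.items():
        if j == item:
            continue
        n = freq.get(item, {}).get(j, 0)
        if n == 0:
            continue
        numerator += (dev[item][j] + rj) * n
        weight += n
    return numerator / weight if weight else None


def recommend(ratings, user, top_n=5):
    """Rank the items `user` has not rated, best prediction first.

    Returns a list of (item, score) tuples; items with no prediction
    are left out rather than ranked.
    """
    dev, freq = build_deviations(ratings)
    user_ratings = ratings[user]
    all_items = {item for r in ratings.values() for item in r}
    scored = []
    for item in all_items - set(user_ratings):
        score = predict(dev, freq, user_ratings, item)
        if score is not None:
            scored.append((item, score))
    scored.sort(key=lambda pair: (-pair[1], pair[0]))
    return scored[:top_n]


if __name__ == "__main__":
    for user in RATINGS:
        print(user, recommend(RATINGS, user))
```

Two things worth noticing when using this: the deviation table is built from all users' ratings, so anyone who can inject ratings can shift the predictions for everyone (treat rating input as untrusted like any other input), and `predict` returns `None` rather than a fake score when the item has no overlap with anything the user rated.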