Blog‎ > ‎

KeepassX, Skip Lists, Flash Sector Size, Let's Encrypt / SSL / TLS, SaaS Startup

posted Jun 18, 2017, 1:27 AM by Sami Lehtinen   [ updated Jun 18, 2017, 1:28 AM ]
  • KeepassX 2.0 got serious security issue. No it's not about encryption. But it's about user error and not warning about it. It's nice that new password option now required accept click, before old password is replaced with new one. But the another serious issue is that when removing entries from password storage there's no warning about it. Let's assume I've got two applications open Keepass and Email or File Manager. Now I do something, someone calls me. Ok, the file or email is highlighted on screen I want to remove. I just hit delete. Oh, didn't work. Let's re-click the item and delete. Phew now it worked. But at the same time, I managed to delete one key entry from Keepass. From software engineering perspective, this is of course 'invalid user error'. But as we all know, most of people do mistakes. It would be so nice to get option to prompt for entry removal and not just silently dropping it. - Bug, no? - Stupid user, yeah sure. - Potential problem, probably yes. - But this is just so typical for some errors, it's not an (software) error, but it still might cause serious problems. Good design and warning might mitigate this problem.
  • Very nice article about Skip Lists: Done right - But in general, it's bad idea to reinvent the wheel. Sometimes I dislike tons of dependencies and bloat those bring. But in other cases, it would be insanity trying to replicate something which is already well implemented. Changes are that your own implementation is going to be orders of magnitudes worse than the alternate implementation are very very real. In this sense I'm extremely happy about the CLOCK-Pro (PyClockPro) implementation, because it's only marginally slower than LRU even if it's pure python and provides higher hit ratios than the native LRU cache implementation in standard library. Which is actually pretty surprising. I didn't expect that good performance at all. Implementing something like Skip Lists yet can be excellent exercise. There are reasons why many languages implement dequeue, hash tables and dictionaries by default. Also the stdlib is one of the reasons why I love Python so much.
  • I'm just wondering when some Flash / SSD vendors are talking about smaller allocation units that if the operating system will actually ruin everything. If there's even SSD with 512 sector size actually available? What's the benefit? Will the operating system issue minimum of 512 bytes write requests when OS is using 4096 cluster / block? I mean if I read 4096 byte cluster/block and then update one byte in it and write it back. Will the operating system issue to the SSD 4096 bytes or 512 bytes? Probably it doesn't matter, but with large number of small updates it might still reduce write amplification by 8x. I tried Googling around, but I've got no idea. Of course SSD can also internally do the read-modify-write so that it only modifies the changed 512 bytes or even less, there are many optimizations which can be done. Another reason for this question is of course the SATA channel utilization. If I've got really fast SSD and I'm delivering small random write updates, less data means less utilization on channel and more IOPS. There' just so many postings about file systems and operating systems, but this kind of simple question doesn't seem to be covered by most of the articles. My guess is that the cluster/block is the minimum 'update' unit. Yet this brings the question up, why some vendors boast about 512 byte sectors, if it doesn't really matter if the sectors are 4096 or 512 bytes.
  • Configured two systems to use Let's Encrypt. One with Windows 2016 Server with ACMESharp and another on Ubuntu 16.10 (Yakkety Yak) with official Certbot. Of course using automated renewals as recommended every 60 days, at random time + automated retry in case of failure.
  • Bootstrapping a SaaS Startup - That's a pretty good quote: "If You Love Writing Code, You’re Going to Hate Running a SaaS Business". I can honestly say, I like tinkering interesting tech stuff and coding. And don't like so much all the administrative / management tasks which are dropped on you. I'm also bad at marketing and human relations. I just don't care enough about that stuff. But I guess that's nothing new. There were several aspects about sending email etc.
  • I do agree about that. I've tried MailChimp, MailGun and SendGrid. But because I'm nerd, I don't see any problem running my own MX. Actually that's one of the projects, which I might upgrade in fail. Replace the current system with new one, don't know yet which one.