Minio, SQL Server 2016, Hack, FaaS, Asking Questions, ISP=CA, Data Security, Serial Flow Control

Post date: Oct 8, 2016 8:35:40 AM

  • Checked out Minio.io Minio Cloud Storage, which is Amazon S3 compatible. Nice, yet unfortunately I don't have time to play with it. Just gave a few glances at the documentation.
  • Installed a few MS SQL Server 2016 instances to play and test stuff with. Of course also used SQL Server 2016 Management Studio (SSMS) with them.
  • The Dropbox hack is real - A really nice post by Troy Hunt about the Dropbox password leak / hack.
  • Checked out a couple of Function-as-a-Service (FaaS) services.
  • Julia Evans: Asking Questions - Sure. We've all been there. Strange edge cases, digging deep into why something works the way it works. Why something 'random' isn't as random as you think; you just don't know what the trigger is. As is often said, tech is so deep nowadays that you'll NEVER know nearly enough. Every day you need to learn more and more. After doing this for decades, often when people claim something is surprising, it actually isn't. It's just the usual case, maybe in a bit different context. Most often it's nothing new at all. Memory leaks, race conditions, some strange way to trick a program into doing something unexpected. All of it just so normal. Yes, it might be a 'bomb' in a high-profile program. But in general it's just yet another normal design or implementation bug, and therefore nothing particularly interesting. Kernel privilege escalation via some other bad code. That's actually why it's very important to study the most common failures, because those are the failures you're most likely to encounter. Over and over again. It's quite rare that you'll actually find something you could call interesting. And for the more experienced guys, that's business as usual. You said you found something new? Actually this failure category was documented several decades ago. What's the new part here?
  • I just realized my ISP is also a globally trusted root CA. Which means that they could trivially forge any HTTPS cert on the fly and do MitM snooping on their customers. Don't trust HTTPS / SSL / TLS certs, those are just a major scam.
  • Anyway, data security is something nobody actually wants. Most people see it just as a source of so much trouble. And that's something I can agree with. The same of course applies to all other security. Data security isn't a "separate field", it's just a slice of the pie. So many systems are just fundamentally flawed by design that it's almost utterly pointless trying to fight against that.
  • Many seem to prefer plain text over the network, because the HTTPS / SSL / TLS stuff is so complex and hard. But I guess this topic is like passwords, shared secrets, authentication etc. It's all been covered over and over again. Nothing new, the same stupid discussions over and over again, and yet no solution. Things are just as they are, and maybe it's better just to accept it. The flaws of the system are well known, and when somebody exploits them, it shouldn't come as a surprise to anyone.
  • About "new problems". One guy said he was experiencing data loss. After a quick check I found out that he was using a high-speed serial link without flow control. Well, what would you expect? High-speed link, slow devices and no flow control. Isn't it kind of stupid to complain about data loss? It's something everybody should immediately expect when not using flow control at all. Just enable software flow control (XON/XOFF), or hardware flow control with Data Terminal Ready, or RTS/CTS (RTR). Check the configuration on both devices, and make sure that the cable pins are connected correctly. It isn't that hard after all. It's just so common to see mis-connected cables or mis-configured devices that this is all totally expected behavior unless you've verified all the related details.
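As an added example (not from the original post), here is how to turn on RTS/CTS and XON/XOFF flow control on a POSIX serial port with Python's standard termios module, read the settings back to verify they actually stuck, and check that both ends of the link agree on a mechanism. The attribute list used for the offline demo and the /dev/ttyUSB0 path are constructed placeholders, and the DTR/RTS ioctl is Linux-specific.

```python
"""Enable and verify serial flow control with termios (added example).

Not from the original post. Uses only the Python standard library on
Linux/BSD; the device path and the sample attribute list are constructed.
"""
import fcntl
import os
import struct
import termios

XON, XOFF = b"\x11", b"\x13"   # DC1 / DC3, the usual software flow-control bytes


def sample_attrs():
    """Constructed stand-in for termios.tcgetattr(fd): a port someone set up
    for 115200 8N1 with NO flow control at all (the data-loss configuration)."""
    cc = [b"\x00"] * termios.NCCS
    cc[termios.VMIN], cc[termios.VTIME] = 1, 0
    return [0, 0, termios.CS8 | termios.CREAD | termios.CLOCAL, 0,
            termios.B115200, termios.B115200, cc]


def with_flow_control(attrs, hardware=True, software=False):
    """Return a copy of a tcgetattr() list in raw mode with the requested flow
    control. hardware = RTS/CTS (CRTSCTS); software = XON/XOFF (IXON|IXOFF)."""
    iflag, oflag, cflag, lflag, ispeed, ospeed, cc = attrs
    cc = list(cc)
    # Raw mode, so the line discipline does not translate or eat bytes itself.
    iflag &= ~(termios.IGNBRK | termios.BRKINT | termios.ISTRIP
               | termios.INLCR | termios.ICRNL)
    oflag &= ~termios.OPOST
    lflag &= ~(termios.ECHO | termios.ECHONL | termios.ICANON
               | termios.ISIG | termios.IEXTEN)
    cflag = (cflag & ~(termios.CSIZE | termios.PARENB)) \
        | termios.CS8 | termios.CREAD | termios.CLOCAL
    if hardware:
        cflag |= termios.CRTSCTS
    else:
        cflag &= ~termios.CRTSCTS
    if software:
        iflag |= termios.IXON | termios.IXOFF
        cc[termios.VSTART], cc[termios.VSTOP] = XON, XOFF
    else:
        iflag &= ~(termios.IXON | termios.IXOFF | termios.IXANY)
    cc[termios.VMIN], cc[termios.VTIME] = 1, 0   # block for at least one byte
    return [iflag, oflag, cflag, lflag, ispeed, ospeed, cc]


def flow_control_status(attrs):
    """Report which flow-control mechanisms an attribute list enables."""
    iflag, _, cflag, _, _, _, _ = attrs
    return {
        "rts_cts": bool(cflag & termios.CRTSCTS),
        "xon_xoff": bool(iflag & termios.IXON) and bool(iflag & termios.IXOFF),
    }


def ends_agree(local, remote):
    """Both ends must share at least one mechanism; otherwise one side keeps
    transmitting while the other is trying to tell it to stop."""
    return any(local[k] and remote[k] for k in ("rts_cts", "xon_xoff"))


def configure_port(path, hardware=True, software=False, raise_dtr_rts=True):
    """Apply flow control to a real port and return what the driver reports
    after the fact: tcsetattr() silently drops bits the hardware lacks."""
    fd = os.open(path, os.O_RDWR | os.O_NOCTTY | os.O_NONBLOCK)
    try:
        new = with_flow_control(termios.tcgetattr(fd), hardware, software)
        termios.tcsetattr(fd, termios.TCSANOW, new)
        if raise_dtr_rts:
            # Assert DTR and RTS so the peer sees us as ready (Linux TIOCMBIS).
            fcntl.ioctl(fd, termios.TIOCMBIS,
                        struct.pack("I", termios.TIOCM_DTR | termios.TIOCM_RTS))
        return flow_control_status(termios.tcgetattr(fd))
    finally:
        os.close(fd)


if __name__ == "__main__":
    # Placeholder device path; compare the result against the other end.
    print(configure_port("/dev/ttyUSB0", hardware=True, software=False))
```

The read-back in configure_port is the part worth copying: a USB-serial adapter or a three-wire cable without RTS/CTS lines will accept CRTSCTS and then behave as if it were never set, which looks exactly like the "random" data loss in the story above.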