Poka-Yoke, HTTP/3, HTTP/2, POODLE, Auth, Spy Museum (Berlin)

  • Poka-Yoke - What an excellent concept. This should be just as true for software. Way too many systems are absolute traps. If anything is even slightly off, everything seems to be working, there are no warnings, but total disaster is guaranteed. As an example, if a system is misconfigured so that it's totally insecure or leads to data corruption, how about requiring users to confirm this at least once? Like with dangerous operations on the command line, where --force or something similar is often required. Unfortunately this remains a common issue with software and many processes. No warning flags, but destruction and mayhem are guaranteed from even the slightest configuration mistake in a complex system, with no fail protections in place whatsoever. Very closely linked to defensive design. In normal software design, the plug sample from the defensive design article would lead to the user being electrocuted, because they connected the socket incorrectly, so that the ground (and/or 0) and phase are now incorrectly connected. Also see defensive programming. Sometimes I feel that software is designed to be some kind of prank show stuff. It's full of traps, and we're just waiting to see which ones you're going to trigger. First you'll get hit by the bucket of water above the toilet door, and then you're going to use the hair dryer full of talc, the towel is covered with honey, the hot water is disconnected from the shower, and the list goes on. Offensive programming isn't as offensive as it sounds.
  • HTTP/3 explained - Thank you for this. Yet not in a sarcastic way this time. Lovely!
  • Hyper HTTP/2 Client for Python - Studied, played with and tested the Python H2 client. Tried parallel streams with my test server's RESTful JSON API. Also checked out Hyper-h2, a pure-Python HTTP/2 protocol stack, which will allow easy implementation of standalone server-side code if and when required. In quick testing I found several issues, like sending plaintext requests to an HTTPS server, failure to negotiate H2 with servers which do support H2 with cURL, and so on. It's quite clear why this is an alpha library. The H2 connection also failed with Cloudflare and Google, which both should support H2 and responded perfectly with the HTTP/2 protocol when using cURL. Seems like I'll be retesting this library when I actually need it, not earlier.
  • Zombie POODLE and GOLDENDOODLE - TLSv1.2 vulnerabilities which can be avoided by using TLSv1.3. Immediately checked our services and found no problem whatsoever: first of all, only TLS 1.2 and TLS 1.3 are supported, and of the cipher suites only EECDH CHACHA20-POLY1305 and EECDH AESGCM are supported. This basically means that the attacks won't work at all, as old-school CBC cipher suites are excluded. CCM modes have also been rejected for a long time as being really inefficient. With some older servers there was the problem of using OpenSSL version 1.1.0g, which doesn't contain support for TLS 1.3 cipher suites.
  • Once again had a long, long discussion about authentication with colleagues and how many issues it resolves. The primary problem is, once again, fragmentation and lack of trust. Even though plenty of technologies are available, they aren't being used. Many quirky and non-secure workaround solutions are actually being used instead, like "secure email". Proper E2EE with trusted signed authoritative private keys. Nothing new, all this has been available for decades, but it's still not being used.
  • Visited the DDR Museum and the Spy Museum in Berlin. Well, needless to say, the art of propaganda, communication surveillance, controlling dissent and deciding what's true and what's false is an age-old matter. No, I didn't mean 2000+ years old, I did mean much older than that. Lots of old radio equipment and spy gadgets and, of course, age-old methods of covert and secret messaging.
  • Something slightly different? The Iridium NEXT constellation is finally ready. Awesome. Carrying ADS-B receivers for Aireon and providing global air traffic location information (only for equipped planes of course).
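
The check described in the Zombie POODLE item, combined with the "require --force" idea from the Poka-Yoke item, as an added example that is not code from the original post: it audits an OpenSSL cipher list for non-AEAD (CBC) suites, CCM and non-ECDHE key exchange, and refuses to build a weak server context unless explicitly forced. The function names, the `force` parameter and the sample entries are assumptions made for illustration.

```python
import ssl

HARDENED = "EECDH+CHACHA20:EECDH+AESGCM"  # the two suite families named above

def audit(ciphers, min_version):
    """Findings for cipher dicts shaped like SSLContext.get_ciphers() output."""
    findings = []
    if min_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLSv1.2 are allowed")
    for c in ciphers:
        name = c["name"]
        if not c["aead"]:
            findings.append(f"{name}: non-AEAD suite (CBC or stream cipher)")
        elif "CCM" in name:
            findings.append(f"{name}: CCM mode")
        # TLS 1.3 suites (TLS_*) always use ephemeral key exchange.
        if not name.startswith(("TLS_", "ECDHE-")):
            findings.append(f"{name}: key exchange is not ECDHE")
    return findings

def checked_context(cipher_string=HARDENED,
                    min_version=ssl.TLSVersion.TLSv1_2, force=False):
    """Build a server context; refuse a weak one unless force=True."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    findings = audit(ctx.get_ciphers(), min_version)
    if findings and not force:
        raise ValueError("refusing weak TLS config (force=True overrides): "
                         + "; ".join(findings))
    ctx.minimum_version = min_version
    return ctx

# Constructed sample entries, not captured from a real server.
SAMPLE_WEAK = [
    {"name": "ECDHE-RSA-AES256-SHA384", "protocol": "TLSv1.2", "aead": False},
    {"name": "AES128-GCM-SHA256", "protocol": "TLSv1.2", "aead": True},
]

if __name__ == "__main__":
    for line in audit(SAMPLE_WEAK, ssl.TLSVersion.TLSv1_2):
        print("finding:", line)
    ctx = checked_context()
    print(len(ctx.get_ciphers()), "suites enabled with", HARDENED)
    try:
        checked_context(min_version=ssl.TLSVersion.TLSv1)
    except ValueError as exc:
        print(exc)
```
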

2020-04-26