
Privacy, Etags, TLS 1.3, Nearline, Distributed, SSDs, BI, FIDO U2F, Python, Subspace, CMMI

posted Mar 14, 2015, 11:25 PM by Sami Lehtinen   [ updated Mar 14, 2015, 11:26 PM ]
  • Android privacy: email address autocomplete privacy horror. Why are programs so often written by such poor programmers? Why is everything the application sees stored, and why can't you even remove that information?
  • For some reason it seems that CloudFlare converts all ETags to weak ETags. So even if I set a strong ETag, when the browser's request goes via CloudFlare the returned ETag now carries the W/ prefix. If I drop CloudFlare and do the same thing directly, the ETag is strong, i.e. without the W/ prefix.
  • My brain hurts, had again a few discussions about what's the difference between GiB and GB, what's a Gbit, and what's the difference between a bit and a byte.
  • Had a few discussions about cost based vs value based pricing. Cost based model is always bad.
  • Reminded myself about TLS 1.3 and AEAD - KW: TLS handshake, TLS session resumption, TLS False Start, TLS record size optimization, Early termination, OCSP stapling, HTTP Strict Transport Security (HSTS), CCM, EAX, OCB, GCM, AE, MAC
  • Signs that you're a bad programmer. I really liked this article. - Found many issues. Smile. Especially being in a hurry, as well as avoiding overhead by putting something where it doesn't really belong. It depends on project size and scope whether that's OK-ish or really bad. Of course, if required, you can come back later and clean it up. - There's also a clear difference between code written as a temporary prototype and code planned to be something more permanent. - Especially "do whatever it takes" to make it work right now, without researching the topic, sounded pretty familiar for quick prototype testing code. Why write perfect prototype code? If it doesn't work out it's getting discarded anyway. As well as adding temporary unrelated features to an existing application to avoid the overhead of starting a new project. Smile. - It's important to know how these should be done, if it would be worth it. - Also the Pinball Programming made me smile a lot. But that's one of the symptoms of the previous stuff. If you're writing a program that's probably going to be run only once in production, how much time should you waste documenting and fine-tuning it? If it runs once and produces the required results, that's it. - Yet similar code in more widely used programs is 'fatally flawed' and makes everyone else's life hard. - Anyway, the Symptoms list made me smile so hard; there's just tons of stuff there which we all have seen several times, awesome! - I don't want to say anything about the "Unfamiliar with the principles of security" section, because it would be just way too horrible. - But the good thing is that the list was completely familiar and didn't bring surprises. It's just that in some cases there's a decision to knowingly ignore some rules for temporary stuff.
  • People who claim this temporary ignorance is bad are doing it wrong themselves. Why make a mold and cast it from bronze, if quickly cutting it with a knife from styrofoam does practically the same job? Cutting corners when it's suitable is also perfection. Over-engineering can be really expensive. Actually, Mythbusters are also pretty good at cutting corners: how to make something that works with really limited resources, even if they have lately been using pretty large resources.
  • Something different: BrahMos, Durandal, NRO, DigitalGlobe, Gravitational Wave, BICEP and Keck Array, Disc tumbler lock, Lockwiki, KW: Keyhole, Hexagon, Topaz, Crystal
  • Reviewed the source code of one open source project and immediately found two serious bugs. Well, it's good that open source code can be reviewed by anyone. kw: code review, bugs, fixed, python, reviews, commit, patch, fix, bug, git, github, pythonista.
  • Google Cloud Storage Nearline -
  • Checked my SSD wear leveling data, block erasure information, total amount of data written and health. It seems that now, when the SSD drive has been used for 1.5 years, its life status is about 99% left. Which means that I don't need to be particularly worried about 'burning out' my SSD. I highly doubt that current SSD hardware will become obsolete in less than 100 years. Of course there's the little problem of me personally expiring before that happens too. ;)
  • Found a nice trap in one Python project (not my own this time): they used the 'is' keyword to compare two values. But there's a big trap with that in Python. 1 is 1? Ok, 1 is 1+1-1 also works out. But the code used is in totally wrong places. Using is instead of == is a really bad habit, because when values get large enough, it's going to fail. And large doesn't really mean large on the Python int scale at all.
  • There's no now for distributed systems KW: Google Spanner, FLP, CAP theorem, GPS, NTP, Paxos, ACID, Strong Eventual Consistency, Apache Zookeeper
  • Goodbye MongoDB hello PostgreSQL - Key Value storage, JSON indexing, performance, reliability, correctness, consistency, sql, nosql, schemaless, replication, sharding, sharded, distributed.
  • Lol, one unnamed organization got Cryptowall on their server and it also encrypted the backups. So, backing up to media which is connected to the system all the time isn't a great idea either. Like I have said, there should be no option to delete or access earlier backups, just to send more delta data.
  • Yet another SSD endurance test - I'm a heavy user and I've been writing about 1 TB / year to my SSD. So again, I think the drive will become obsolete in less than 100 years, so the actual endurance doesn't matter. Some of the tested drives lived up to over 1 PB of writes.
  • Checked out payment & identification solutions: RuPay, Aadhaar, China UnionPay, JCB, American Express, Diners Club
  • Re-read: ext4 and btrfs man pages, studied Bluetooth 4.2 smart.
  • Several BI articles, kw: data virtualization, etl, web services, soa, esb, information as a service, CIO, CDO, nosql, hadoop, sql, Gartner, SAS Institute Federation Server, SAP Hana, SQL Server Information Services, IBM InfoSphere, JBoss, Composite Software, Informatica, Cisco Data Virtualization Platform, Denodo, Denodo Express. Thoughts: Maybe I should try Denodo Express to see what it really can do.
  • I've been wondering why payments and identity businesses are considered to be separate businesses. Basically payments are just an application of identification. Technically all this stuff is just so simple, once you get the primitives right. By primitives I mean public key stuff, which already exists in easy to use libraries like NaCl. - - When you can identify the user using public keys, users can sign tokens using their private keys, and you can verify those using their public keys, what's so hard? It should all be technically trivial. The whole problem comes from the ecosystem: are solutions supported? How easy are they to use? Are there any transaction fees, who's managing the trust network, and so on. Is it easy to use without a mobile phone, easy to use without a computer, can it be used without the user's authorization, and so on. So after all it turns out there's no simple, universal, easy to use or cheap solution after all. That's the reason why the market is so extremely fragmented. The worst part is getting national laws to accept an authentication solution. If they used this solution to make a contract, can it be enforced legally?
  • Checked out Hypersecu FIDO U2F Security Key - And their blog  
  • Python internals and things you just need to know.
    >>> 256 is 256-1+1 # This will match
    >>> 257 is 257-1+1 # But this won't anymore.
  • If you don't know the environment you're developing for, your code can contain very serious bugs which are hard to spot, because you don't understand the mechanism causing them. Just like the case where ASP's int() worked like floor() in most languages, always rounding "down" even with negative numbers, so -1.1 becomes -2. As well as my failure with Peewee SQL where I didn't realize that not True doesn't match None.
  • Let's see, there's an updated version of the Subspace documentation - I also had a chat with the author 'ctpacia' about this topic.
  • Had training about CMMI project management, product management of a web sales channel, Kanban, Lean, Scrum, Business Model Canvas, KanScrum, analyzing program usage situations and documentation, and using this information to improve software products.
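The CloudFlare ETag item above matters more than it first looks, because HTTP gives weak and strong entity-tags different powers (RFC 7232 section 2.3.2): If-None-Match revalidation uses the weak comparison, so a W/ tag still produces 304 responses, but If-Match (the precondition clients use to avoid lost updates) and If-Range use the strong comparison, which a W/ tag can never satisfy. The following is an added example, not code from the original post; it implements both comparison functions and runs a constructed scenario where the origin emits `"v1"` and the client only ever sees `W/"v1"`. The comma-splitting of header values assumes opaque tags contain no commas.

```python
"""Weak vs strong entity-tag comparison, per RFC 7232 section 2.3.2."""
from typing import List, Tuple


def parse_etag(token: str) -> Tuple[bool, str]:
    """Split one entity-tag into (is_weak, opaque_tag).

    'W/"v1"' -> (True, 'v1');  '"v1"' -> (False, 'v1').
    """
    token = token.strip()
    weak = token.startswith("W/")
    if weak:
        token = token[2:]
    if len(token) < 2 or token[0] != '"' or token[-1] != '"':
        raise ValueError(f"malformed entity-tag: {token!r}")
    return weak, token[1:-1]


def split_etag_list(header: str) -> List[str]:
    """Split an If-Match / If-None-Match value on commas.

    Assumption: opaque tags contain no commas, which holds for the usual
    hash- or version-based tags.
    """
    return [part.strip() for part in header.split(",") if part.strip()]


def weak_match(a: str, b: str) -> bool:
    """Weak comparison: opaque tags equal, the W/ indicator is ignored."""
    return parse_etag(a)[1] == parse_etag(b)[1]


def strong_match(a: str, b: str) -> bool:
    """Strong comparison: both tags strong and opaque tags equal."""
    weak_a, tag_a = parse_etag(a)
    weak_b, tag_b = parse_etag(b)
    return not weak_a and not weak_b and tag_a == tag_b


def if_none_match_hit(header: str, current_etag: str) -> bool:
    """Server may answer 304 Not Modified: If-None-Match uses weak comparison."""
    if header.strip() == "*":
        return True
    return any(weak_match(t, current_etag) for t in split_etag_list(header))


def if_match_allows(header: str, current_etag: str) -> bool:
    """Conditional update may proceed: If-Match uses strong comparison.

    A W/ tag never satisfies If-Match, so a client that echoes back the
    weakened tag it received through an intermediary gets 412 Precondition
    Failed instead of the lost-update protection it asked for.
    """
    if header.strip() == "*":
        return True
    return any(strong_match(t, current_etag) for t in split_etag_list(header))


def demo() -> dict:
    """Constructed scenario: origin tag '"v1"', intermediary hands out 'W/"v1"'."""
    origin = '"v1"'
    seen_by_client = 'W/"v1"'  # what the browser received via the CDN
    return {
        "cache_revalidation_304": if_none_match_hit(seen_by_client, origin),
        "conditional_update_ok": if_match_allows(seen_by_client, origin),
        "direct_client_update_ok": if_match_allows(origin, origin),
    }


if __name__ == "__main__":
    print(demo())
```

Caching keeps working through the weakening (revalidation still hits), which is why the change is easy to miss; what silently breaks is any API that relies on If-Match or If-Range, where the echoed W/ tag is rejected by a conforming origin.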
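On the `is` trap from the code review and the 256/257 snippet above: CPython keeps one shared object for each small integer (-5 to 256), so identity happens to agree with equality in that range and stops agreeing at 257. The following added example (not code from the reviewed project or the original post) computes the compared value at run time rather than from literals, because newer CPython releases constant-fold and deduplicate literals within one expression, which can make a literal-only demo look as if `is` works, and since 3.8 they also warn about `is` with a literal. The functions `recompute` and `first_divergence` are names chosen here for illustration.

```python
"""Why `is` must not be used to compare integer values in CPython."""
from typing import Optional


def recompute(n: int) -> int:
    """Return an int equal to n, produced by arithmetic at run time.

    Doing the arithmetic at run time (instead of writing a literal) keeps
    the compiler's constant folding and constant deduplication out of the
    picture, so the result is whatever object the interpreter allocates.
    """
    return n - 1 + 1


def compare_with_is(a: int, b: int) -> bool:
    """The buggy pattern: identity, not equality."""
    return a is b


def compare_with_eq(a: int, b: int) -> bool:
    """The correct comparison for values."""
    return a == b


def identity_agrees(n: int) -> bool:
    """True when `is` happens to give the same answer as `==` for value n."""
    other = recompute(n)
    return compare_with_is(n, other) == compare_with_eq(n, other)


def first_divergence(limit: int = 10_000) -> Optional[int]:
    """Smallest non-negative value where `is` and `==` disagree.

    CPython caches one object per small int (-5..256), so identity holds
    there and fails from 257 upwards; other implementations may differ.
    """
    for n in range(limit):
        if not identity_agrees(n):
            return n
    return None


def is_unset(value: object) -> bool:
    """Where `is` does belong: testing against the singleton None."""
    return value is None


if __name__ == "__main__":
    print(first_divergence())                        # 257 on CPython
    print(identity_agrees(256), identity_agrees(257))  # True False
```

The value at which the two comparisons diverge is an implementation detail, which is the whole point: code that passes tests with small IDs or counters fails later in production once the numbers grow, and nothing in the failing comparison hints at why. Reserve `is` for singletons such as None, True and False.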
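The "know your environment" item above names two concrete traps, and both can be shown in a few lines. This is an added example, not the original post's code: Python's own `int()` truncates toward zero while `math.floor()` rounds down, so code ported from a language whose int() behaves like floor gives a different answer for -1.1; and a SQL comparison such as `archived != 1` (which is what an ORM expression like `Item.archived != True` amounts to, an assumption about the generated SQL) follows three-valued logic, so rows where the column is NULL are dropped rather than treated as "not true". The table, its rows and the column name `archived` are constructed for the example; it runs on the standard library's in-memory SQLite.

```python
"""Two 'know your environment' traps: int() rounding and SQL NULL logic."""
import math
import sqlite3
from typing import List, Tuple


def int_vs_floor(x: float) -> Tuple[int, int]:
    """Python's int() truncates toward zero; math.floor() rounds down.

    A language whose int() behaves like floor() gives -2 for -1.1;
    Python gives -1, so ported code silently differs for negatives.
    """
    return int(x), math.floor(x)


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table with a nullable boolean column 'archived'."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE item (name TEXT, archived INTEGER)")
    conn.executemany(
        "INSERT INTO item VALUES (?, ?)",
        [("a", 1), ("b", 0), ("c", None)],  # 'c' never had the flag set
    )
    return conn


def not_archived_naive(conn: sqlite3.Connection) -> List[str]:
    """The comparison an ORM emits for 'archived != True': archived != 1.

    NULL != 1 evaluates to NULL (unknown), not TRUE, so the WHERE clause
    rejects row 'c' even though it is certainly not archived.
    """
    rows = conn.execute(
        "SELECT name FROM item WHERE archived != 1 ORDER BY name"
    )
    return [name for (name,) in rows]


def not_archived_null_safe(conn: sqlite3.Connection) -> List[str]:
    """Null-aware form: state explicitly that NULL counts as not archived."""
    rows = conn.execute(
        "SELECT name FROM item WHERE archived IS NULL OR archived != 1 "
        "ORDER BY name"
    )
    return [name for (name,) in rows]


if __name__ == "__main__":
    print(int_vs_floor(-1.1))          # (-1, -2)
    db = make_db()
    print(not_archived_naive(db))      # ['b']
    print(not_archived_null_safe(db))  # ['b', 'c']
```

Neither trap raises an error; both just return a plausible-looking wrong answer, which is why a unit test with a NULL row and a negative value belongs next to any code that crosses a language or database boundary.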