
Project management, SMTP STS, HTTP PKP, Cloud Storage, Personnel Security, Rubezh

posted May 25, 2016, 8:00 PM by Sami Lehtinen   [ updated May 25, 2016, 8:01 PM ]
  • More projects with tight schedules, but nobody knows in detail what should be done. We need the system to work by the end of the month. Well, what does 'work' mean? Well, that we don't have any problems and it works. - Ahh, project management and planning as usual. Actually this isn't just one, there are actually quite a few of these open right now. Depending on circumstances, this can be a great or a very bad thing. Anyway, in my experience, these things can be managed, but often it means that the schedule has to give, because it's hard to get stuff done if nobody can tell what needs to be done. It also sets great ground for arguments about whether the project failed. If we don't know what the goal and requirements for the project are, how can we define later whether it failed? I know the customer always tries to blame the software supplier.
  • SMTP Strict Transport Security (STS) - Yeah, it makes sense. Basically I've had all that, but it requires me to manually configure the domains which are strictly checked, like my friends' servers and Gmail and many other services. But the truth is that MOST of the email servers which DO support TLS actually still use self-signed certificates. So that's the reason why I just couldn't enter a blanket term to require a valid TLS certificate from every server. Also a self-signed certificate actually isn't a problem, as long as the server administrator has confirmed the public key fingerprint with me. I've written several blog posts about this. Yes, email IS secure, it just requires you to configure your server to work securely with certain domains. This mechanism would automate the process. This is very similar to the HSTS solution, naturally. KW: TLS, SSL, SMTP, DANE, TLSA, DNSSEC, HPKP, TOFU, CA, DNS, TXT, DMARC, webpki, sts-uri, sts-record, CN, MX, RFC.
  • Public Key Pinning Extension for HTTP (PKP) - Sure, that's a logical extension to what HSTS was. KW: Public-Key-Pins, max-age, pin-sha256, includeSubDomains, Security Considerations, IANA, Super Cookies, Google.
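As an added illustration of the directives listed above (not code from the original post), here is a small Python parser for the Public-Key-Pins header that derives pin-sha256 values from SPKI DER bytes and applies the RFC 7469 rule that a presented chain must match one pin while at least one backup pin stays unmatched. The SPKI byte strings are constructed stand-ins, not real keys.

```python
import base64
import hashlib
from dataclasses import dataclass
from typing import List

@dataclass
class PinPolicy:
    pins: List[str]                  # pin-sha256 values (base64 SHA-256 of SPKI DER)
    max_age: int                     # seconds the pins stay cached, as with HSTS
    include_subdomains: bool = False

def parse_pkp_header(value: str) -> PinPolicy:
    """Parse a Public-Key-Pins header value. Directives are ';'-separated,
    pin-sha256 may repeat, and max-age plus at least one pin are required."""
    pins, max_age, include_sub = [], None, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")   # first '=' only
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "pin-sha256":
            pins.append(val)
        elif name == "max-age":
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None or not pins:
        raise ValueError("Public-Key-Pins needs max-age and at least one pin")
    return PinPolicy(pins, max_age, include_sub)

def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value for one key: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def chain_matches(policy: PinPolicy, chain_spki: List[bytes]) -> bool:
    """A chain satisfies the policy only if one of its SPKIs matches a pin AND
    at least one pin is left unmatched: RFC 7469 demands a backup pin, so a
    header whose every pin appears in the chain is rejected as well."""
    chain_pins = {spki_pin(s) for s in chain_spki}
    matched = any(p in chain_pins for p in policy.pins)
    backup = any(p not in chain_pins for p in policy.pins)
    return matched and backup

# Constructed sample: stand-ins for the DER SPKI bytes of the served leaf key
# and of a backup key held offline (real SPKI comes out of the certificates).
LEAF_SPKI = b"constructed-leaf-spki-der"
BACKUP_SPKI = b"constructed-backup-spki-der"
SAMPLE_HEADER = (f'pin-sha256="{spki_pin(LEAF_SPKI)}"; '
                 f'pin-sha256="{spki_pin(BACKUP_SPKI)}"; '
                 'max-age=5184000; includeSubDomains')
```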
  • Duplicati is an open source backup application. It could support BackBlaze B2 Cloud Storage. It would be nice. Anyway, I personally would opt for a European service provider like hubiC. But I'm sure there would be people who would love to have B2 support.
  • Watched one video where they talked about security etc. They had 'passive' security personnel everywhere. I don't know if it's just me. If access to spaces is highly controlled, what's the point of having security staff everywhere? Security staff is probably the lowest paid group in that building and they might not have any interest at all in what they're doing. I mean it's highly unlikely that people who are very keen on what they're doing end up doing something bad. Also if they don't have any economic incentive because they're paid enough and they've got what they need and more. Also the key personnel are very busy doing what they're supposed to do. They don't simply have time to do something they're not supposed to do if they have a lot of slack time. But the security and cleaning staff probably aren't in the same group after all. They're also kind of 'invisible staff' for the people who do matter or manage the operations. Not going to mention sources, but my experience is that cleaning & security staff might be one of the largest risks in certain environments. - Yet it might not be an optimal situation if you get caught as a security guy for stealing, hah. But the career loss from losing your guard status, compared to some other occupations which might require tens of years of experience, isn't nearly as high. I'm sure there are places where this risk is very acknowledged, but I guess it isn't in many places. Work might also be subcontracted on many levels, so nobody's even sure who the actual person having the access and doing the stuff is. Why? Well, because it just doesn't matter, until it does. - A very important part of the proper personnel security management (PSM) process as mentioned in ITIL. - As in the retail market it's an old known fact that customers steal 50% of the stuff lost and official staff aka employees steal the remaining 50% roughly. I of course don't mean this would always be the case.
I'm sure there are also very vigilant and extremely dedicated and serious security staff, but the risk is out there. - Isn't it so that if you're not very serious about your job, you shouldn't be working there in the very first place? Applies to many other things than security too. What if the low paid security guy gets a million just for picking up that hard drive and dropping it off for someone? Small task for him but still big bucks. I suspect a lot less than a million would get that done easily, especially if you pre-study employees and pick one with money problems.
  • Something different, checked out the RS-26 Rubezh which supports MARV and MIRV. Just wondering when some more aggressive and hostile countries can develop technology like this. Hopefully not too soon. - Yet it could be a story for an agent movie if someone would sell such missiles to the highest bidder. Because I'm pretty sure some entities might want to prevent such a sale from happening.