SPDY, Drinking Water, Automated Monitoring, Backup, SHA-3, Mozilla Persona

posted Sep 30, 2012, 7:08 AM by Sami Lehtinen   [ updated Feb 4, 2014, 9:14 AM ]
  • Updated and enabled mod_spdy for my server s.sami-lehtinen.net, now it seems to work without segfaulting.
  • Studied water treatment and purification systems & methods of getting safe drinkable water in case of crisis when water network is unavailable. Mapped possible nearby alternative water sources.
  • Last Friday I enabled automated monitoring for web, sql, mail, backup etc servers. Now I get automated alerts if something isn't working as expected.
  • Fully automated secure backup system has been now running perfectly for a few weeks. Daily, encrypted, off-site backups, with monitoring system (mentioned earlier) which alerts us, if backups aren't up to date. Backups are created using Duplicity, which is quite nice backup tool and supports multiple cloud services. I have also made several restore everything tests and I'm very happy with current situation. Earlier I updated generic home backups only monthly, a few key files were backed up whenever updated. But backing up everything daily is much better solution. Some people complained that it's slow to restore data from cloud. Yeah, we do have local backups too. Off-site backups are just for the worst case scenarios. In normal situations data can be restored from local backup. But if site has burned down, flooded or earthquake (not really likely in Finland) or airliner destroys it, we still got our data safe and sound.
  • I'm waiting for SHA-3 competition winner to be announced, it seems that there aren't any official news yet. I assume that after a while some applications might implement Skein even if it's not chosen.
  • Played with Web Sockets (Python & read specifications again). Arr, too complicated for most of lightweight apps. Google's Channel API is much simpler, and makes it really easy to pass small amount of data to client. (Yes, it's only one way method.) It's not full featured as web sockets, but it's enough and much simpler to use. I hope there will be great websockets library, which hopefully will hide all complexities from developers also while maintaining security. But in generic terms websockets are just hideously complex thing. As I said, I still very much prefer simplest solution which will fulfill known future requirements. Here's also nice article about websockets.
  • Coursera / Stanford Crypto course is quite challenging.
  • Checked out again Mozilla Persona (ex BrowserID) and I still don't like it. If it would be any PKI / challenge based system, with random ID it would be ok. But because it's tied to something old and funny like email it's simply bad. Because now your account security rests on email providers security, which is notoriously bad. I just wrote what's wrong with Yahoo Mail, and I'm sure there are many worse than that email providers out there. It's absolutely horrible to first create high security systems with encryption and then allowing bypassing those by having access to one email address. Doh! I just don't get it. Persona / BrowserID details.
    I think it was in Donald Duck where Beagle Boys tried to hammer safe door open. They found out that they couldn't crack / open the door. But when they finished their attempt with the door, they noticed that all the walls of the building had crumbled around the door. Yep, that's the way. Huge 20 ton front door, and then there is basic home door behind the building for staff and people who have forgotten their password to pass through the front door. That is exactly what it is. This also applies to all password reminders and other absolutely ridiculous person identification backup schemes. With some sites it's also impossible not to give password recovery information and some sites do not accept anything good as password recovery key. If password is 20 characters of random (about 120 bits of entropy) then password recovery key should be 40 characters or bytes (80 chars of hex in hex encoding) of random data with high entropy. But is my dead dog's name comparable to that key strength? I don't think so.
    I would love to see solution which provides strong anonymous authentication. Well, as I said earlier, TOTP is one way to do it. Except I would prefer longer auth key than 8 digits.
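
The strength comparison above (random password, recovery key, TOTP code length), as an added example that is not part of the original post: a standard-library TOTP per RFC 6238 (HMAC-SHA1) with a configurable code length, plus entropy estimates for the code and for random secrets. The function names and the 64-symbol alphabet assumed for the 20-character password are assumptions made here; the secret is the published RFC 6238 test key, not a real credential.

```python
import hashlib
import hmac
import math
import struct

# RFC 6238 Appendix B test secret for SHA-1 (public test data).
RFC_TEST_SECRET = b"12345678901234567890"


def totp(secret: bytes, unix_time: int, digits: int = 8, step: int = 30) -> str:
    """Return the TOTP code for unix_time (RFC 6238, HMAC-SHA1)."""
    # The truncated value is 31 bits, so it never has more than 10 digits.
    if not 6 <= digits <= 10:
        raise ValueError("digits must be between 6 and 10")
    counter = struct.pack(">Q", unix_time // step)       # time-step counter T
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                               # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def code_entropy_bits(digits: int) -> float:
    """Upper bound on the guessing entropy of a single code.

    Each decimal digit carries log2(10) bits, but the RFC 4226 truncation
    keeps only 31 bits of the HMAC, which caps what extra digits can add.
    """
    return min(digits * math.log2(10), 31.0)


def random_secret_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string over the given alphabet."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print("8-digit code at t=59:", totp(RFC_TEST_SECRET, 59))
    for d in (6, 8, 10):
        print(f"{d}-digit code: at most {code_entropy_bits(d):.1f} bits")
    # Assumption: the 20-character password uses a 64-symbol alphabet.
    print("20 random chars:", random_secret_bits(20, 64), "bits")
    print("80 hex chars (40 bytes):", random_secret_bits(80, 16), "bits")
```

A one-time code is only a short proof that the holder knows the shared secret, so its length limits online guessing within one time step, while the strength of the scheme still depends on the secret itself.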