SSL, Surveillance, Creeping Normality, HTTPS, OVH, Google DC, Subnets, Bug

  • Once again, had a long and boring discussion about HTTPS with self-signed certificates versus plain HTTP. It seems that many people believe HTTP is more secure than HTTPS with a self-signed certificate, thanks to the misleading warning messages.
  • Read a long article by the EFF about the use of face recognition at airports, in travel etc., and how you can't opt out of it (as an international traveller). Well, that's quite an expected development, unfortunately.
  • Creeping normality and Normalization of Deviance (Diane Vaughan). It's so normal in organizations: because we've got defence in depth, it doesn't matter if stage X doesn't work. And when this policy is applied at every stage, then failure is simply guaranteed. SWIM (someone who isn't me) is taking care of this situation. And it's normal in software development too: it doesn't work, so what, it's totally normal and expected that it doesn't work. Or did you really expect it to work? + laugh.
  • The edge protection system also records positive data about currently permitted IP addresses and networks. Benefit? In case of a serious attack, it's trivial to reverse the rules: gray traffic will be blocked instead of allowed. This is the case where it's very beneficial to have positive rating history data, instead of only collecting negative rating data. Of course this will probably block some allowed traffic too, but it's still much easier to build a whitelist when you've got good background data. Default allow -> default deny / reject approach.
  • HTTPS Everywhere @ Wikipedia: just wondering where it stores its data. I'm kind of annoyed that it's so hard to pinpoint the location. I have to run a few tests to be sure whether there's some hidden data storage. If it works as it seems to work, they're once again doing something they shouldn't: storing hidden data about the sites you're accessing, and you can't modify or see the stored data. I particularly hate this class of applications / software, which do something behind my back and store it for eternity.
  • OVH is so full of it: wrong invoices, terminated services being invoiced, refunds taking months and so on. Once again their performance is so absolutely devastatingly poor that it raises the question whether their true intent is only to sabotage and annoy customers. Also their customer service and helpdesk is truly a helldesk.
  • Google's Data Centers 2019 (YouTube Insider's Look) - A nice talk about Google infrastructure and data centers.
  • Wondered for a while about the subnet 100.64.0.0/10, which is a private-scope, reserved address block for Carrier-grade NAT (CGN / CG-NAT / LSN / NAT44 / NAT444), RFC 6598.
  • Interesting issue; it started once again as the classic long discussion about whether something is a bug or not. All the usual ground was covered: is it a bug (an error in the implementation) or an invalid specification, who is responsible for the specification, why didn't the test cases cover this specific case, and so on. In the end, the issue was outside the original design scope, so it wasn't included in any of the tests, and technically the code worked exactly as specified, so at least it clearly wasn't a bug. Anyway, the issue was quickly identified and fixed and the customer was happy, which is the most important aspect. From a technical perspective it's hard and expensive to build a test suite for custom code that covers all possible (and impossible) use cases. Some guys said testing should have caught the problem; well, no, because the problem existed only because the data fed into the system was outside what was specified to be possible. Yet it didn't crash the system or cause a DoS, even though that would have been technically possible, had the message exploited this issue together with source-code-based knowledge of how to turn it from its current occurrence into maximum impact, crashing the process. Now both paths have been closed: the initial issue is fixed by modifying the code (it's not a bug fix! It's a change), and the case which could have crashed the process has also been fixed and now emits a log warning about the unexpected data structure.
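
The positive-history edge protection idea from the bullet above, as an added example (not the system described on this page): history is kept per network for both permitted and rejected traffic, and one flag flips the filter from default-allow to default-deny so that gray traffic with no positive history is rejected. Thresholds, the /24 and /64 aggregation, the `EdgeFilter` class and the sample history are all constructed for the example.

```python
"""Positive-history edge filter: default allow normally, default deny under attack."""
import ipaddress
from collections import defaultdict

# Hypothetical thresholds chosen for the example.
BAD_LIMIT = 3   # this many negative events blocks a network in either mode
GOOD_MIN = 5    # positive events needed to stay allowed in lockdown mode

def network_key(ip: str) -> str:
    # Aggregate history per /24 (IPv4) or /64 (IPv6) so neighbours share a rating.
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

class EdgeFilter:
    def __init__(self):
        self.good = defaultdict(int)   # positive rating history per network
        self.bad = defaultdict(int)    # negative rating history per network
        self.lockdown = False          # False = default allow, True = default deny

    def record(self, ip: str, permitted: bool) -> None:
        # Record both outcomes; collecting only negatives would leave no whitelist basis.
        key = network_key(ip)
        if permitted:
            self.good[key] += 1
        else:
            self.bad[key] += 1

    def decide(self, ip: str) -> str:
        key = network_key(ip)
        if self.bad[key] >= BAD_LIMIT:
            return "deny"                   # known bad: blocked in both modes
        if not self.lockdown:
            return "allow"                  # normal operation: default allow
        # Under attack only networks with established positive history pass;
        # gray traffic (no history) is rejected instead of allowed.
        return "allow" if self.good[key] >= GOOD_MIN else "deny"

def replay(lines):
    # Feed constructed "<ip> ok|bad" lines into a fresh filter and return it.
    f = EdgeFilter()
    for line in lines:
        ip, flag = line.split()
        f.record(ip, flag == "ok")
    return f

# Constructed sample history (documentation ranges, not real traffic).
SAMPLE = ["198.51.100.10 ok", "198.51.100.10 ok", "198.51.100.11 ok",
          "198.51.100.12 ok", "198.51.100.13 ok",
          "203.0.113.7 bad", "203.0.113.7 bad", "203.0.113.8 bad"]
```

With `SAMPLE` replayed, an unseen address in 192.0.2.0/24 is allowed while `lockdown` is False and denied once it is set, whereas 198.51.100.0/24 keeps passing on its positive history.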

2020-06-28