
Summer reading 2014 memos

posted Aug 20, 2014, 8:57 AM by Sami Lehtinen   [ updated Aug 20, 2014, 8:59 AM ]
Here are a few comments, highlights and keywords / phrases from the books I've been reading during the summer:

Secure IPv6 Deployment book

DHCPv6 is defined in RFC 3315, Dynamic Host Configuration Protocol for IPv6. RFC 3646, DNS Configuration Options, defines options for configuring a list of DNS name servers and domain search lists. RFC 3736, Stateless Dynamic Host Configuration Protocol (DHCP) Service for IPv6, defines the subset of RFC 3315 that needs to be implemented for stateless DHCPv6. RFC 3898, Network Information Service (NIS) Configuration Options, defines four options for configuring NIS services. RFC 4014, Remote Authentication Dial-In User Service (RADIUS) Attributes Suboption for the RFC 4075, Simple Network Time Protocol (SNTP) Configuration Option for DHCPv6, defines an option for obtaining a list of SNTP servers' addresses.

(called M for managed and O for other) in Router Advertisements (RA). When the M flag is set to 1, DHCPv6 should be used for address assignment. Link-scoped All_DHCP_Relay_Agents_and_Servers multicast address (FF02::1:2). All_DHCP_Servers site-scoped multicast address (FF05::1:3).

Cryptographically Generated Addresses (CGAs), also called Hash Based Addresses, Secure Neighbor Discovery (SEND) protocol RFC 3971, and they have been proposed for use with the Site Multihoming for IPv6 (SHIM6) protocol. Host Identity Protocol (HIP). IPv6 such as OSPFv3 routing, mobility, and even neighbor discovery (see Section 5.4).

Explicit congestion notification (ECN), extended sequence numbers (ESN) and extensible authentication protocol (EAP). RFC 4430 Kerberized Internet Negotiation of Keys (KINK). IKEv2 Mobility and Multihoming Protocol (MOBIKE). RFC 5386 Better-Than-Nothing-Security. RFC 3173 IP Payload Compression (IPComp), RFC 2394 IP Payload Compression Using DEFLATE, RFC 2395 IP Payload Compression Using LZS. IP payload compression is especially useful when IPsec based encryption is applied to IP datagrams. Computer Security Incident Handling Guide.
DSTM (Dual Stack Transition Mechanism), Carrier-Grade NAT (CGN) and Dual-Stack Lite, 6over4, 6to4, ISATAP, Teredo Protocol. All of the tunneling mechanisms discussed above (6over4, 6to4, 6rd, ISATAP, Teredo, and IPv6 tunnel broker) tunnel IPv6 packets within an IPv4 network. DSTM does the opposite, tunneling IPv4 packets within IPv6.

Using Application Layer Translation. Three generic approaches to building application gateways are: RFC 2767 covers Bump in the Stack (BIS). The translation takes place in an endpoint, so IPv4 applications can run on an IPv6 host. The translation uses SIIT and maintains address mappings from an IPv4 address pool. BIS converts DNS AAAA records to A records. Bump in the API (RFC 3338) is designed to provide the same capability as BIS, but the translation occurs between IPv4 and IPv6 APIs, that is, between the sockets layer calls and the TCP/IP implementation. RFC 4057, IPv6 Enterprise Network Scenarios. MACsec: A Security Solution that Protects LANs from Internal Threats.

A Complete Guide on IPv6 Attack and Defense!

Lastly, do not forget to join security mailing lists such as Security Focus and Full Disclosure, so that we can obtain an early alert when new vulnerabilities are found by researchers. ICMPv6 neighbor advertisement. Secure Neighbor Discovery (SEND). Smurf attack. Denial of service. As for the attacker, the exploitation and host enumeration techniques must be changed due to the large address space on IPv6. Reconfiguring the firewall and utilizing an intrusion detection system in order to detect reconnaissance, enumeration, and scanning must be done!

Hauser, Van. (2008). Attacking the IPv6 Protocol Suite. Retrieved October 8, 2011, from http://freeworld.thc.org/papers/vh_thc-ipv6_attack.pdf
Hauser, Van. (2011). THC-IPv6 CCC-Camp Release. Retrieved October 8, 2011, from http://thc.org/thc-ipv6/

Guidelines for the Secure Deployment of IPv6, Recommendations of the National Institute of Standards and Technology. NIST undertook the development of a guide to help educate federal agencies about the possible security risks during their initial IPv6 deployment. This document provides guidelines for organizations to aid in securely deploying IPv6. Federal Information Security Management Act (FISMA) of 2002, Public Law 107-347. NIST. This document is intended primarily for network engineers and administrators who are responsible for planning, building, and operating IP networks, as well as security engineers and administrators who are responsible for providing Information Assurance support. Anyone interested in deploying IPv6 technologies and related security implications may also find the document useful. Mobile IPv6 and OSPFv3. Mobile IPv6 (MIPv6) is Administrators of IPv4 networks typically can recall multiple IPv4 network and host addresses; remembering multiple IPv6 network and host addresses is more challenging.
It should be noted that there are no defined mechanisms for security or registration for anycast, nor is there a way to verify that a response to a packet sent to an anycast address was sent by an interface authorized to do so. This leaves open the possibility of impersonating anycast servers. Broadcast Addresses. Broadcast addressing is a common attribute of IPv4, but is not defined or implemented in IPv6. Multicast addressing in IPv6 meets the requirements that broadcast addressing formerly fulfilled.

In IPv6, link local, site local, and global addresses were defined; later, it was realized that site local addresses were not well enough defined to be useful. Site local addresses were abandoned and replaced with unique local addresses. Unique local addresses (ULAs) may be routable within an enterprise. Use of unique local addresses is not yet widespread; see RFC 4193, Unique Local IPv6 Unicast Addresses, for more information. A more generalized form of IPv4-embedded IPv6 addresses has been defined (RFC 6052), to aid the process of automated translation from one type of address to the other.

IPv6 address allocation is a work in progress. Organizations should familiarize themselves with ARIN's wiki, which contains general information about IPv6 as well as pointers to relevant ARIN policies. ICANN, Global Policy for Allocation of IPv6 Space. Direct Assignments from ARIN to end-user organizations and Policy Proposal 2005-1, Provider-independent IPv6 Assignments for End Sites. IPv4. RFC 3177, IAB/IESG Recommendations on IPv6 Address Allocations to Sites, documents an ongoing effort to provide the latest information for the Internet community regarding current practices, status, and clarifications for IPv6 address allocations.

Open Shortest Path First version 3 routing protocol. An amplification attack, resulting in severe congestion and DoS, can be caused by a packet with a Routing Header containing multiple instances of the same address.
Packets containing hop-by-hop extension headers must be analyzed at every node along the forwarding path, and can potentially cause a resource consumption attack. Extension headers can also be used as a "covert channel" to hide communications between two systems, e.g., in Destination Options. To achieve secure IPv6 operations, it is crucial that network administrators and managers understand the design of ICMPv6 and how it functions. Managers. In IPv6, all links must handle a datagram size of at least 1280 bytes, and the minimum recommended MTU is 1500 bytes. Multicast Listener Discovery (MLD). Stateless address autoconfiguration (SLAAC).

Interior Gateway Protocols (IGPs) are designed for use within an autonomous system (AS), that is, among routers that are all controlled by the same enterprise or organization. Exterior Gateway Protocols (EGPs) are designed for exchanging routes between autonomous systems, such as between network carriers or between a large enterprise and its network service providers. Open Shortest Path First (OSPF) is a link-state hierarchical Interior Gateway Protocol (IGP). RIP enhancements for IPv6, detailed in RFC 2080, also known as RIPng. IS-IS is an IGP that advertises link-state information throughout the network to create a picture of the network topology. IS-IS is The authentication fields found in OSPFv2 have been removed from the OSPFv3 packet for IPv6, so MD5 is not an authentication option. OSPFv3 offers no integrity assurance features itself and relies OSPFv3 messages are vulnerable to replay attacks, which can lead to DoS attacks, Central Processing Unit (CPU) overload, and localized routing loops.

TSIG, the Secret Key Transaction Authentication protocol, is described in a fourth RFC (RFC 2845). Several architectural approaches to IPv6 multihoming have been considered.
These are described in detail in RFC 4177: One example of site-based multihoming that is currently being considered within the IETF is the Locator/ID Separation Protocol (LISP). Protocol Independent Multicast - Sparse Mode (PIM-SM) (RFC 4601). Denial of service attacks may use multicast to amplify bandwidth consumption or attempt to exhaust other resources. So-called reflector attacks may send packets with a source address of the target of attack and a multicast destination address, to try to get all multicast receivers to respond to the target. IPsec coverage for multicast is incomplete.

The most important terms are:
Mobile Node (MN). A node using MIPv6 to change its point of network attachment.
Home Address (HoA). The permanent, routable unicast address of the MN.
Home Link. The link on which the MN's HoA is defined.
Foreign Link. Any link except the home link.
Care-Of Address (CoA). A routable unicast address used by the MN on a foreign link.
Correspondent Node (CN). A peer with which the MN is communicating.
Home Agent (HA). A router on the MN's Home Link with which the MN registers its CoA and which forwards traffic to and from the MN at its CoA.
Binding. The association of a HoA and CoA for a given amount of time.
Binding Cache (on HA or CN). A table of other nodes' bindings and their lifetimes.
Binding Update List (on MN). A MN's table of HA and CN bindings.

Unfortunately, many implementations of MIPv6 don't support using IPsec between the MN and the HA, so they are vulnerable to man-in-the-middle attacks. IKEv2 is also not widely supported by these implementations. IPsec Security Policy Database (SPD) and Security Association Database (SAD). difficult. RFC 4285, Protocol for Mobile IPv6 Authentication, describes a shared-key, lightweight alternative to IPsec for securing communications between a MN and its HA designed specifically for 3GPP2 networks. The MIPv6 HA is a single point of failure.
Switching HAs requires detecting failure, finding an alternative HA, transferring state, and reestablishing security. Different solutions are possible: a MN could maintain connectivity with a hot spare HA, the HA could share state with backup systems, or the MN could, in effect, start over when a failure is detected.
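The two extension-header abuses the NIST notes above single out (a Routing Header that repeats the same address, and hop-by-hop headers that every node on the path must process) can be spotted by walking the header chain. The following is an added example, not code from the book or the NIST guide: a small Python walker over the IPv6 extension-header chain, with the sample packets constructed inline from documentation addresses (2001:db8::/32).

```python
import ipaddress
import struct
from collections import Counter

# Next-header values of the extension headers this walker understands.
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS, NO_NEXT = 0, 43, 44, 60, 59
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS}

def ipv6_header(src, dst, next_header, payload_len, hop_limit=64):
    """Build a 40-byte IPv6 fixed header (constructed test data only)."""
    return struct.pack("!IHBB16s16s", 6 << 28, payload_len, next_header, hop_limit,
                       ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed)

def rh0(addresses, next_header):
    """Build a (deprecated) type 0 routing header listing the given addresses."""
    body = b"".join(ipaddress.IPv6Address(a).packed for a in addresses)
    # hdr ext len counts 8-octet units beyond the first 8 bytes: two per address.
    return struct.pack("!BBBBI", next_header, len(body) // 8, 0, len(addresses), 0) + body

def hop_by_hop(next_header):
    """Build a minimal 8-byte hop-by-hop header holding a single PadN option."""
    return struct.pack("!BB", next_header, 0) + b"\x01\x04\x00\x00\x00\x00"

def walk_ext_headers(pkt):
    """Return ([(type, offset, length), ...], upper_layer_protocol) for pkt."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    chain, nh, off = [], pkt[6], 40
    while nh in EXT_HEADERS:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        # Fragment header is fixed size; the others carry hdr ext len in 8-octet units.
        hlen = 8 if nh == FRAGMENT else (pkt[off + 1] + 1) * 8
        if off + hlen > len(pkt):
            raise ValueError("extension header runs past end of packet")
        chain.append((nh, off, hlen))
        nh, off = pkt[off], off + hlen
    return chain, nh

def inspect(pkt):
    """Flag the two extension-header patterns the notes above single out."""
    chain, _upper = walk_ext_headers(pkt)
    findings = []
    for nh, off, hlen in chain:
        if nh == HOP_BY_HOP:
            # Every forwarding node must examine it: resource-consumption risk.
            findings.append(("hop_by_hop", hlen))
        elif nh == ROUTING and pkt[off + 2] == 0:
            # Count the addresses an RH0 carries and how many of them repeat,
            # the pattern behind the amplification attack described above.
            addrs = [pkt[i:i + 16] for i in range(off + 8, off + hlen, 16)]
            repeated = sum(1 for c in Counter(addrs).values() if c > 1)
            findings.append(("rh0", len(addrs), repeated))
    return findings

# Constructed samples: a plain packet, and one carrying a hop-by-hop header
# followed by an RH0 that lists the same two addresses twice.
BENIGN = ipv6_header("2001:db8::1", "2001:db8::2", NO_NEXT, 0)
_RH = rh0(["2001:db8::a", "2001:db8::b", "2001:db8::a", "2001:db8::b"], NO_NEXT)
_HBH = hop_by_hop(ROUTING)
SUSPICIOUS = ipv6_header("2001:db8::1", "2001:db8::2", HOP_BY_HOP,
                         len(_HBH) + len(_RH)) + _HBH + _RH

if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, inspect(pkt))
```

On a real sensor the same walk would run over captured frames, and a non-empty `inspect()` result is what to alert or drop on.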

Incorporate USA

Finished reading all HCP Quant quantitative investment fund (public) documentation

I did highlight loads of stuff, but I'm not going to quote Finnish text. I was mostly curious about fees, and how fees are calculated based on what, etc. What situations are favorable for the fund so that it can charge customers more, etc.

Validating Product Ideas Before Building Them

Oftentimes the core problem is that the entrepreneur has succeeded in solving a problem which no one has. You can try to find customers for a solution to a problem which no one has, but it's like pushing a piece of string. My favorite symptom of an unmet need for software is any Excel spreadsheet which is ever updated by one employee, sent to a second employee, updated, and then sent back. Every time that happens a SaaS angel gets its wings.

The Profitable Side Project Handbook

Profitable Side Projects. This book is about creating profitable side projects. It isn't about building the next big thing, and retiring on your millions in three years' time after an acquisition by Facebook. Lean Startup concept of the MVP (Minimum Viable Product).

SaaS projects book

Mobile app stores (iOS & Android), web app stores (Chrome, Google Apps, Intuit and Force). Expensify offers simple expense reports to the end user just by scanning receipts. To the controller/VP of Finance, Expensify offers better compliance with spend policies, a huge challenge for most companies of any scale. Similarly, Salesforce offered easier to use CRM to salespeople and better metrics for the sales manager. Yammer offers employees a better communication mechanism to end users and offered the IT department compliance controls. Expensify focuses on users suffering with the greatest relevant pain: salespeople filing expenses. Salespeople are a great target community because they try new products quickly, are very vocal with their support or displeasure and are tremendous networkers. Winning their support means thousands of tweets/brand impressions like these monthly: The SMB and SOHO markets require a wholly new marketing approach that may seem counterintuitive at first, but when implemented well, can build very large businesses.

SaaS pricing book

SaaS pricing is a black art and other folks in the industry have suffered so you don't have to. Here's some of what we've learned that can, literally, 10X your revenue. Google Website Optimizer.

Good Data Analysis

Profiling your data early on helps to ensure your work throughout the analysis; you'll notice sooner when something is "off." In cases of Simpson's paradox, a trend appearing in different groups of data disappears when the groups are combined and looked at in aggregate. It illustrates the importance of looking at your data by multiple dimensions. I'd argue that no data is better than incorrect data in most cases. Make sure the base layer of your analysis is correct. Much like a good trial attorney, you need to think ahead and consider the audience of your analysis and the questions they might ask.

Preparing: you'll need to hold some assumptions throughout your work. These need to be explicitly stated when you're sharing results. Additionally, your stakeholders are crucial in helping you determine your assumptions. You should be working with them and other domain experts to ensure your assumptions are logical and unbiased.

Check your work: it seems obvious, but people just don't check their work sometimes. I can assure you that your audience would rather your results be correct than quick. I find it useful to regularly check the basic statistics of the data (sums, counts, etc.) throughout an analysis in order to make sure nothing is lost along the way, essentially creating a trail of breadcrumbs I can follow backwards in case something doesn't seem right later on. Lastly, the whole process should be a conversation with stakeholders; don't work in a silo. In the end, remember that data analysis is most often about solving a problem and that problem has stakeholders; you should be working with them to answer the questions that are most important, not necessarily those that are most interesting. Interesting doesn't always mean "valuable." (Principles of good data analysis, 23 Mar 2014: "Data analysis is hard.")

Offshore Asset Protection for the European Community

Managing your economy

It's funny that nothing is enough for most of us. We waste our energy on subjects that are absolutely meaningless.

Fantasy Tarsnap

Stripe is on Enterprise, bam. Appointment Reminder is on Small Business, bam. Run a design consultancy? Professional, bam. Easy, predictable, fair pricing. A no-fault terminate. PCI-DSS compliance, etc etc. Here's what I'd tell a contract designer hired to re-do the Tarsnap CSS and HTML: "Competitors to Tarsnap include Backblaze, SpiderOak, Mozy, and the like. People who could make the decision to use Tarsnap might be familiar with and generally appreciate Twilio, Sendgrid, and Stripe.

TRIZ book

Why Learn TRIZ? People feel confident when they are developing solution concepts in familiar realms of knowledge and experience. Conversely, we tend to shy away from potential solution concepts which are outside While the ideas may have been very intriguing during the brainstorming session, the team goes on to develop those ideas that are within their range of knowledge and experience. A teacher cannot pour knowledge into the head of her students. Knowledge has to be created by the student and integrated into what he or she has already learned. We approach the ideal of "making what we can sell" rather than "selling what we can make".

ARIZ, SuField analysis, SIT (systematic inventive thinking), ASIT (advanced systematic inventive thinking), USIT (unified structured inventive thinking), JUSIT (Japanese version of unified systematic inventive thinking), TRIZICS (a methodology for the systematic application of TRIZ).

Pricing strategies, Dynamic Pricing, Time-based pricing

Kalzumeus posts

I once wrote an article about salary negotiation. If you go by the numbers, it created more value for more people than any other single thing I've ever written. (I keep a label in Gmail for when folks tell me they got a raise as a direct result of advice in there.)

Enterprise Service Bus (ESB)

Enterprise Service Bus (ESB): software architecture model, service-oriented architecture (SOA), a software architectural model for distributed computing, enterprise application integration (EAI). Resolve contention between communicating service components. Control deployment and versioning of services. Marshal use of redundant services. Cater for commodity services like event handling, data transformation and mapping, message and event queuing and sequencing, security or exception handling, protocol conversion and enforcing proper quality of communication service. Enterprise messaging system. No global standard for enterprise service bus concepts or implementations. Message-oriented middleware in combination with message queues as technology frameworks. Message Exchange Bus, enterprise application integration, The Information Bus or TIB, Software Bus, Information Bus, 1987 the first TIB. ESB is a modular and component based architecture.

Message queuing (MQ), data consumers, active listeners, event messages, subscribers, commodity, routing of messages, data transformations, compressing and encrypting data, transformation and conversion of multiple protocols. Delegation of protocol conversion, mapping and transformation. Event handling, event processing. Protocol conversion - transparently translate between communication protocols (e.g., HTTP, FTP, REST, SOAP, JSON, DCOM, CORBA, SAP RFC etc.). Mapping - transfer between tabular data formats. Staging (buffering) component that usually is implemented as a message queue and can be controlled and used by internal and external services at discretion. Temporary failure of services as well as being able to reschedule processing in case of a processing error of a service.
Business applications, enterprise message model, ESB has to transform the message, software adapter, transport protocols, service mapping. Routing: addressability. Mediation: adapters, protocol transformation, service mapping. Messaging: message-processing, message transformation and message enhancement. Event processing: event-interpretation, correlation, pattern-matching. Other quality of service: security (encryption and signing), reliable delivery, transaction management. Management: monitoring. Agnosticism: general agnosticism to operating systems and programming languages. Message Exchange Patterns, integration with legacy systems. Security: a standardized security model to authorize, authenticate and audit. Transformation: facilitation of the transformation of data formats and values. Validation against schemas for sending and receiving messages. Enriching messages from other sources. Split and Merge: the splitting and combining of multiple messages and the handling of exceptions. Queuing and staging: queuing, holding messages if applications temporarily become unavailable or work at different speeds. Lightweight service bus technologies, but there is often ongoing tension. Key disadvantages: increased overhead, slower communication speed, especially for those already compatible services. Enterprise Integration Patterns, Universal Integration Platform, enterprise application integration, business integration.

Decentralized Networking

MaidSafe, TeleHash, ZeroTier, "Zero Configuration".

SQLite4-LSM

SQLite4 LSM Design Overview.

European Data Protection Handbook

The right to data protection, The European Convention on Human Rights, Balancing rights, Freedom of expression, Access to documents, Freedom of the arts and sciences, Protection of property, DATA PROTECTION TERMINOLOGY, Personal data, Main aspects of the concept of personal data, Anonymised and pseudonymised data, Data processing, Controllers and processors, Consent, The elements of valid consent, The right to withdraw consent at any time, THE KEY PRINCIPLES OF EUROPEAN DATA PROTECTION LAW, The principle of lawful processing, The requirements for a justified interference under the ECHR, The principle of purpose specification and limitation, Data quality principles, The data relevancy principle, The data accuracy principle, The limited retention of data principle, The fair processing principle, Transparency, Establishing trust, The principle of accountability, THE RULES OF EUROPEAN DATA PROTECTION LAW, Rules on lawful processing, Lawful processing of non-sensitive data, Lawful processing of sensitive data, Rules on security of processing, Elements of data security, Confidentiality, Rules on transparency of processing, Information, Notification, Rules on promoting compliance, Prior checking, Personal data protection officials, Codes of conduct, THE DATA SUBJECT'S RIGHTS AND THEIR ENFORCEMENT, The rights of data subjects, Right of access, Right to object, Independent supervision, Remedies and sanctions, Requests to the controller, Claims lodged with the supervisory authority, Claim lodged with a court, Sanctions, TRANSBORDER DATA FLOWS, Nature of transborder data flows, Free data flows between Member States or between Contracting Parties, Free data flows to third countries, Free data flow because of adequate protection, Free data flow in specific cases, Restricted data flows to third countries, Contractual clauses, Binding corporate rules, Special international agreements, DATA PROTECTION IN THE CONTEXT OF POLICE AND CRIMINAL JUSTICE, CoE law on data protection in police and criminal justice matters, The police recommendation, The Budapest Convention on Cybercrime, EU law on data protection in police and criminal matters, The Data Protection Framework Decision, More specific legal instruments on data protection in police and law-enforcement cross-border cooperation, Data protection at Europol and Eurojust, Data protection in the joint information systems at EU level, OTHER SPECIFIC EUROPEAN DATA PROTECTION LAWS, Electronic communications, Employment data, Medical data, Data processing for statistical purposes, Financial data.