Telegram, Karn's Algo, Grumpy, Layered Sec, 5 GHz WiFI/WLAN, Shimming, 0-RTT, Let's Encrypt

posted Jul 29, 2017, 10:09 PM by Sami Lehtinen   [ updated Jul 29, 2017, 10:10 PM ]
  • Telegram account deactivation usability fail. You receive a link to deactivate your account over Telegram. You click the link. They ask for your phone number. Then they send a deactivation code via Telegram. You open the chat to pick up the code... and can't return to the code entry window. OK, you can re-open the link, and it prompts again for the phone number... Sigh, endless loop... Actually I didn't try whether the deactivation code is static. So basically you could use the code you received together with the phone number to activate the deactivation. But usability issues like these are just so annoying. Users need to figure out how to 'work around' the bad usability to get things done.
  • Telegram login security fail. I just hacked Telegram production servers. Or they've got a really stupid bug / configuration fail with their servers. Go figure! Hahah. "We detected a login into your account from a new device on ##/01/2017 at ##:##:## UTC. Device: Web Location: Unknown (IP = 10.96.98.136) - The Telegram Team". If you missed the point, study this.
  • I just can't understand some managers. They love meetings, even if there's no value whatsoever in them and a lot of money and time is lost on travel. How about using, let's say, 6 days to get something done, instead of losing them on international travel and 'high level' meetings which won't actually produce anything at all. - I guess everyone has their own style. But I prefer focusing on the things which do matter and produce something substantial.
  • Karn's Algorithm - Good old stuff. Here's a great example of how a naive implementation of an algorithm can lead to not-so-fun issues.
  • I would have liked to publish the automatic firewall management scripting package as open source. But unfortunately it's a work project and therefore the employer's intellectual property. - Made a lot of small improvements in a few days. Now it's absolutely awesome to use and configure. Just set some basic parameters and let it run.
  • Basic stuff: SAML2 integration, OWASP Top 10, the classic 'SAP Integration' blanket integration request. Various talks about NFC and smart token identification, as well as AD-based in-application access control. All very generic stuff.
  • Grumpy - Python in Go - Neat! Gotta try that at some point, when I encounter a situation where I believe it would be beneficial.
  • Layered security? Saved an encrypted blob of data in an encrypted database in an encrypted archive in an encrypted file in an encrypted file system on an encrypted disk. That's a total of six independent layers of encryption. Is my tin foil hat too tight?
  • Great technology again. Sigh! 150 Mbit/s 5 GHz WiFi/WLAN throughput is 33 Mbit/s. And 72 Mbit/s 2.4 GHz WiFi/WLAN throughput is 55 Mbit/s. Graah! But why? Someone claimed that 5 GHz would be faster, but the actual throughput is lower. 2.4 GHz WiFi also provides lower latency than 5 GHz WiFi, even when 2.4 GHz is using 20 MHz bandwidth and 5 GHz is using 40 MHz bandwidth. Also tried ~5.2 and ~5.7 GHz frequencies; it didn't make any difference. KW: Mbps, MB/s, speed, performance, wireless networking, fail.
  • Shimming was finally a success. I had to buy the right kind of thin stainless steel, round off some edges, and bend it into a J shape so it's easy to operate. Many plastics aren't hard enough. Aluminium cracked too easily under tension and fatigue from repeated bending. But this new tool worked easily, quickly and on the first try. The aluminium tool also had sharp edges, which were pretty bad for hands and might leave markings which would give the attempts away.
  • TLS session 0-RTT implementation and security. Early data might be snooped by stealing the session key. Replay attacks are also a concern, classic replay attacks. There should be replay attack protection at the application level; TLS doesn't provide it. One way to work around it is to reject 0-RTT data for certain important messages. But it's almost guaranteed that some developers will forget that. Early data flood resource consumption attack. Performance optimization vs. security trade-offs.
  • Donated money to Let's Encrypt. For better global and free Internet security.
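On the Telegram login alert above: the address in the quoted notification, 10.96.98.136, is in the RFC 1918 range 10.0.0.0/8, so it cannot be the address of a device on the public Internet. A login alert that reports such an address tells you the service recorded the address of one of its own internal hops (a reverse proxy or load balancer) instead of the client's. The following Python is an added example, not code from the post or from Telegram: `classify_ip` flags an alert whose reported address is non-routable, and `client_ip_from_headers` is a hypothetical helper showing the usual fix, taking the client address from X-Forwarded-For only when the direct peer is one of our own configured proxies. The alert text, the proxy ranges and the header values are constructed; the date in the sample alert is a placeholder.

```python
import ipaddress
import re

# Constructed alert text modelled on the notification quoted in the post
# (the date and time are placeholders; the address is the one from the post).
SAMPLE_ALERT = (
    "We detected a login into your account from a new device on 01/01/2017 "
    "at 00:00:00 UTC. Device: Web Location: Unknown (IP = 10.96.98.136)"
)

_IP_RE = re.compile(r"IP\s*=\s*([0-9A-Fa-f:.]+)")


def classify_ip(alert_text):
    """Return (address, internal).

    internal is True for RFC 1918 and other non-routable ranges. Such an
    address in a login alert means the service logged an internal hop
    (proxy, load balancer) rather than the client's real address.
    """
    m = _IP_RE.search(alert_text)
    if not m:
        return None, None
    ip = ipaddress.ip_address(m.group(1))
    return str(ip), ip.is_private


def client_ip_from_headers(remote_addr, x_forwarded_for, trusted_proxies):
    """Hypothetical helper: recover the client address behind reverse proxies.

    Only hops in trusted_proxies are allowed to have appended to
    X-Forwarded-For. Walk the header from the right and return the first hop
    that is not one of our own proxies. If the direct peer is not a trusted
    proxy, the header is untrusted input and the peer address is the answer.
    Malformed addresses raise ValueError; callers should treat that as a bad
    request rather than fall back to the header.
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]

    def is_trusted(addr):
        return any(ipaddress.ip_address(addr) in net for net in trusted)

    if not is_trusted(remote_addr):
        return remote_addr
    hops = [h.strip() for h in (x_forwarded_for or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if not is_trusted(hop):
            return hop
    return remote_addr  # every hop was ours: nothing better to report


if __name__ == "__main__":
    print(classify_ip(SAMPLE_ALERT))
    print(client_ip_from_headers("10.96.98.136", "203.0.113.7, 10.96.98.5", ["10.0.0.0/8"]))
```

The rightmost-untrusted rule matters: taking the leftmost X-Forwarded-For entry lets any client forge its own "source" address, which defeats exactly the kind of new-device alert quoted above.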
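For the Karn's Algorithm note above, here is an added simulation (not the post's own code, and not the example it refers to) of the problem the algorithm solves. A stop-and-wait sender keeps an RFC 6298 style SRTT/RTTVAR estimator; the `karn=True` estimator discards RTT samples for segments that were retransmitted (the ACK is ambiguous) and keeps the backed-off RTO until an unambiguous sample arrives, while the `karn=False` estimator naively times every ACK against the most recent transmission. The network model (0.5 s round trip with a 3 s delay spike, no loss) and the segment count are constructed.

```python
"""Karn's algorithm vs a naive RTT estimator (constructed simulation)."""


class RtoEstimator:
    """RFC 6298 style SRTT/RTTVAR estimator with optional Karn's rule."""

    def __init__(self, karn=True, rto_min=1.0, rto_max=60.0):
        self.karn = karn
        self.rto_min, self.rto_max = rto_min, rto_max
        self.srtt = None
        self.rttvar = None
        self.rto = 1.0  # initial RTO before any sample (RFC 6298 2.1)

    def _sample(self, rtt):
        if self.srtt is None:
            self.srtt, self.rttvar = rtt, rtt / 2.0
        else:
            self.rttvar = 0.75 * self.rttvar + 0.25 * abs(self.srtt - rtt)
            self.srtt = 0.875 * self.srtt + 0.125 * rtt
        self.rto = min(max(self.srtt + 4.0 * self.rttvar, self.rto_min), self.rto_max)

    def on_timeout(self):
        # Second half of Karn's algorithm: back off, and keep the backed-off
        # value until an unambiguous sample arrives (both variants do this).
        self.rto = min(self.rto * 2.0, self.rto_max)

    def on_ack(self, send_times, ack_time):
        """Return the RTT sample taken, or None if the ACK was ignored.

        send_times holds every transmission time of the segment; more than
        one entry means it was retransmitted and the ACK is ambiguous.
        """
        if self.karn and len(send_times) > 1:
            return None
        # Naive choice: time against the most recent transmission. When the
        # ACK was really for the original copy this underestimates the RTT,
        # the RTO shrinks, and the next delayed segment times out even sooner.
        rtt = ack_time - send_times[-1]
        self._sample(rtt)
        return rtt


def rtt_at(send_time):
    """Constructed network: 0.5 s round trip, with a 3.0 s queueing spike for
    anything transmitted in [5, 12). Nothing is ever lost, so every
    retransmission the sender makes is spurious."""
    return 3.0 if 5.0 <= send_time < 12.0 else 0.5


def run_scenario(karn, n_segments=16):
    """Stop-and-wait sender; returns spurious retransmits and RTT samples."""
    est = RtoEstimator(karn=karn)
    t, retransmits, samples = 0.0, 0, []
    for _ in range(n_segments):
        send_times = [t]
        deadline = t + est.rto
        while True:
            # The first ACK to arrive comes from whichever copy returns first.
            ack_time = min(s + rtt_at(s) for s in send_times)
            if ack_time <= deadline:
                break
            t = deadline  # timer fired: retransmit and back off
            send_times.append(t)
            est.on_timeout()
            deadline = t + est.rto
            retransmits += 1
        t = ack_time
        rtt = est.on_ack(send_times, ack_time)
        if rtt is not None:
            samples.append(rtt)
    return {"retransmits": retransmits, "samples": samples, "final_rto": est.rto}


if __name__ == "__main__":
    for karn in (True, False):
        r = run_scenario(karn)
        bogus = [round(s, 3) for s in r["samples"] if s not in (0.5, 3.0)]
        print("karn" if karn else "naive", r["retransmits"],
              "spurious retransmits; samples that match no real RTT:", bogus)
```

With Karn's rule every recorded sample is a real round trip (0.5 s or 3.0 s) and the spike costs two spurious retransmissions. The naive estimator records samples of 2.0 s and about 0.76 s while the true RTT is 3.0 s, pulls the RTO down on the strength of them, and retransmits a third time; in a lossy network that feedback loop is what turns a delay spike into a retransmission storm.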
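For the 0-RTT note above, this added Python example (not the post's own code) sketches the two application-level defences the note calls for: state-changing requests that arrive as TLS early data are refused with the 425 Too Early status from RFC 8470 so the client retries after the handshake, and every state-changing request carries a client-chosen nonce that a bounded single-use cache refuses to execute twice, which covers replays that TLS itself does not catch. The request shapes, the `Idempotency-Key` header, the `ReplayGuard` class and the `demo` sequence are constructed; the `Early-Data: 1` header is the one RFC 8470 defines for a TLS-terminating proxy to pass the early-data flag on.

```python
import time

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
TOO_EARLY = 425  # HTTP status from RFC 8470: retry after the handshake


class ReplayGuard:
    """Hypothetical single-use nonce cache bounded by a time window.

    The window must be longer than any delay at which a replayed copy could
    still be accepted, or the nonce becomes reusable once it has been evicted.
    """

    def __init__(self, window_seconds=10.0, clock=time.monotonic):
        self.window = window_seconds
        self.clock = clock
        self._seen = {}  # nonce -> time first seen

    def first_use(self, nonce):
        """True the first time a nonce is seen within the window."""
        now = self.clock()
        for old in [n for n, t0 in self._seen.items() if now - t0 > self.window]:
            del self._seen[old]
        if nonce in self._seen:
            return False
        self._seen[nonce] = now
        return True


def handle(request, guard, app):
    """request: {"method", "path", "headers", "early_data"}; returns (status, body).

    early_data is set by the TLS layer when the bytes arrived as 0-RTT data;
    a TLS-terminating proxy signals the same with the Early-Data: 1 header.
    """
    method = request["method"]
    headers = request.get("headers", {})
    early = bool(request.get("early_data")) or headers.get("Early-Data") == "1"

    # Rule 1: important (state-changing) messages never ride in early data.
    # The client retries once the handshake has completed.
    if early and method not in SAFE_METHODS:
        return TOO_EARLY, "retry after handshake"

    # Rule 2: replay protection at the application level, independent of TLS.
    # A second copy of a state-changing request inside the window is refused
    # instead of executed twice. A GET with side effects is still exposed,
    # which is why the safe-method set must really be side-effect free.
    if method not in SAFE_METHODS:
        nonce = headers.get("Idempotency-Key")
        if not nonce:
            return 400, "missing Idempotency-Key"
        if not guard.first_use(nonce):
            return 409, "replayed request"

    return app(request)


def demo():
    """Constructed request sequence; returns the status codes observed."""
    clock = [0.0]
    guard = ReplayGuard(window_seconds=10.0, clock=lambda: clock[0])
    app = lambda req: (200, "ok")  # the real application would act here
    transfer = {"method": "POST", "path": "/transfer",
                "headers": {"Idempotency-Key": "tx-0001"}, "early_data": True}
    statuses = [handle(transfer, guard, app)[0]]       # 425: arrived as 0-RTT
    transfer = dict(transfer, early_data=False)
    statuses.append(handle(transfer, guard, app)[0])   # 200: first use of nonce
    statuses.append(handle(transfer, guard, app)[0])   # 409: replayed copy
    clock[0] = 11.0
    statuses.append(handle(transfer, guard, app)[0])   # 200: nonce aged out of window
    balance = {"method": "GET", "path": "/balance",
               "headers": {"Early-Data": "1"}, "early_data": False}
    statuses.append(handle(balance, guard, app)[0])    # 200: safe method in early data
    return statuses


if __name__ == "__main__":
    print(demo())
```

The last status in the sequence shows the limit of rule 1: early data is fine for a read, so the decision has to be made per message, which is exactly the step the note expects some developers to forget.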