Topic mega dump 2015

posted Jan 6, 2015, 10:44 AM by Sami Lehtinen   [ updated Jan 6, 2015, 10:44 AM ]

Start of 2015 topic mega dump. Unordered random stuff. Just leaving it here.

  • Wrote a tool which checks if database replication is working as it is supposed to. If there are any differences, detailed reports are generated. I just wonder why nobody has done this before. This is just the usual situation. Developers claim that everything is working, Operators say that no, it isn't working. Nothing is done and the problem goes on for years. Even though writing an additional tool to check and automatically document any problems would be trivial. Been there, done that, just so many times I can't even count it with longint.
  • Had to deal with CERT guys. A few servers got hacked, and what did they use the hacked servers for? Of course for hacking more servers. Then I found a log list containing administrative account credentials for a few hundred Windows servers. Which all seem to nicely respond to 3389. But I didn't dare to log in without Tor, so I didn't actually try any.
  • Experienced a few stability issues with OpenBazaar and its ZeroMQ implementation. Client might crash or hang and requires frequent restarts to work reliably. Can that even be called working reliably, given the constant restarts, duh! It also seems that they have some problems with peer and connection management. System might make ~100 parallel TCP connections to the same node as well as constantly keep 100+ "half open" SYN_SENT connections to peers which never respond etc. I've also heard reports about DHT routing table and peer information not expiring in reasonable time, causing a situation where connections to "gone" peers are attempted over and over again, even though those are gone. With networks like OpenBazaar which naturally have high node churn, this isn't good behavior. If the network were bigger, this could easily be used as an attack tool against smaller TCP-based services.
  • Wondered about administrators who install a RAT (remote access tool) without a password. Lol, yes, it's very handy. Anyone anywhere can connect and do whatever. It's also an especially good idea to install the RAT using the System account, so you can easily also reset the Administrator account password remotely, in case you happen to forget it.
  • There was a long discussion about whether data should be stored in a database or as files. Well, if you really think about it. As far as I know, a file system is just a hierarchical key value storage. It's no different from a standard dictionary implementation. You can store dictionaries in dictionaries, called directories, and then you can access keys which are file / directory names and content is what it is.
    Just as FTP doesn't have to have anything to do with files. Nor HTTP with pages. Anything can be relayed / mapped over anything and encoded inside it. Many ERP related FTP servers actually do not handle files. They serve data blobs from a database; just as I said earlier, a file system is a database. There's actually no way for the user to know whether the FTP server handles files as files are known to the host operating system on the server running the FTP server. It's only about when it's smart to use some specific method due to its common availability. Like I said, my integration systems do run over multiple protocols, sftp, ftps, ftp, scp, http(s), json, rest, xml, csv, smtp, webservice. Doesn't matter, it really doesn't matter, it's just bits technically.
  • Donated money to GnuPG project, because it really is essential privacy / security tool.
  • DNSSEC allows DDoS via reflection and amplification of attacks. Is DNSSEC bad? What should be done to fix it?
  • In Finland a DDoS attack against OP Bank also caused its ATMs and Credit & Bank Cards to fail. But why? It's clear that system separation isn't done properly. If an attack against a web site brings the whole bank down, there's something wrong with how they have implemented their infrastructure. I guess military guys could tell them why Out of Band is a great idea. Relying on the public internet is a vulnerability waiting to be exploited.
  • Someone just woke up to my earlier comments about "anything over anything". This one is just about yay, we could pass bits over an SSH connection. "Why aren't we using SSH for everything".
  • The Hidden Costs That Engineers Ignore - Been there done that, nothing new in this article. But if you're an engineer who's just doing the stuff, without the big picture, this is well worth considering. KW: Code Complexity, System, Hidden, Product, Organizational, Simplicity, Focus, Modular Structure, Interfaces and APIs, Standardization, Refactor when required, Prune unused features & code, Themes.
    Complexity isn't always even so hidden. In some cases engineers decide to make things simpler by using "this, our very complex data model/structure" as a standard integration format. Isn't that great? Why isn't it? Well, because the data format is so darn complex, it's really hard to decode to any reasonably simple format. But guess what? This only leads to a situation where everyone else doing the integration has to deal with that awful and extremely complex format. Bugs and slow & expensive development are guaranteed, in every integration case. Real win, isn't it?
  • Dark Internet Mail Environment Architecture and Specifications (DIME) - Yet another private email implementation which does allow Mixed mode including Dark and Naked messages, also introduced Dark/Multipurpose Internet Mail Extension (D/MIME) and utilizes Onion (Tor) as one routing option, Dark Mail Transfer Protocol (DMTP).
  • ThunderStrike 31c3 - Hacking Apple EFI. Protecting software and hardware from unauthorized modifications.
  • Bad performance isn't a problem, until it is. - That's well said. In many cases, programmers don't mind performance at all. And develop programs which consume ridiculous amounts of resources, by doing things in some silly way. I've had multiple interesting discussions with my friends about this topic. How low can you really go? I mean good versus bad performance, if you just bother to think about how things should be done and why.
  • We love surveillance [31c3] - Yeah, that's about it. Well said. Why would anyone like to have privacy or encryption, isn't it simply aiding terrorists and criminals?
  • Apple HSTS super cookies - With some browsers, HSTS can be used to create Super Cookies which can't be removed. Privacy flaws are just about everywhere.
  • Reminded myself about Remote Desktop / Terminal Server - RDP security settings, Encryption High, NLA, TLS security, etc.
  • Steve Gibson from GRC introduced SQRL (YouTube) - He also covers many of the authentication related topics pretty well on the video.
  • wifiphisher - Automated WiFi / WLAN phishing attack tool.
  • StackExchange performance - How they handle 560 Million page views every month. It's all about performance.
  • PostgREST - Automatic RESTful API generation from PostgreSQL database. Exactly what I said earlier. It's not so hard to just map data to an alternate format. This tool fully automatically generates a RESTful API for a whole PostgreSQL database. Yes, it's probably not the optimal way of doing things. But it's still a generic and quick way to get things done, quite simply, if that's required. Very cool stuff after all.
  • How does the SQLite3 work, part 1, part 2
  • I love simple and efficient solutions. Large standards which try to be everything for everyone are just horrible. Trying to do some simple things over those is usually ridiculously hard, because there's so much overhead on too complex implementations.
  • Dangers of public wifi use. Nothing new. Nobody reads the ToS, so it could say anything. It would be interesting to make a ToS which allows me to abuse all of your accounts: when you use my wifi, it's ok to MitM you and steal your data. Because you agreed to it when you started using my wifi.
  • How Hong Kong protesters are connecting without cell or wifi networks. - Firechat, decentralized, mesh networked messaging application.
  • PostgreSQL outperforms MongoDB. This just shows how great PostgreSQL simply is. It's just such a refined and tuned application. Real workhorse for handling data.
  • Not a bash bug - Posting about Shellshock
  • All of my friends are now running their own mail servers and all connections are now encrypted and authenticated using: ECDHE-RSA-AES256-GCM-SHA384
  • Should you use ORM or just plain SQL? Do you use ORM extensively, or only ORM? Do you use SQL at all? Because I've been having my problems with ORM and as far as I can see, often the only way to debug ORM problems is complete understanding of the SQL statements it generates and running those through EXPLAIN. This post made me smile, because when debugging things, I've thought exactly the same.
  • Credit Card Debt, how they maximize it? - I just received an e-invoice from my bank. Only problem is that it really sucks. The invoice contains tons of rows, and then the payment information is about the minimum payment you can make, so they can charge all kinds of fees from you. But guess what? What's the amount I should pay to avoid these surcharges? Well, it's nowhere to be found. You'll need to copy paste the invoice to a spreadsheet ( Excel / Libre Calc ) and then calculate the sum of the rows to find out the final sum you're going to pay if you're any smart. Absolutely horrible user experience and usability. So much fail! I really don't know who designed this, but I think they're clearly trying to maximize the amount of loan people are having.
  • Making sure crypto stays insecure. - This is how we're all being seriously misled into trusting cryptography given to us. Just use it, it's guaranteed to be safe. Sure.