posted Sep 2, 2012, 11:29 AM by Sami Lehtinen
updated Feb 17, 2013, 4:19 AM
- Studied Transactional Memory a bit more; it's a really interesting topic. Intel is adding TM to Haswell. IBM is using Transactional Memory with supercomputers. The PyPy project is going to implement a software Transactional Memory implementation. Wikipedia software transactional memory article.
- Solidpass - Nice! Their authentication application also confirms that the user actually knows what they "sign" or confirm with 2FA / TOTP authentication.
Options: Event-based One-Time Password (OTP), Time-based One-Time Password (TOTP), Transaction Authentication Number (TAN), Two-step verification, PIN control mandatory/optional, Security Question, Challenge-Response, Mutual Authentication. (Multi-factor, multifactor, twofactor, two-factor, authentication)
Prevents: Man-In-The-Middle, DNS Cache Poisoning, Trojans, Man-In-The-Phone, Browser Poisoning - Excellent! Finally a solution that actually addresses these issues. Many 2FA alternatives claim to fix them, but it's not true. As long as the user authenticates "something" without knowing what is being authenticated, i.e. there is no transaction data signing, most MitM attacks (however they are technically executed) still work. Their solution is also OATH compliant.
- Reminded myself about TOTP 2FA (RFC-4226), OATH - Initiative for Open Authentication (OAuth, RFC-6238)
So if the same table (or another table that is just as easy to steal) contains the TOTP seeds, what's the use in that case? The service got hacked, and the user account password hashes and their TOTP 2-way authentication keys were stolen at the same time. Hmm, yeah. There's always a fail. So 2-way authentication doesn't really help against hacking, but it still makes a major difference because many people simply choose bad passwords, which can be guessed even without the password hashes. I also installed Mobile-OTP for Android.
The Google Authenticator (GAuth) project also uses TOTP, although they deliver the secret using a different encoding compared to most clients, which means that the secret might require conversion. Like it did with Mobile-OTP.
- Studied perfect paper passwords (PPP) by Steven Gibson Research Corporation.
- Studied MYPROBE bittorrent releaser research project: "Monitoring, identifYing & PROfiling BitTorrent publishErs".
- Closed my Facebook Confidentially project. It would have required an overhaul to a high replication database on Google App Engine, but because there were just a few active users, I decided to abandon the project. Yes, the app was in "read only" mode until all messages were delivered or expired, so nobody lost anything.
- MongoDB 2.2 - Concurrency Internals in MongoDB v2.2 - Also refreshed my memory about the CAP Theorem. I just wonder why there aren't yet Cross-Group (XG) transactions for MongoDB; it would be a reasonably simple solution to work around complex two-phase commit or distributed transactions. The current write locking is also quite crude, but I assume it will be fine-tuned later.
- Spent one day studying the latest military tech: UAVs, stealth technology, inertial navigation, ring laser gyros, military ship weapon systems, secure satellite communication, electronic warfare (EW) and submarine sonars, silent propulsion systems, air-independent propulsion (AIP), baffles, multi-beam, beamforming & side-scan, towed-array sonar. Sonic boom and reducing it, project SBiDir-FW. Using phased array antennas on WLAN devices would improve performance a lot!