UTF-8, TPM, Nginx, Keyboards, Matrix, Thunderbird, Cloudflare


  1. UTF-8 was the solution? I've been screening lots of files with a UTF-8 BOM, which in some cases causes problems. In Python, opening a file as UTF-8 doesn't handle the BOM (by default) and fails. Instead you'll need to read files using the 'utf-8-sig' encoding: if a BOM is present it's consumed, and if it's not present it's still fine. See UTF-8 BOM (@ Wikipedia); the bytes are EF, BB, BF. Note that using a BOM isn't recommended. It's just an annoyance.
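An added example (not from the original post) of the difference described above: the same JSON file is parsed with and without a BOM under both encodings, using a constructed sample document. With plain 'utf-8' the BOM survives as U+FEFF and json rejects it; with 'utf-8-sig' both variants parse.

```python
import codecs
import json
import os
import tempfile

BOM = codecs.BOM_UTF8  # the three bytes EF BB BF


def write_json(path, with_bom):
    # Constructed sample: a small JSON document, optionally prefixed with a BOM.
    body = json.dumps({"host": "example.test", "port": 8443}).encode("utf-8")
    with open(path, "wb") as f:
        f.write((BOM if with_bom else b"") + body)


def load_config(path, encoding):
    # Returns the parsed dict, or the exception class name when parsing fails.
    try:
        with open(path, "r", encoding=encoding) as f:
            return json.load(f)
    except json.JSONDecodeError as e:
        return type(e).__name__


def compare():
    # Keyed by (encoding, file_has_bom) -> parse result.
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for with_bom in (True, False):
            p = os.path.join(d, "cfg.json")
            write_json(p, with_bom)
            for enc in ("utf-8", "utf-8-sig"):
                results[(enc, with_bom)] = load_config(p, enc)
    return results


if __name__ == "__main__":
    for key, value in compare().items():
        print(key, "->", value)
```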

  2. Microsoft finally fixed the absolutely stupid and enraging concept of continuously prompting for Outlook credentials. Awesome! It took almost a year. Hopefully they also fixed the very dangerous flaws in Windows EFS (file encryption) and BitLocker which could lead to data loss, as it seems they have. This probably has something to do with the TPM issue and credential storage.

  3. Configured a few servers with Nginx so that TLS connections without an acceptable SNI domain name are disconnected immediately after the SNI information is received over TCP. This prevents scanning IP addresses and ports and harvesting domain names from the responses. Often a server serves its default domain when a request comes without a domain name, thereby revealing the server's domain name to a potential attacker / scanner even if they don't know it or ask for any specific name. - Also, the domains served via Cloudflare now require Cloudflare's valid client certificate, which prevents circumventing Cloudflare easily, plus there's the CF IP allow list, which blocks all traffic from outside Cloudflare's published list of CIDRs.
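As an added example (not the author's configuration), Nginx settings that implement both measures: a default server that aborts any TLS handshake whose SNI matches no configured name (ssl_reject_handshake requires nginx 1.19.4 or newer), and on the real vhost Cloudflare authenticated origin pulls plus a CIDR allow list. The certificate paths, the Cloudflare CA bundle path, the include file and www.example.test are assumptions.

```nginx
# Catch-all for handshakes whose SNI matches no server_name below.
# The handshake is aborted, so a scanner gets no certificate, no hostname
# and no default page.
server {
    listen 443 ssl default_server;
    ssl_reject_handshake on;
}

server {
    listen 443 ssl;
    server_name www.example.test;
    ssl_certificate     /etc/nginx/certs/example.test.fullchain.pem;  # placeholder
    ssl_certificate_key /etc/nginx/certs/example.test.key;            # placeholder

    # Authenticated origin pulls: only connections presenting a client certificate
    # signed by Cloudflare's origin-pull CA are accepted (path is a placeholder).
    ssl_client_certificate /etc/nginx/cloudflare_origin_pull_ca.pem;
    ssl_verify_client on;

    # Second layer: only Cloudflare's published edge ranges may reach this vhost.
    # The included file holds one "allow <cidr>;" line per published range and
    # must be regenerated whenever Cloudflare updates the list.
    include /etc/nginx/cloudflare_ips.conf;
    deny all;

    location / {
        proxy_pass http://127.0.0.1:8080;
    }
}
```

Test the catch-all by connecting with a TLS client that sends an unknown SNI: the connection should close during the handshake instead of returning a certificate.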

  4. Long discussion about bad keyboards. But the Ducky One 2 can clearly handle six keys plus shift / control modifiers fine. Some others can't even properly handle three keys pressed simultaneously.

  5. Some more tuning; now some systems are fully Matrix integrated, allowing bot functions as well as command channels to different systems. Perfection (!): E2EE with transport encryption and cross-signing, etc., utilizing matrix-commander (@ GitHub). It was fun to get it done and working well. Now I can use that relay to post to Matrix via my own server and secure network, without having multiple Matrix secure API client setups. - All communication happens over encrypted links, as encrypted messages, using private keys which only my clients control. Nobody else can MitM the traffic at any stage. Awesomeness. - This can be used for many things, but I'm not going to open all of those here.

  6. Configured Thunderbird OpenPGP and replaced the old Enigmail with it. Kind of disliked how they implemented their own key rings instead of using the standard ones. - Sigh. Didn't want to import my 'real keys' into Thunderbird, so I just created new "daily use" keys and cross-signed those with lower trust, just like I've done with many other not-so-trusted devices and environments. Anyway, the pro of this solution is that it's so simple that now anyone can trivially set up encrypted email and use it. kw: email security, encryption, digital signatures, OpenPGP, PGP, GPG, Pretty Good Privacy, ECDH, ed25519

  7. Updated the random number generator to use a 1024-bit internal pool for generating 512-bit randoms. Now it's possible to get PRNG numbers / passwords / random data from a pool which is refreshed 30 times per second from the webcam and urandom, and every minute from 16 other highly random sources, including two remote TRNGs and the Solokeys TRNG. If you need to add one more remote random source to your pool, you can get unique 512 bits at a time from my random number service as hex. Just use this every now and then to stir your own pool; don't generate random bytes in bulk directly from it, it's not designed for that.
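An added example (not the author's generator) of the stirring model described above: a 1024-bit pool into which every source, local or remote, is folded through SHA-512 rather than copied in raw, and from which 512-bit outputs are derived without ever exposing any single source's sample. The class, method names and the source tags are assumptions.

```python
import hashlib
import os


class EntropyPool:
    """1024-bit pool (two 512-bit halves). Sources are mixed in by hashing,
    so a weak or attacker-known source cannot overwrite good entropy."""

    POOL_BYTES = 128  # 1024 bits

    def __init__(self):
        self.pool = bytearray(os.urandom(self.POOL_BYTES))
        self.counter = 0

    def stir(self, source_tag: bytes, sample: bytes) -> None:
        # Each half is replaced by H(half || tag || sample || half-index).
        # The tag domain-separates sources; the index keeps the halves distinct.
        for i in range(0, self.POOL_BYTES, 64):
            h = hashlib.sha512(
                bytes(self.pool[i:i + 64]) + source_tag + sample + i.to_bytes(2, "big")
            ).digest()
            self.pool[i:i + 64] = h

    def refresh_local(self) -> None:
        # The frequent local refresh: fold in 512 bits from the OS CSPRNG.
        self.stir(b"urandom", os.urandom(64))

    def stir_remote_hex(self, hexstr: str) -> None:
        # Occasional stir from a remote 512-bit hex sample; it only perturbs the
        # pool and is never returned to callers as-is.
        sample = bytes.fromhex(hexstr)
        if len(sample) != 64:
            raise ValueError("expected exactly 512 bits (128 hex characters)")
        self.stir(b"remote", sample)

    def get_512(self) -> bytes:
        # Output = H("out" || pool || counter); then ratchet the pool one-way so
        # a later compromise of the pool does not reveal earlier outputs.
        self.counter += 1
        out = hashlib.sha512(b"out" + bytes(self.pool) + self.counter.to_bytes(8, "big")).digest()
        self.stir(b"ratchet", b"")
        return out


if __name__ == "__main__":
    p = EntropyPool()
    p.refresh_local()
    print(p.get_512().hex())
```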

  8. Cloudflare Pages, Workers, KV, Durable Objects, JAMStack (@ Wikipedia). Quite awesome. I haven't felt this excited since the Google Cloud / AppEngine release. Afaik, the only thing still missing from Cloudflare's pack is a distributed database. And no, KV / Durable Objects even with transactions don't cut it. Sometimes you'll just need to make slightly more complex queries than that. It was one of the failings of AppEngine's original database. And of course with strong consistency the transaction rate was pretty dismal, but under ACID, if it's a distributed database with distributed writes, then the transaction rate has to suffer on some level. Definitely going to look for more details. Also one thing which, depending on use case, was a bit of a disappointment was pricing. Depending on workload it was fine, or really expensive. Also with the initial release there were no background workers with higher memory / performance / longer-running tasks. - Therefore some tasks required complex logging to work around the limitations, which of course means that the task wasn't even a good fit for Google AppEngine. I'm sure there are similar limitations here, but for many cases this is pretty awesome. Then just offload the really heavy back-end stuff and analytics etc. somewhere else. It's hard to beat UpCloud / Hetzner pricing in bang-for-buck raw computing ratios.

2022-05-08