
Web Service Security, TeamLab, Bitsquatting, Innovator's Dilemma, db X-trackers, email security, GCM, etc.

posted Nov 24, 2012, 11:17 PM by Sami Lehtinen   [ updated Nov 3, 2013, 10:08 AM ]
  • Studied one payment integration, which relies completely on SSL. I don't know if that's a good design. All shared keys are sent as plain text over the HTTPS connection. As far as I know, it would be much better to use derived hashes. Those would A) make sure the message payload hasn't been changed B) authenticate the message sender, without revealing the shared key directly. Of course this solution works well, but it might be dangerous in case there is a DNS hijack or something similar where traffic isn't going where it is supposed to. We also know that SSL certificates aren't really trustworthy, so having an additional signature isn't too bad an idea. We also know that there are tons of SSL "clients" out there which actually do not verify certificates, and often if there are certificate issues, users are instructed to configure systems so that certificates are ignored. (Duh!) But this is just my AFAIK, IMHO, FUD comment.
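    As an added illustration of the derived-hash approach argued for above (example code written for this post, not the payment provider's integration or the original author's code), the block below signs a payload with an HMAC derived from the shared key and verifies it on the receiving side. The shared key, the payload fields and the tampered values are constructed sample data; the point is that only the tag travels on the wire, so a misdirected or intercepted message still does not reveal the key, and any change to the payload invalidates the tag.

```python
import hashlib
import hmac
import json

# Constructed sample: a shared key that both parties hold out-of-band.
# In real use this is never sent in the message itself.
SHARED_KEY = b"constructed-example-key-do-not-reuse"


def canonical_bytes(payload: dict) -> bytes:
    """Serialize deterministically so sender and receiver MAC identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_message(payload: dict, shared_key: bytes) -> dict:
    """Attach an HMAC-SHA256 tag derived from the shared key.

    The tag proves (a) the payload was not modified in transit and
    (b) the sender knows the shared key, without exposing the key.
    """
    tag = hmac.new(shared_key, canonical_bytes(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "mac": tag}


def verify_message(message: dict, shared_key: bytes) -> bool:
    """Recompute the tag and compare in constant time."""
    payload = message.get("payload")
    if not isinstance(payload, dict):
        return False
    expected = hmac.new(shared_key, canonical_bytes(payload), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking which bytes of the tag matched via timing.
    return hmac.compare_digest(expected, str(message.get("mac", "")))


def demo() -> dict:
    """Run the happy path and two failure cases; returns a summary dict."""
    # Constructed sample payment payload; the nonce is what lets a receiver
    # reject a replayed copy of an otherwise valid message.
    payload = {"order_id": "EXAMPLE-1001", "amount": "49.90", "currency": "EUR",
               "nonce": "example-nonce-0001"}
    signed = sign_message(payload, SHARED_KEY)

    # Case 1: untouched message verifies.
    valid = verify_message(signed, SHARED_KEY)

    # Case 2: an attacker on the path changes the amount; the tag no longer matches.
    tampered = {"payload": dict(signed["payload"], amount="0.01"), "mac": signed["mac"]}
    tampered_ok = verify_message(tampered, SHARED_KEY)

    # Case 3: a party without the shared key cannot produce an accepted tag.
    forged = sign_message(payload, b"some-other-key")
    forged_ok = verify_message(forged, SHARED_KEY)

    return {"valid": valid, "tampered": tampered_ok, "forged": forged_ok}


if __name__ == "__main__":
    print(demo())
```

    The MAC covers a canonical serialization, so both sides must agree on that encoding; if the receiver reparses and reserializes differently (key order, whitespace), legitimate messages will fail verification. The nonce field is included to show where replay protection hooks in; the receiver would additionally have to remember seen nonces or bind a timestamp, which this example leaves out.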
  • About not checking certificates or even signatures, bitsquatting is a way too easy way to steal data when users are involved and there is no authentication method for the server end. One team used that method to "steal" tons of confidential information from banks etc. Well, I don't know if it's really stealing, senders just sent information to the wrong address.
  • Added to Kindle: Innovator's Dilemma by Clayton Christensen.
  • Had a long discussion with a friend about a service he's building using Twitter Bootstrap, Symfony and MongoDB. I'll add a link to that site when it's launched.
  • I often feel that I'm not reading and learning nearly enough, I know nothing! I also have this long endless reading backlog. But when I started cleaning up my Kindle library from books that I have read, I really got surprised, so much reading DONE! - Unbelievable. I can be very demanding about performance requirements, but it's nice to get positive feedback (for myself for a change).
  • I have played with TeamLab and used it to manage some of my own projects. Seems to be pretty nice tool.
  • Interesting news: Facebook is building its own advertising network. In Germany you could be held responsible for passing on encrypted data, even if you don't have any clue about its content or encryption key.
  • Performance analyzed one application which uses an SQL database as the data source for analysis. As a result we got a nice performance boost.
  • Studied db X-trackers synthetic swap-based index ETFs aka (ETF 2.0), substitute basket, swap counterparty, UCITS III, etc. 
  • I wrote earlier about using HSTS, now it's becoming a standard.
  • This is nothing new, but this should make us all think about it:
    New York Times - Trying to Keep Your E-Mails Secret When the C.I.A. Chief Couldn't
    Bruce Schneier - E-Mail Security in the Wake of Petraeus
  • Had a few long discussions with a friend about the economic situation in Europe. Does an increase in money supply cause inflation or not, are interest rates lower than real inflation, etc. Then we had an even longer discussion about different game money systems and how hard it is to properly control money supply even in these small closed environments. It's simple in theory, but in reality it's hard.
  • Noticed that at least Windows Server 2008 R2 Datacenter edition has some kind of refresh failure with File Manager. I have a log file that grows at a constant rate when running my integration tasks. If I refresh it every 5 minutes, for some reason it doesn't always give me the latest file stats. Yes, it might be because I'm buffering writes into larger chunks, but no, it's not that. Because if I hit refresh twice in a row, I get the right information. I don't know why, but pressing F5 for refresh doesn't actually bring up the latest file size on screen, only pressing F5 twice does. I did this so many times that I'm absolutely certain it's not my app's buffered writes which cause this; I also used very infrequent intervals for testing this.
  • Quickly checked out: Google Cloud Messaging (GCM), no I don't have any use for it right now.
  • Read: Long article about future technologies: 3D printing, Internet of Things (IoT), Universal identification (UID), Ubiquitous computing, Pervasive computing, nanotechnology and biotechnology. I can't yet decide which is going to bring the larger change, nano or bio tech. Any ideas?
  • Refreshed my memory about fiber networking: (D)WDM, connectors, speeds, single mode, multimode, distances, etc...
  • Had a long technical discussion with friends about the benefits of multitenancy architecture vs multi-instance architecture.
  • Checked out European Union regulations and standards for encryption solutions / algorithms and software, data erasure procedures. - During one project I was required to use ridiculously expensive certified SSH software. OpenSSH is not secure, they say.
  • Studied: WSClock, MIN and OPT cache (page) replacement algorithms.
  • Read this article about git-scm smart http.
  • I still have this home renovation process going, so unfortunately I don't have much time for my computer stuff, as you might have noticed. ;)
  • Tried the Viaplay streaming movie / TV service. They required the Silverlight plugin. Sorry, I can't accept that. - Cancelled.