Authentication, Documentation, TCP, UX, Outlook

  • Smart Card vs Mobile Authentication vs Bank Authentication - Thank you open data. I were saying that "nobody uses smart cards" but because there's Open Data policy in Finland, I found out the exact numbers. 92% of authentications were made using Bank Authentication (TUPAS), 7% of authentications were made using Mobile Phone Authentication and around 1% using national Identity Smart Card. Here you have guys. Statistics are dated Fall 2019.
  • CVE-2019-6145 - A great example of risks of user access, paths and privilege escalation, bugs and or misconfiguration.
  • Non-programmer documentation. Found one technical description say that strings should be stored in format ''string"... Oh yeah, it's obvious that they aren't programmers. Because that doesn't make sense whatsoever. Classic example why I usually say that I don't want documentation, I want production quality samples. Because documentation or normal samples, won't be any good when starting to deal with production later. Also using different quote types is another failure in same document, clearly Mac users, because nobody else does that. “quoted” <- I've seen even some bug reports where people complain that double quotes aren't working. No, of course not, you're doing it wrong. " to you! '' is not " nor " is “ or ”. Phew. Also `´' of course aren't equals. Also in Python type hints -> has become → which is obviously wrong. Another funny thing, values are integers like "123" or decimals as "123.321". Ahem, but that's a string, not a number. Let's see if they can decide if they want a number or strings which contain something which can be interpreted as integer or decimal. I just love sketchy documentation. In this case I didn't expect it to be that bad but, yeah, as usual. But as I've said earlier, documentation is always bad, please send me correct data. Especially companies with "documentation department" often make something which makes me laugh and cry. If the same person who wrote the code, writes the documentation, then there's even a slight change it being correct. Interestingly this applies to the next bullet point as well. Interestingly they say that Boolean values are typed as strings "true" and "false" and that seems to be true. Those are actually stings saying true or false and not JSON Boolean values True or False.
  • TCP sockets refuse to die - Also the TCP_USER_TIMEOUT stuff sure, is confusing. And that's the reason why source code is the only real documentation. Nice details, and the usual observation, that source code, reverse engineering and testing is the only way to find out how things actually do work. Cloudflare's settings are extremely aggressive. Personally I prefer keep-alive interval bit below 3 minutes, so it avoids problems of NAT firewalls from forgetting the session. At least Ubuntu uses default keeplive_time of 7200 seconds, which is two hours. After that probes start going out every 75 seconds and repeat 9 times, before connection is closed. I haven't ever heard of TCP_USER_TIMEOUT but it's good to know about it as well. Personally I do prefer application level pings, which also confirm that the process is actually working and responding, instead of the TCP stack only being available. In the article they've referenced, it says tcp_keepalive_time defaults to two hours, agreed. Yet this linked story was also really interesting one. Really a good read. Stuff happens when you dig in.
  • Bad user experience? It seems that OVH is making everything they can so you really couldn't use your loyalty points. If you use automatic service renewal there's no way you can use loyalty points. You'll need to disable renewal for some of the services, and then manually renew those to utilize loyalty points. Sounds like a strategic plan to make most of customers to completely forget about their loyalty points, even if those would be worth of several thousands of euros. Duh! Dark patterns, a-hole business strategy.
  • Mobile - Why Spam / Junk email folder got "Archive" and "Delete" buttons. Why not "Move to Inbox" and "Delete" buttons? Just wondering. Also does moving messages to Archive / Inbox mark mail as non-spam? Does deleting keep the spam status? Nobody knows, documentation doesn't say and it's closed source. - Same problems as with many other entries in this post. Nobody knows and it's hard to find out. Why mobile apps says "Spam / Trash" when web ui says "Junk email / Deleted items", everything's so inconsistent. Also the email filters do not applied mail classified as spam. So you can't use filters to tell system which mail isn't spam. There are separate controls for that, but those lack so many features that are utterly useless.