FIDO2, Hosting, Networking, LC4, MixCloud, Duplicati, SQL, GDPR, SPLA

  • One comment about FIDO2 & WebAuthn. My initial thought was just to buy the USB security "key / token / authenticator" as a backup device, which I could use in case there's a problem with TOTP. But the user experience (UX) is just way too good for that. It took just a few days before the authenticator became my most preferred authentication method for all services which support it. Compared to that, TOTP / SMS code based 2FA, MFA, 2SV is a horrible solution. Having service specific apps is even worse than that.
  • Got integration running on Amazon, Microsoft, Google and some other smaller cloud vendors like OVH. Most of the installations are on Windows Servers, but there are a few cloud (serverless + cloud database, RESTful) & Linux based setups too. It's not that big a difference after all. Something in, something out, some mapping / transformation, state storage between requests and a bit of business logic. That's what most programs are all about.
  • One team said that the protocol the customer is asking for is impossible. I said, what? - Impossible? - Let me see. Just two days later, I've got it all working perfectly using Python ThreadedTCPRequestHandler. Why would any protocol over TCP be impossible? Or over UDP or any other networking protocol? It's just data in, data out and some state. It's all about whether you're up to the task or not. I guess there are many developers who aren't aware of the networking basics anymore, and say that basic stuff like this is impossible. If it's not RESTful, then it's impossible. Writing the protocol implementation in Python was a breeze. Everything that was specified was easy to implement according to the requirements. Just the details NOT being specified were a bit more challenging, but that's not a real problem. - Now it's all done.
  • Checked out ElsieFour (LC4), a low-tech authenticated encryption cipher which can be computed by hand and is still hard to break. It naturally reminded me of the Solitaire cipher. All paper & pen ciphers are so painful to use that you'll really need to be hiding something important if you bother to go for it. The full LC4 PDF document was a good read.
  • All of the core concepts of LC4 have been implemented in a few toy projects we've been doing with friends: key, nonce, a random complex internal state producing mutable S-boxes and so on, plus a few other basic / obvious tricks which just happen to be compute intensive. I liked the full PDF's statistical approach to different problems. Finally there's the improved Python implementation, LS47, which implements the first thing I immediately thought was missing from LC4: a key derivation algorithm using the already existing components, which is exactly what ls47 implements in derive_key using the principles of LC4. Then there are the alternate marker modes, Kaminsky or Kratochvil: is the marker moved along with the tile rotation, or does it remain at the same coordinates on the grid while the tiles move under it? But I really don't know what the practical security effect is.
  • About MixCloud usability: no, the listen later list doesn't auto "extract" into the play queue when it's empty. Duh! Also when manually moving stuff from listen later to the current play queue, the entries remain in the listen later list. Hmm. So many clicks, such bad UX. Typical, just so typical. How about making an options and settings page which would allow selecting a few logic options?
  • Currently Duplicati 2 does huge compact runs, which can take dozens of hours. I would prefer an operation where the compaction would be split into smaller tasks: more often, but less at once. As far as I can see, that's not an option with the current implementation; the only option is to run a full compact. I do know running compacts more often is technically a bit less efficient, but it's still the better option in some cases.
  • Microsoft SQL Server 2017 fails to start & install: "Error description: Wait on the Database Engine recovery handle failed. Check the SQL Server error log for potential causes." So much joy.
  • Duplicati backup integrity checks seem to be failing. This is pretty bad: an efficient de-duplicated backup can be great, but it can also be an absolute disaster if data integrity fails. Not good at all. Also it seems that the repair and purge-broken-files features are broken, as mentioned earlier, and do not get the job done properly, unfortunately. Yeah, that's really fked. Restore completely fails if there's any corruption in the data set. That's a really huge hazard.
  • Enjoyed working with even more GDPR related documentation and reviewing software for GDPR compliance. Sometimes it's easy, sometimes it isn't.
  • Also enjoyed dealing with Microsoft SPLA audits, oh joy. Yet another reason not to use Microsoft products. As usual there wasn't anything wrong or to be fixed, but the process is still tedious and annoying.
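As an added example for the "custom protocol over TCP" point above (this is not the customer's protocol, whose details aren't in the post, and not code from the project): a small threaded TCP server built on Python's standard `socketserver` module, which is where the `ThreadedTCPRequestHandler` name in the documentation example comes from. The wire format (2-byte length prefix + command byte), the command set, the names and the port handling are all constructed for this example. It shows the three things the post boils a protocol down to: bytes in, bytes out, and state kept between requests on one connection. It also shows the one defensive check a length-prefixed protocol always needs: a cap on the length field, so a peer cannot make the server allocate or wait for a frame it never intends to send.

```python
import socket
import socketserver
import struct
import threading

# Constructed toy wire format for this example (not the customer protocol
# from the post): 2-byte big-endian length prefix, then the payload.
# Payload byte 0 is a command, the remaining bytes are its argument.
#   0x01 <name>  remember a display name for this connection
#   0x02         greet using the remembered name
#   0x03         report how many commands this connection has sent
HEADER = struct.Struct("!H")
MAX_FRAME = 4096  # well below the 65535 the header allows: never trust a length field


def frame(payload):
    """Prefix a payload with its length."""
    return HEADER.pack(len(payload)) + payload


def recv_exact(stream, n):
    """Read exactly n bytes from a buffered binary stream; None on EOF."""
    data = stream.read(n)
    return data if len(data) == n else None


def handle_command(state, payload):
    """Pure protocol logic: (per-connection state, payload) -> reply bytes.
    Kept free of socket code so it can be tested without a server."""
    if not payload:
        return b"ERR empty"
    cmd, arg = payload[0], payload[1:]
    state["count"] = state.get("count", 0) + 1  # state carried between requests
    if cmd == 0x01:
        state["name"] = arg.decode("utf-8", "replace")
        return b"OK"
    if cmd == 0x02:
        return b"HELLO " + state.get("name", "anonymous").encode("utf-8")
    if cmd == 0x03:
        return b"COUNT %d" % state["count"]
    return b"ERR unknown command"


class ProtocolHandler(socketserver.StreamRequestHandler):
    """One instance per connection; the server runs each one in its own thread."""

    def handle(self):
        state = {}
        while True:
            header = recv_exact(self.rfile, HEADER.size)
            if header is None:
                return  # peer closed the connection
            (length,) = HEADER.unpack(header)
            if length > MAX_FRAME:
                self.wfile.write(frame(b"ERR frame too large"))
                return  # drop the misbehaving peer instead of buffering for it
            payload = recv_exact(self.rfile, length)
            if payload is None:
                return  # truncated frame
            self.wfile.write(frame(handle_command(state, payload)))


class ThreadedServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True


def read_reply(stream):
    """Read one framed reply from the server."""
    (length,) = HEADER.unpack(recv_exact(stream, HEADER.size))
    return recv_exact(stream, length)


def client_exchange(host, port, payloads):
    """Send each payload as one frame on a single connection and collect the replies."""
    replies = []
    with socket.create_connection((host, port)) as sock:
        rx = sock.makefile("rb")
        for payload in payloads:
            sock.sendall(frame(payload))
            replies.append(read_reply(rx))
        rx.close()
    return replies


def oversize_probe(host, port):
    """Announce a 60000-byte frame and send no body; the server must refuse, not wait."""
    with socket.create_connection((host, port)) as sock:
        sock.sendall(HEADER.pack(60000))
        rx = sock.makefile("rb")
        reply = read_reply(rx)
        rx.close()
    return reply


def run_demo():
    """Start the server on an ephemeral loopback port, run both clients, stop it."""
    server = ThreadedServer(("127.0.0.1", 0), ProtocolHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    host, port = server.server_address[0], server.server_address[1]
    try:
        return {
            "session": client_exchange(host, port, [b"\x01alice", b"\x02", b"\x03", b"\x09"]),
            "oversize": oversize_probe(host, port),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(run_demo())
```

Keeping `handle_command` free of socket code is deliberate: the protocol logic can then be exercised with plain byte strings, and the handler loop only has to get framing and the length cap right. The same split works unchanged for UDP (`socketserver.ThreadingUDPServer`), where each datagram is already a frame.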
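Added example for the LC4 notes above; this is my own Python sketch, not code from the LC4 paper or from the ls47 project. It implements the LC4 state machine (6x6 grid of tiles, marker, nonce absorbed first, signature appended for authentication) with both marker modes discussed above as a flag: `marker_moves_with_tile=True` lets the marker ride along when its row or column rotates, which is how I read the LC4 paper, and `False` keeps the marker at fixed grid coordinates while the tiles move underneath. The rotation order (plaintext tile's row right, then ciphertext tile's column down, then marker jump by the ciphertext value) follows the paper as I recall it, so check against the paper's test vectors before relying on the exact ciphertexts; the demo key, nonce and signature string are constructed. What the round trip shows is that either marker convention is self-consistent, so the two modes are simply incompatible variants of the same cipher; the example does not settle their relative security, which the post also leaves open.

```python
import random

# LC4 alphabet: 36 tiles, value v starts at row v // 6, column v % 6 of the grid.
# Key, nonce, plaintext and signature all use this alphabet only.
ALPHABET = "#_23456789abcdefghijklmnopqrstuvwxyz"


class LC4:
    """Minimal LC4 state machine with a switch for the two marker conventions
    (assumed mapping: True = marker rides with its tile, as in the LC4 paper;
    False = marker stays at fixed coordinates, the alternate mode ls47 describes)."""

    def __init__(self, key, marker_moves_with_tile=True):
        if sorted(key) != sorted(ALPHABET):
            raise ValueError("key must be a permutation of the 36-character alphabet")
        vals = [ALPHABET.index(ch) for ch in key]
        self.state = [vals[r * 6:(r + 1) * 6] for r in range(6)]  # 6x6 grid of tile values
        self.marker = (0, 0)
        self.rides = marker_moves_with_tile

    def _find(self, value):
        for r in range(6):
            if value in self.state[r]:
                return r, self.state[r].index(value)
        raise ValueError("tile not in grid")

    def _rotate_row_right(self, r):
        row = self.state[r]
        self.state[r] = [row[-1]] + row[:-1]
        mi, mj = self.marker
        if self.rides and mi == r:
            self.marker = (mi, (mj + 1) % 6)

    def _rotate_col_down(self, c):
        col = [self.state[r][c] for r in range(6)]
        col = [col[-1]] + col[:-1]
        for r in range(6):
            self.state[r][c] = col[r]
        mi, mj = self.marker
        if self.rides and mj == c:
            self.marker = ((mi + 1) % 6, mj)

    def _update(self, plain_row, cipher_value):
        # Same for encryption and decryption: rotate the plaintext tile's row right,
        # rotate the ciphertext tile's (new) column down, jump the marker by the
        # ciphertext value. Both sides therefore evolve identical state.
        self._rotate_row_right(plain_row)
        _, c_col = self._find(cipher_value)
        self._rotate_col_down(c_col)
        mi, mj = self.marker
        self.marker = ((mi + cipher_value // 6) % 6, (mj + cipher_value % 6) % 6)

    def _encrypt_value(self, p):
        r, c = self._find(p)
        m = self.state[self.marker[0]][self.marker[1]]
        cv = self.state[(r + m // 6) % 6][(c + m % 6) % 6]
        self._update(r, cv)
        return cv

    def _decrypt_value(self, cv):
        x, y = self._find(cv)
        m = self.state[self.marker[0]][self.marker[1]]
        r, c = (x - m // 6) % 6, (y - m % 6) % 6
        p = self.state[r][c]
        self._update(r, cv)
        return p

    def _absorb_nonce(self, nonce):
        # The nonce is encrypted first and its output discarded: it only stirs the state.
        for ch in nonce:
            self._encrypt_value(ALPHABET.index(ch))

    def encrypt(self, nonce, plaintext):
        self._absorb_nonce(nonce)
        return "".join(ALPHABET[self._encrypt_value(ALPHABET.index(ch))] for ch in plaintext)

    def decrypt(self, nonce, ciphertext):
        self._absorb_nonce(nonce)
        return "".join(ALPHABET[self._decrypt_value(ALPHABET.index(ch))] for ch in ciphertext)


def encrypt_authenticated(key, nonce, message, signature, **mode):
    """LC4-style authentication: a signature string is appended before encryption."""
    return LC4(key, **mode).encrypt(nonce, message + signature)


def decrypt_authenticated(key, nonce, ciphertext, signature, **mode):
    """Return the message, or None when the signature does not reappear: any change
    to the ciphertext derails the shared state, so later characters decrypt to garbage."""
    plain = LC4(key, **mode).decrypt(nonce, ciphertext)
    return plain[:-len(signature)] if plain.endswith(signature) else None


def demo_key(seed=2019):
    """Constructed demo key: a seeded permutation. Real keys come from dice or a CSPRNG."""
    tiles = list(ALPHABET)
    random.Random(seed).shuffle(tiles)
    return "".join(tiles)


if __name__ == "__main__":
    key, nonce, sig = demo_key(), "7vkw5h", "#examplesig"
    for mode in (True, False):
        ct = encrypt_authenticated(key, nonce, "meet_at_9", sig, marker_moves_with_tile=mode)
        print(mode, ct, decrypt_authenticated(key, nonce, ct, sig, marker_moves_with_tile=mode))
```

The authentication here is the paper's mechanism as the post describes it: the receiver only accepts a message whose decryption ends in the agreed signature, because a single altered ciphertext tile changes which row and column rotate and where the marker jumps, after which nothing downstream decrypts correctly. That is also why the nonce matters: without it the first characters of two messages under the same key would share state.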

2019-09-29