H2, Ryzen, JottaCloud, KNOB, Kill Chain, RNG, Any over Any, Duplicati

• HTTP/2 (HTTP2, H2) Denial of Service (DoS) @ Cloudflare Blog. Well, just as expected. HTTP/2 @ Wikipedia leaves lot of room for optimization, but because it's really complex protocol, it's also totally expected that there are some vulnerabilities around. That's exactly what they've found. Netflix originally discovered these problems. Almost anything which computes or stores something can be utilized for resource consumption attacks, and if powerful enough become resource exhaustion attacks, unless properly rate limited. As well as all kind of timeouts can be utilized to tie up resources intentionally.
• Did run extensive benchmarks on new Ryzen 7 3800X setup. I personally don't care about gaming performance, but data processing performance is quite important. That's why I often use 7-zip for benchmarking, because it's a good and heavy load for CPU & RAM as well as using LZMA2 is can be efficiently parallelized to utilize full system performance. Full 7zip Ryzen7 3800X 8-Core Processor (16 threads) test results @ SourceForge.
• Fixed issues with integration using JottaCloud API, JottaCloud suddenly started to identify users using user_id instead of using email as user-identifier. I like that, because I've always hated as "email as id" anyway. The new user id is 96 bits long random value. There's also field called user_hash which is 256 bits long value, which probably means SHA256, but that's just a guess. I tried hashing my email address, but the result didn't match. Tried also sha3-256, but yeah. Guessing is totally pointless. Personally I would probably use some keyed hash.
• Wondering if the Bluetooth KNOB Attack is practical. Is it possible to receive the message partially and then corrupt rest of the message so it disappears and then resend modified message? I think it depends on protocol, and if the protocol allows that, then it's just about getting the timing exactly right. But that's doable, if the protocol allows that.
• Information Operations Kill Chain - Good timing, after reading this, it wasn't long until Twitter released this notice about Information Operations directed at Hong Kong. Just following out of curiosity. Information operations are hardly anything new.
• Read AMD Random Number Generator technical documentation, interesting stuff, yet my I'm not that kind of hardware / electronics guy. Having 16 ring oscillator chains must be fun anyway. kw: Entropy Conditioner, Noise Source, AES-256 CTR_DRBG, Zen, EPYC, Ryzen, IST SP 800-90, AMD Secure Processor, RNG, TRNG
• DNS over Tor, DNS over SMS, DNS over email, DNS over Telegram, DNS over Twitter and so on, made me smile. But anything over anything is really old concept. If you can relay information, it doesn't anymore matter what the information actually is, it can be relayed. kw: smoke signals!
• Made some history data restores with Duplicati which worked fine. But found another illogical annoyance. Backup sets for archival are created without encryption key, using --no-encryption parameter. But guess what, when you're restoring the data, Duplicati asks for encryption key. Well, I added --no-encryption to restore command, and it still asks for encryption key. Duh. I tried entering empty encryption key, and it says that empty encryption key isn't allowed. Ugh. What now? Answer is simple, you'll just need to provide any encryption key, and restore will work out. It's not being used, but it's still required. If you don't provide the no-encryption parameter. Program asks for encryption key says on RESTORE that you're trying to add encryption to unencrypted backup set. Well, no I don't. I'm restoring, not backing up. This is totally messed up logic. Multiple overlapping logical failures, true awesomeness. kw: Sigh, annoyance, usability, user experience, bad logic, blah, engineering?

2020-08-30