HighwayHash, Tor, Mobile Auth, Agile, Facebook, WiFi

  • HighwayHash - Really fast hashing algorithm, roughly 11x faster than Blake2b and roughly 28x faster than SHA256. It utilizes the CPU's AVX2 instruction set. It also scales very well across multiple cores / threads.
  • Tor Manual - Read the whole manual and studied every parameter to know the Tor network and its features better.
  • Security, Organization, Procedures, Culture - Boeing 737 Max case, just reading the latest long article about it. Personally my opinion is that it's totally normal and that happens. My experience is that everybody mostly hates people who even mention security or testing. The customer wants this to be done quickly and cheaply, without wasting resources. Random changes are implemented here and there, and if we're lucky, some tests are run before production, but just as well it can be that no tests at all are done. Afaik, that's normal and common. It's organization, humans and priorities. Let's get this quickly done, if you don't understand what it's about, just accept it and it's ok, you'll get paid. Maybe someone more competent in the chain will fix it, it's not your work to worry. And now we've distributed the responsibility so that the end result is collateral damage from the process and actually no-one is responsible for it. Sure, there's a bunch of people who didn't care about anything, but they just wanted to get paid, and continue surfing kitty pictures. Nobody took any malicious action, so there's nobody to blame. - Somehow this reminds me of one Tweet I read a week or two ago. It doesn't matter if the software is vulnerable or the firewall is misconfigured, that's why we're paying for an expensive endpoint protection system. Hmm, yep. So what, someone else will fix it. It's not my problem. In such an organization, if someone tries to do things properly and complains about things being sloppy, the person is seen as a problem. Everyone's just happy about the way things are working, because they're getting it (seemingly) easy. Btw. This is nothing new, this is documented over and over again in different disaster investigations.
  • Long discussions about mobile-authentication versus Yubikey versus FIDO2 U2F with a few colleagues. I personally think all of these protocols have similar kinds of issues. Not actually signing the message and trusting third-party authentication. Very generic trust / misleading discussion. Which are the parties you trust, and why, and what kind of actions can be taken to deceive the user so that the end user authenticates something, without knowing what exactly they authenticate.
  • Had a long, interesting discussion about Scrum and the Agile process in general. The more you define and tie down the process, the less agile it becomes. It's kind of funny to hear that an agile process is a strictly defined protocol to follow. True agility is that you'll get done now what needs to be done, and forget slow and stiff protocols to follow. Sometimes when projects are hectic, things are done in a few hours or even minutes. It's not agile at all if the thing that was needed yesterday will be pushed into the next sprint. In the best cases, the change is in production already before the customer requesting the change hangs up. That's why CI is so awesome. Figure out what's needed, do changes, run tests, and deploy. Done.
  • Facebook broke the news: users of Facebook shouldn't expect any privacy, therefore Facebook can't breach privacy. That's a nice way of saying it. Who still continues using Facebook? Or should we ask, who didn't clearly see this in the very beginning, and why did they still even start using Facebook?
  • Studied mesh WiFi access point solutions. Personally I like having every access point wired. Meshes are, well, bad solutions in case there's any need to provide good performance and bandwidth for the network. Radio spectrum is limited, and links between mesh access points consume that spectrum. Not a great idea at all. - Reading on one forum there was a great comment: "Everything without wired backhaul is 100% SH*T." - Yup, agreed.
  • One customer said they want seamless WiFi roaming, afaik that's not possible without using specialized hardware, i.e. a combination of controller, base stations and WiFi adapters. As mentioned, seamless roaming means zero hiccups, which means that the WiFi adapter needs to be already connected to the new network before leaving the old one. Basically just telling the controller to route the data via the new access point instead of the old one. Of course this kind of setup would also allow using more than one access point at one time, especially if the WiFi adapter is fitted with dual radios. Sure, there's nothing preventing doing that. Yet this hardware is probably a lot more expensive. Maybe some industrial provider does provide truly seamless WiFi roaming. Yet, if the communication is that critical, why would they use ISM band radios?

2020-07-26