HTTP/3, CyberBunker, FIDO2, Data as a liability

  • I couldn't quickly find how HTTP/3 window size is defined, I guess it should read in QUIC specification, but it only says auto-tuning. Nice. I'll have to keep that in mind when writing project documentation. System works automatically, and if it doesn't you're screwed. No further details are necessary. That seems to be the policy with so many systems already. "No user serviceable parts inside". Anyway, I guess because of Google, that it would be pretty close to BBR. Of course I did find information about frames: WINDOW_UPDATE, CONGESTION_FEEDBACK and BLOCKED frames.
  • Re-read the HTTP/3 explained to completely refresh my memory and get updates about latest changes. Great reading if you haven't read it already. Good, easy and fast read. There was nothing new in it. It's nice that in the very intro they mention that QUIC can be used for other things than HTTP transport alone. - Yet this leads what I've said earlier. Protocols get so complex, that there will be a very few full up to date implementations out there. And there will be security, resource and other problems. Denial of Service attacks based on flaws on implementations & design etc. There's a lot of state to maintain on both side server & client. When it "just works" it's already complex and adding optimizations will add even more complexity. Yet I found two links at the end of document which I've been looking for. Congestion Control and QPACK. I'll have to read those bit later in detail.
  • Cyber Bunker bust. Not that unexpected. Great example why service which claim to provide anonymity or privacy, actually usually don't actually hold their promises. Because story often goes to that direction if they try to keep their promises.
  • How2factor - 2FA made easy - Simply a good basic guide, nothing new in it.
  • Just wondering about FIDO FIDO2 level2 (l2) authenticators utilizing biometrics from eWBM. Is there anything stopping it from also requiring a PIN code with a fingerprint? It would make it true MFA, something you are, something you have, something you know. Of course this would be an extra security option, which would trade bit of great user experience for a better security.
  • Data as a liability. Just thinking about Slack & Teams. Those store everything forever. Data can't be used by anyone legally, unless there's serious crime investigation. But it's inadvertent release could still create big problems. Is it still worth of retaining it forever? / Snowden Permanent Record. Just wondering sanity of these practices. Of course it should be highly unlikely. - Also again, Teams presents excellent example of really bad UX and incompetent developers. Each message requires first focus, then a little delay, then you can select extra options, and then delete. This will take around one second per message. Just wondering how expensive deleting messages practically is if you factor in salary costs. Even after this undo option is available, meaning that the procedure is utterly inefficient and technically incorrectly implemented. Depending on chat content, this also breaks several laws. - Pretty much in par with Facebook and it's illegal practices. Anyway, this eternal logging and snooping on most of platforms is something I can't understand at all. Yet another reason to run your own clients, servers and infrastructure. Proper client side encryption, limited history on clients, encrypted storage, no message logs on servers / no storage on servers / no metadata logs on servers. - Sometimes people consider chat being better option than email, but in some cases it's much worse. - Yet on the other hand, it's great to review all messages from a year, yearly. And think about the fact if the messages contain any data which shouldn't be there. - Teams sounds like real productivity product, when you can use days / month, just to maintain chat history. Haha, classic Microsoft. Not sure if stupid or trolling. - Accessing old messages is also so extremely badly implemented, that (slow infinite) scrolling alone can take an hour. Even putting something on page up button is really slow due the application latency. It's hard to find enough negative words about this Teams software. - My estimate is that it takes about 4 seconds / message to delete. That's a lot! Also it's fully interactive process and prevents user from doing anything else.
  • Darknet Diaries 47 - Project Raven - Dark Matter Project, Karma Project, iPhones, SMS hacks, etc. Yes, there are many kind of espionage and intelligence projects going on. No surprises there.