InfoSec, Firefox, CSV, Versioning, Telegram, Customer Service, MITM

  • There's lot of writing in news, how Finland is suffering form lack of Information Security Professionals. And how there should be additional education. I personally think that InfoSec is something which is extremely deep, and you can't just learn it in school. It requires decades of long nights and weekends to learn it properly and being in right circuits. If you're just "working there", you'll never be good one. That's the problem with many people as well as many fields, which change and require deep understanding of stuff. It also requires lifestyle and right attitude. It's like sports or anything else, which requires high skill and lots of learning. - Problem is also that when you're working on something, you're in performance mode. When do you have time to be in learning mode, well, that's the evenings, nights and weekends.
  • Finally updated all Windows Firefox to 64 bit version. Phew, it took a long time. I've been using 64 bit Firefox on Linux for a decade already (!).
  • The Absurdly Underestimated Dangers of CSV Injection Pretty awesome post. But this is nothing new, it's exactly what I've been saying earlier. When you make things too powerful and complex, this is exactly what you get. Nothing new, nothing unexpected. Keep it simple and there won't be problems like this.
  • Some guys claimed versioning is hard. I helped them, now they got post-commit hook configured so, that the version information is always up to date. This information is included in the project, when the code is compiled and packaged for delivery. Earlier they used to have multiple versions with exactly same version information often, because they forgot to update this info.
  • Telegram 4.4 brought live location. It's quite nice features. No more more or less useless messages like where are you all the time.
  • I so much appreciate lying customer services. Server at OVH has been working for years. Then it loses IPv4 connectivity. I made a ticket about it. They wanted to charge extra because there's no IPv4 gateway defined. Well, all of the servers are running with DHCP and none of those got gateway defined, of course. Because information is obtained using DHCP. Then they said, it's my fault that the connectivity is lost because there's no gateway. Well, yeah. True. There's also no IPv4 address, etc.
  • Can't stop loving the "best practices" in industry. In this case it's advised that every user of database should have ServerAdmin role, which reduces problems with user rights. Can't stop laughing. But actually this is quite horrible. Anyone how obtains any credentials for the server, always gets account with ServerAdmin access. This pretty much reflects the reality, in the discussion "perfect security fantasy illusion" versus "daily reality security parody". Principle of maximum privilege. kw: security, industry, best practice, infosec, data security, administration, administrators, configuration, secure.
  • Bruce Schneier posted that he find hard to find things to blog about. Why? Well, just as in my blog. So much same stuff repeats, and because DRY (Do not repeat yourself). It doesn't make sense to repeat the same and classic security fails, project fails, management fails, etc, which happen over and over again. It's more or less the same, just with very small differences and twists. Bad code, bad security, bad configuration, bad planning, badly managed projects, and so on.
  • Tor MITM. Some people claim that using SSL / TLS / certificates would solve the problem. No, it wouldn't. Because the user is on wrong site to begin with. SSL wouldn't help at all. So that's a lie. Otherwise there's nothing special about this, and this should be obvious to everyone. This also shows that the MITM attacker is active, lazy and tries to reduce site latency. Which are all very normal engineering aspects when writing something like that. I might have had pre-generated address pool, to draw the addresses from, to reduce load time. Or maybe just generating new address every minute or so. Because if the addresses are generated on the fly, and it's slow. It allows one simple path triggering DDoS the MITM server, just requesting new addresses from it. It's also obvious to rate limit every function which is even slightly resource intensive.