NTFS, Crypto, EMV, Open Data, SSL, OPM, SLAAC, exFAT prealloc
Post date: Oct 1, 2014 2:44:54 PM
Reminded myself about: USN Journal, NTFS Journaling and Cryptography: Preimage attacks, Pre-play attacks
Why did I remind myself about file system journaling? Because I've been investigating a case where database journaling failed catastrophically, causing extensive database corruption. AFAIK, with properly working journaling this kind of event should be extremely rare unless there is a hardware malfunction or broken drivers present.
Studied Cloud Master Data Management. I know about cloud and I know about master data, so combining the two is quite obvious.
My comments.
There are a few interesting things in this article. AFAIK, there's nothing new in it, but I would like to comment on these things:
These flaws are just so bad it's silly:
No PIN - Bad protocol; the chip should sign a nonce or something similar, then it's impossible to fake the authentication.
Pre-play - Again the same thing: the communication pattern between chip and terminal is too predictable.
As well, bad random number generators are something legendary in the security field; of course this completely spoils security.
In the case of a compromised POS terminal with custom-modified attack hardware, it's of course possible to photograph or otherwise scan the CVV / security code printed on the card.
I haven't researched the latest developments in the field, but is it 'sure' that you can't copy the chip? At least if I remember correctly, SIM cards did spill their innermost secrets in the lab, allowing SIM cloning. I assume this could be possible for EMV cards too; it might be hard, but probably it isn't impossible. Similar problems have been present earlier with many other 'secure chips'.
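The pre-play point above is easiest to see in code. The following is an added, simplified model written for this page (not code from the article or from any EMV implementation): the card's application cryptogram is stood in for by an HMAC-SHA256 truncated to 8 bytes rather than the real 3DES MAC, the transaction fields and the 16-byte card key are constructed values, and the weak terminal's "unpredictable number" is a plain counter, which is the kind of low-entropy UN source the pre-play attack exploits. An attacker who briefly holds the genuine card (for example through a tampered POS) asks it to sign the UNs the target terminal is about to use, and a clone with no key later replays those cryptograms. Against a terminal that draws its UN from a CSPRNG the same harvest is useless.

```python
import hashlib
import hmac
import os
import struct

# Constructed transaction values for the demo; DATE is packed as an 8-byte field.
AMOUNT = 1000          # 10.00 in minor units
DATE = b"20141001"


def compute_arqc(key: bytes, amount: int, date: bytes, un: int, atc: int) -> bytes:
    """Stand-in for the EMV application cryptogram: a MAC over the transaction
    data (amount, date, terminal's Unpredictable Number, card's ATC).
    Real cards use a 3DES MAC under a session key; HMAC-SHA256/64 is used here."""
    data = struct.pack(">I8sIH", amount, date, un, atc)
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


class Card:
    """Genuine card: holds the secret key and a monotonically increasing ATC."""

    def __init__(self, key: bytes):
        self.key = key
        self.atc = 0  # Application Transaction Counter

    def generate_ac(self, amount: int, date: bytes, un: int):
        self.atc += 1
        return self.atc, compute_arqc(self.key, amount, date, un, self.atc)


def issuer_verify(key, amount, date, un, atc, arqc) -> bool:
    """Issuer host: recompute the cryptogram and compare in constant time."""
    return hmac.compare_digest(arqc, compute_arqc(key, amount, date, un, atc))


def counter_un(start: int, step: int):
    """Weak terminal UN source: a counter dressed up as a 32-bit number."""
    state = {"n": (start - step) & 0xFFFFFFFF}

    def next_un():
        state["n"] = (state["n"] + step) & 0xFFFFFFFF
        return state["n"]
    return next_un


def random_un():
    """Proper terminal UN source: 32 bits from the OS CSPRNG."""
    return int.from_bytes(os.urandom(4), "big")


def predict_uns(observed, count):
    """Attacker: assume an arithmetic progression, infer the step from the
    last two observed UNs and extrapolate the next `count` values."""
    a, b = observed[-2], observed[-1]
    step = (b - a) & 0xFFFFFFFF
    return [(b + step * i) & 0xFFFFFFFF for i in range(1, count + 1)]


def preplay_harvest(card, uns, amount, date):
    """Attacker with brief access to the real card (e.g. via a tampered POS):
    have it sign each predicted UN now and store the answers for later."""
    return {un: card.generate_ac(amount, date, un) for un in uns}


def clone_transaction(next_un, harvested, issuer_key, amount, date) -> bool:
    """The clone at the genuine terminal has no key; it can only reply if the
    terminal's UN is one it already holds a cryptogram for."""
    un = next_un()
    if un not in harvested:
        return False
    atc, arqc = harvested[un]
    return issuer_verify(issuer_key, amount, date, un, atc, arqc)


def run_preplay(un_source_factory, observe=2, predict=8) -> bool:
    """Full attack against a terminal whose UN generator is un_source_factory().
    Returns True when the issuer accepts the cloned card's transaction."""
    key = os.urandom(16)                                # constructed card key
    card = Card(key)
    next_un = un_source_factory()
    observed = [next_un() for _ in range(observe)]      # watch genuine transactions
    predicted = predict_uns(observed, predict)          # guess the terminal's next UNs
    harvested = preplay_harvest(card, predicted, AMOUNT, DATE)
    return clone_transaction(next_un, harvested, key, AMOUNT, DATE)


if __name__ == "__main__":
    print("counter UN terminal, clone accepted:", run_preplay(lambda: counter_un(0x1000, 0x10)))
    print("random UN terminal, clone accepted:", run_preplay(lambda: random_un))
```

Note that the issuer's check passes for the clone precisely because the cryptogram is valid: the card really did sign that UN, just earlier. Nothing in the MAC ties the signature to the moment the terminal chose its number, so the only defence is a UN the attacker cannot predict.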
Checked out:
Good post about SSL hashes. I have to upgrade my server certs so that SHA-2 / SHA-256 is used. Just updated my server public keys and certificates to use SHA-256 as well as 4096-bit RSA.
Checked out Python PEP 476 - Enabling certificate verification by default for stdlib http clients.
Project Management Office (PMO) as Strategic Partner of Business Management.
Business versus IT or Business with IT. Lots of project management topics: a project can be a failure even if it's technically successful, etc.
Checked out Open PostgreSQL Monitoring (OPM) project. It seems to be a very useful system for people running several database servers.
Studied RFC 7217, Stable and Opaque IIDs with SLAAC. Interesting document, but full of trivial stuff and nothing special or new at all: just basic address collision detection, the address generation algorithm, etc.
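For reference, the RFC 7217 generation algorithm mentioned above in code. This is an added example for this page, not code from the RFC or from any OS implementation: it computes RID = F(Prefix, Net_Iface, Network_ID, DAD_Counter, secret_key) with HMAC-SHA256 as the PRF (the RFC leaves F open, only requiring it to be infeasible to invert), takes 64 bits as the interface identifier, rejects the RFC 5453 reserved identifiers, and simulates Duplicate Address Detection against an in-memory set of addresses so the DAD_Counter retry path runs. The secret, interface names and SSIDs below are constructed values.

```python
import hashlib
import hmac
import ipaddress

# Interface identifiers reserved by RFC 5453 (inclusive ranges); RFC 7217
# requires the generated IID to stay out of these.
RESERVED_IIDS = [
    (0x0000000000000000, 0x0000000000000000),  # subnet-router anycast
    (0x02005EFFFE000000, 0x02005EFFFEFFFFFF),  # IANA ethernet block / proxy mobile IPv6
    (0xFDFFFFFFFFFFFF80, 0xFDFFFFFFFFFFFFFF),  # reserved subnet anycast addresses
]


def is_reserved(iid: int) -> bool:
    return any(lo <= iid <= hi for lo, hi in RESERVED_IIDS)


def rfc7217_iid(prefix: str, net_iface: str, network_id: bytes,
                dad_counter: int, secret_key: bytes) -> int:
    """RID = F(Prefix, Net_Iface, Network_ID, DAD_Counter, secret_key).
    HMAC-SHA256 keyed with the per-host secret plays the role of F here."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC interface identifiers are formed for /64 prefixes")
    msg = b"|".join([
        net.network_address.packed[:8],   # the 64-bit prefix
        net_iface.encode(),               # interface name or index, host-local
        network_id,                       # e.g. the SSID; may be empty
        dad_counter.to_bytes(4, "big"),
    ])
    rid = hmac.new(secret_key, msg, hashlib.sha256).digest()
    return int.from_bytes(rid[:8], "big")   # take the 64 bits SLAAC needs


def stable_address(prefix: str, net_iface: str, network_id: bytes,
                   secret_key: bytes, in_use: set, idgen_retries: int = 3):
    """Form prefix | IID and run a simulated DAD check against `in_use`.
    On a collision, or if the IID is reserved, increment DAD_Counter and try
    again; give up after IDGEN_RETRIES (the RFC's default is 3).
    Returns (address, dad_counter) so the caller can persist the counter."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    counter = 0
    while counter <= idgen_retries:
        iid = rfc7217_iid(prefix, net_iface, network_id, counter, secret_key)
        addr = ipaddress.IPv6Address(int(net.network_address) | iid)
        if not is_reserved(iid) and addr not in in_use:
            return addr, counter
        counter += 1
    raise RuntimeError("IDGEN_RETRIES exceeded; no usable address for this prefix")


if __name__ == "__main__":
    secret = bytes(range(32))   # constructed host secret; a real host draws it from a CSPRNG
    home, _ = stable_address("2001:db8:1::/64", "wlan0", b"home-ssid", secret, set())
    cafe, _ = stable_address("2001:db8:2::/64", "wlan0", b"cafe-ssid", secret, set())
    again, _ = stable_address("2001:db8:1::/64", "wlan0", b"home-ssid", secret, set())
    print("home:", home)
    print("cafe:", cafe)           # same host, other network: unrelated IID, no cross-network tracking
    print("stable:", home == again)
```

The two properties the RFC is after fall out directly: the same host on the same prefix gets the same address every time (stable), while a different prefix or a different host secret yields an IID that cannot be linked to the first one (opaque), which is what modified EUI-64 identifiers derived from the MAC address fail to provide.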
Studied the US8606830 patent - exFAT pre-allocation. They implemented it in a simple and efficient way. It's just interesting to see how long it will take before applications utilize it, because it's unfortunately very common that applications don't utilize pre-allocation and therefore cause unnecessary fragmentation.