Passwords, Interconnect, Data, IoT, Shell, VPN

  • Google mentions that people shouldn't use passwords because they use common words and weak passwords, they reuse passwords, and they give passwords to fraudulent sites. Ahem, sounds like horrible users to me. kw: 2SV, MFA. Sure, FIDO keys are phishing resistant. But I'm kind of worried about the aspect that current solutions do not support full MFA: Fingerprint + Key + PIN. As an example, if I leave the key in place, which is already full of my fingerprints, that's not a challenge for a competent attacker to abuse that key to gain access to protected systems. All it needs is physical access once. If a PIN is required, then physical access would be required twice, or at least a method to capture the PIN when it's entered. Another aspect, from a legal point of view, is that they can use my fingerprint, but they can't legally make me reveal the PIN. So from that point of view those keys are also bad as long as they do not support full MFA (when using passwordless logins). But sure, FIDO / Titan Keys are for sure better 2SV than many other methods. AFAIK, Google doesn't provide passwordless logins anyway.

  • Google also started to offer 100 Gbit/s Interconnect, but still no peering in Finland to Google's data center in Finland. Or maybe that's possible when using partner interconnect, direct peering, carrier peering or dedicated interconnect for a private connection. Yet I guess its costs are probably astronomical.

  • Long discussions about data retention, privacy laws and different countries, companies and tools. During the discussion we went through dozens of in-depth articles about legislation, court cases and decisions, and privacy tools used by users and organizations. This is a matter which isn't going away, and depending on the privacy and secrecy levels required it is a hard or extremely hard issue. But for most normal users there are some easy and quite trivial ways to maintain secrecy levels which protect you from the most basic spying, which is mostly done by the totally open internet giants. And of course, in normal operation the weakest point is often the porous security of end devices. If plain text is available from those, well, it doesn't matter if the data was encrypted during transport.

  • Read a long article about IoT security, nothing new. kw: Hardware-based Root of Trust, Small Trusted Computing Base, Defense in Depth, Compartmentalization, Certificate-based Authentication, Renewable Security, Failure Reporting, PKI, embedded subscriber identity module (SIM, eSIM, e-SIM), embedded universal integrated circuit card (eUICC), Sigfox, LoRa, NB-IoT, LTE-M, STM32 authentication, Mbed SPM, ESP32 eFUSE, ARM iSIM, GSMA, ETSI.

  • Read the CLOCK-pro+ paper "Improving CLOCK-pro cache replacement with utility-driven adaption". I'll check how it works, and if it looks good, I'll update the pyclockpro project to utilize the CLOCK-pro+ algorithm. That would be an interesting and public hobby project. I'm also considering whether list + dict could be replaced with dict alone, because dictionaries have been ordered by default since Python 3.7. Maybe it isn't yet time for that; it would break the library with older versions. Yet it might be slow, just as deque was bad for repeated access using an index. list(dict.items())[2000], ugh.
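As an added illustration of the dict-only idea (this is example code, not code from pyclockpro or from the CLOCK-pro+ paper, and it implements plain second-chance CLOCK rather than CLOCK-pro+), the operations CLOCK needs are all O(1) on one insertion-ordered dict: oldest key at the front via next(iter(d)), delete, and move-to-back by pop-and-reinsert. Only positional indexing like list(dict.items())[2000] is O(n), and CLOCK never needs it. Assumes Python 3.7+ dict ordering.

```python
class ClockCache:
    """Second-chance (CLOCK) cache on a single insertion-ordered dict.

    Dict order is the clock ring: the oldest entry is at the front, where
    the hand points, the newest at the back. Each value is a mutable
    [referenced_bit, payload] pair so a hit never reorders the dict.
    """

    def __init__(self, capacity):
        if capacity < 1:
            raise ValueError("capacity must be >= 1")
        self.capacity = capacity
        self._ring = {}        # key -> [ref_bit, payload]
        self.hits = 0
        self.misses = 0
        self.evicted = []      # evicted keys in order, for inspection

    def get(self, key):
        entry = self._ring.get(key)
        if entry is None:
            self.misses += 1
            return None
        entry[0] = 1           # set reference bit in place, O(1)
        self.hits += 1
        return entry[1]

    def put(self, key, value):
        entry = self._ring.get(key)
        if entry is not None:  # update keeps the key's ring position
            entry[0], entry[1] = 1, value
            return
        while len(self._ring) >= self.capacity:
            self._sweep()      # terminates: each sweep clears a bit or evicts
        self._ring[key] = [0, value]   # new entries go behind the hand

    def _sweep(self):
        """Advance the hand one step: evict or grant a second chance."""
        key = next(iter(self._ring))           # oldest key, O(1)
        ref, payload = self._ring.pop(key)     # delete, O(1)
        if ref:
            self._ring[key] = [0, payload]     # clear bit, move to back
        else:
            self.evicted.append(key)

    def keys(self):
        """Ring contents from the hand (oldest) to the newest entry."""
        return list(self._ring)


def run_trace(capacity, trace):
    """Replay a constructed ('get'|'put', key) trace; return (hits, misses, evicted, ring)."""
    cache = ClockCache(capacity)
    for op, key in trace:
        cache.get(key) if op == "get" else cache.put(key, key.upper())
    return cache.hits, cache.misses, list(cache.evicted), cache.keys()
```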

  • Daily shell fun, wrote a script to monitor web pages in Fish shell. Ah joy, a new and a bit different syntax is always so joyful. But you'll get it done, eventually. This is why I mostly write logic in Python and just execute commands via shell, be it fish, bash, sh, cmd or PowerShell. Python is at least universal. Why did I do that? To watch the Tails page for the 4.0 release coming out.

  • NordVPN server in Finland pwned. Probably via out-of-band management @ Wikipedia, like IPMI, iDRAC, iLO, KVM, LOM etc. Doesn't sound too surprising. I've had a few dedicated servers with iDRAC, and in those cases the server was dedicated but not managed. Which also meant the client is responsible for stuff like updating iDRAC firmware. Just try to guess what percentage of customers bother to keep the iDRAC software updated. I'm pretty sure it's less than 1%. I'm also sure that at least 50% don't change the password or protect the iDRAC interface(s) in any way. By default those are completely open Internet-wide.

  • Something different: Everyday Astronaut Aerospikes. Very nice. I've read about this topic several times earlier. But it's an excellent article if you don't know these issues with rocket engine cooling, exhaust expansion, etc. Also the expansion deflection nozzle @ Wikipedia was a new thing to me. Of course there's a whole article about rocket engine nozzles @ Wikipedia.

2020-10-18