RDS TLS, ISP/ASN, Matrix, Element, Security, SatCom, 7z


  1. Configured bunch of Windows servers to use TLS certificates with remote desktop connection (RDC) making identifying the server(s) easier.

  2. Friend made a nice blog post (@ samip.fi) , when his ISP didn't provide IPv6 he launched his own ISP, that's the way to fix the problem.

  3. Had a chat with friends, Matrix should have option to delete messages in mass from servers. Like delete older than. And there should be option / feature(s) to remove encryption keys based on multiple criteria. Like per user, per room and or globally older than, etc... Just like you can manage browser history nowadays. I would probably set the client to delete messages and forget keys for older than a month in most of chats. Even if the messages would be still potentially on some server(s), the encryption keys for the messages would be lost for good.

  4. The Element client seems to mess up personal and private chats with group chats. That's most likely due to the fact, that "private / personal" chats are just chats with two users. So in technical terms, there is no difference. Yet desktop Element provides command to convert chats betweeen those two options. ref: [ converttodm | converttoroom ]

  5. Enjoyed importing unstructured data, oh joy, this is frustrating process. But I got it done. Lot's of rules, lots and lots. So many, that even if machine learning sometimes sounds ridiculous, maybe it should have been applied to this. Yet, it feels kind of overkill. After all, everything seemed to work pretty well after adding around 200 rules. this and this and not this and integer here... Ouch... If this field contains three strings separated by space, split it, and ...

  6. Security by obscurity, can be seen from many views. In case if it's layered approach, having obscuring layers in front of real layers, can still hide the target from attackers. It's just like using nondescript buildings or cars. Also strong cryptography can be additionally layered with obfuscation layer or steganography. Even some attacker could break the strong encryption, they might not recognize the encryption being used. As instead of using Password SHA1-CTR-AES128 you could use something else. Or preprosess the password and or even post or preprosess the data being encrypted. So they don't even recognize the fact that the data has been decrypted successfully, because it still doesn't look what they're expecting to get. Or using port knocking, changing default credentials / ports, limiting access by countries. Not perfect solution, but adds to the security layers, even if the measures wouldn't be considered as strong security at all.

  7. Horcrux Encrypted Messaging (@ notion.se) - There's nothing new about distributing communication on multiple paths to avoid complete message capture. Just like "out of band" encryption key delivery, so data and key(s) use completely independent transport channels.

  8. A good post about DNS privacy and QNAME minimization (@ blog.apnic.net) - A very nice article, including also statistics development of the situation and listing many different DNS resolvers and related configurations. Also the international country level distribution of servers using Qmin was quite interesting. kw: Query Name Minimization, Domain Name System, Qmin, NXDOMAIN

  9. Finally added working satellite phone to the communications security arsenal. There was a long discussion in privacy forum about satellite phones, and sure, in some situations those can and will give off your position, just like any radio emission. But in most of normal situations, it's still better to have some comms than no comms at all.

  10. How to synchronize 7-zip archive? I mean update 7-zip archive so that existing files won't get recompressed, new files will be added and files not present in source, will be removed. '7z u -uq0' does the trick. You can combine it with other compression parameters, like -ms=off to disable solid compression etc. Depending on file sizes and compressability, or with -mhe=on to allow header encryption preventing listing of the archive, etc. or -sni to store NT security information. Or -ssw to allow compressing shared files. -mqs is also nice option if you want to improve solid compression, it sorts files in all directories by extension before compressing. Note, yet file ordering is important when updating archive especially if solid block size is large. Removing one directory with many file extensions, even if small files, might require lots of data re-compression is mqs is on.

  11. Something different? Benford's law (@ Wikipedia). Checked also out most powerful EDF fans for cooling being used as thrusters.

2021-10-31