Security, Scams, IPv6, FIDO2, CAA validation, Quantum, Random

  • Long long discussions about supply chain security in software and generic secure software development processes and requirements. Read this nice article: ICT Supply Chain Integrity - Long and quite high level document mostly about governance. kw: national security, policy, legal, corporate, cybersecurity, trust, vulnerabilities, intervention, risk assessment, mitigating threats, updates, support, procedures, transparency, ICT/OT, confidential, malicious, escalation

  • Wired Untold Story 2018 Olympics Destroyer Cyberattack @ Wired - Good story, especially after reading the previous article. Nice synergy. kw: cybersecurity, cyberattacks, attribution, malware, false flag

  • Excellent article about monetary scams @ Kalzumeus. Complex money laundering schemes. No wonder the world is so full of shady money. kw: assets, backed by, "reserves", Bitfinex, Tether, CCC, Bitcoin.

  • This is the command which disables listening to RA packets: netsh interface ipv6 set interface "Ethernet 3" routerdiscovery=disabled. In some cases these settings do not persist and need to be run again after every reboot from an admin PowerShell: Set-NetIPv6Protocol -RandomizeIdentifiers Disabled and Set-NetIPv6Protocol -UseTemporaryAddresses Disabled.

  • Getting started with security keys - Very nice article about security keys. I've posted about the topic in a bit more technical sense here. Yet the claim about password reuse is funny; nobody who cares about security is that stupid. I do agree that using a phone number for account recovery is a very insecure measure. Also email password reset is absolute insanity if you want something to be secure. It would be much better to agree on a separate long random reset token / provider, as I've always done when it's possible. Also see related article: Username (and password) free login with security keys kw: SIM, smishing, vishing, FIDO U2F, CTAP, CTAP2, FIDO2 and WebAuthn, NFC, BLE, USB, TPM, HSM. Yet there's nothing new in these articles.

  • Security podcast actually mentioned exactly what I've been asking for: using actual MFA, i.e. token + fingerprint + PIN. This is exactly what I asked from FIDO2 Level 2 devices. Why isn't that possible? Afaik, it should be. I'm also wondering when web browsers will start to use HTTPS as the default, instead of HTTP.

  • Found out that many online CAA validation tests are just so bad. First of all, CAA records are checked from the authoritative DNS server, which means that using a CNAME won't affect the CAA lookup. Secondly, the subdomain should be checked first and, if no record is found there, the parent domain, and so on up the tree. Many of the checkers do not fetch data from the current certificates to compare. So they only fetch CAA records, but do not validate whether those would actually permit the next cert issuance from the same provider, etc. Some of the validators do follow CNAMEs. Bad implementations, logic and code are just about everywhere.
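The tree-climbing part of a CAA check, the thing the bad validators above get wrong, is small enough to show in full. The following is an added example written for this post, not code from any of the linked articles or checkers. It models DNS answers with a constructed in-memory zone (all names, CA identifiers and the accounturi placeholder are made up), climbs from the requested name toward the TLD until the first CAA RRset is found, and then applies the issue / issuewild / critical-flag rules to decide whether a given CA may issue. CNAME handling is deliberately left out; the zone is treated as if already resolved.

```python
"""Relevant-CAA lookup and issuance decision (illustrative example, constructed data)."""

CRITICAL = 0x80  # issuer-critical bit in the CAA flags byte

# Constructed zone standing in for authoritative DNS answers:
# absolute owner name -> CAA RRset as (flags, tag, value) tuples.
CONSTRUCTED_ZONE = {
    "example.com.": [(0, "issue", "ca-a.example"), (0, "issuewild", ";")],
    "api.example.com.": [(0, "issue", "ca-b.example; accounturi=ACCOUNT-PLACEHOLDER")],
    "legacy.example.com.": [(CRITICAL, "futuretag", "unknown")],
}


def parent(name):
    """Return the parent of an absolute name, or None at the TLD.

    The root zone is never consulted, so the climb stops at the TLD.
    """
    labels = name.rstrip(".").split(".")
    if len(labels) <= 1:
        return None
    return ".".join(labels[1:]) + "."


def relevant_caa(name, zone):
    """Climb from name toward the TLD; return (owner, rrset) of the first CAA RRset found.

    A checker that only queries the exact name misses every record inherited
    from a parent; a checker that keeps climbing past the first hit applies
    records that do not govern this name.
    """
    current = name if name.endswith(".") else name + "."
    while current is not None:
        rrset = zone.get(current)
        if rrset:
            return current, rrset
        current = parent(current)
    return None, []


def _value_permits(value, ca_domain):
    """An issue/issuewild value is '<issuer-domain>[; params]'; an empty issuer (';') denies all."""
    issuer = value.split(";", 1)[0].strip().lower()
    if issuer == "":
        return False
    return issuer == ca_domain.lower()


def ca_may_issue(name, ca_domain, zone, wildcard=False):
    """Decide whether ca_domain may issue for name (wildcard=True for *.name)."""
    _owner, rrset = relevant_caa(name, zone)
    if not rrset:
        return True  # no CAA anywhere in the tree: no restriction
    # A critical property the CA does not understand forbids issuance outright.
    for flags, tag, _value in rrset:
        if flags & CRITICAL and tag not in ("issue", "issuewild"):
            return False
    issue = [v for _f, t, v in rrset if t == "issue"]
    issuewild = [v for _f, t, v in rrset if t == "issuewild"]
    # issuewild governs wildcard requests only when present; otherwise issue applies.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True  # RRset exists but carries no applicable property
    return any(_value_permits(v, ca_domain) for v in applicable)


if __name__ == "__main__":
    for host, ca, wild in [
        ("www.api.example.com.", "ca-a.example", False),
        ("www.api.example.com.", "ca-b.example", False),
        ("www.example.com.", "ca-a.example", True),
        ("legacy.example.com.", "ca-a.example", False),
    ]:
        owner, _ = relevant_caa(host, CONSTRUCTED_ZONE)
        print(host, "wildcard" if wild else "plain", ca, "->",
              ca_may_issue(host, ca, CONSTRUCTED_ZONE, wild), "(CAA from", owner, ")")
```

To turn this into a real checker, replace CONSTRUCTED_ZONE with CAA queries against the authoritative servers, then compare the permitted issuer against the CA named in the certificate that is currently deployed; that last step is what most of the online validators skip.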

  • TLS Post Quantum Experiment @ Cloudflare Blog. Interesting. It's good to be prepared for the future. See results: Real-world measurements of structured-lattices and supersingular isogenies in TLS. Yes, and that's exactly what I also immediately thought about: "One possible explanation for this is packet fragmentation and packet loss." It's good to remember that fast is a relative term; it's always a trade-off between several factors. kw: TLS, cryptography, isogeny-based SIKE/p434, lattice-based NTRU-HRSS, CECPQ2, CECPQ2b, X25519

  • Bad random numbers by AMD, a great story. Good random numbers are essential for good security and encryption.

  • It's interesting to monitor the network attack situation. Now it seems that the attacks are getting considerably worse. A bunch of systems are practically getting denial-of-service level attacks, where the service is only intermittently available and performance is really poor when the user manages to make a successful connection. This is much worse than the famous "Internet background radiation".

  • Something different: High-altitude platform station (HAPS), UAV.

2020-10-25