Telegram, e-Receipts, Outlook, 6in4, Registration, NetSpectre, Security

  • Telegram Passport - Nice idea. The only question is why so many services link your identity to a phone number or email address. I really hate it. If they want to link it to a real identity, they should use strong identification -> identity is confirmed. If they don't want strong identity, then any specified username or "login credentials" whatever should be enough.
  • Lots of discussion about electronic receipts with colleagues. Well, it comes back to the same question as the previous bullet: how to identify the customer in order to deliver the receipt, and whether that information can be used to identify the customer. Does it break GDPR? These are things which are evolving all the time. Can the shop use credit card tokenization and/or facial recognition to create "shadow customer profiles", even if the customers do not register as customers? Or can their Bluetooth / Wi-Fi signal presence be recorded, etc.? All this of course links to the location information, and so on, forming a location, time and identity register. Which might not be enough alone, but if it's combined with other information it can be an extremely effective tool for ...
  • Haven't I been ranting enough about Microsoft and Outlook? It seems that their SMTP server TLS certificate fails validation: outlook-com.olc.protection.outlook.com doesn't match its certificate. Duh! And sure, that's the MX being used with outlook.com. Meh. It seems like a fail, which could have been done intentionally to weaken security. Or maybe TLS and email are just way too hard and complex technologies even for corporations like Microsoft?
  • Kuusitunneli, a Finnish IPv6 tunnel provider, relocated their gateway from Helsinki to Turku. Unfortunately this led to extra latency of around 8 ms (which is twice the 4 ms round-trip between Helsinki and Turku) to services located in the capital area of Finland.
  • Sites which constantly push users to log in, and prevent seeing content in any sane way, are absolutely enraging. Like Twitter, Pinterest and so many others, which I just don't remember right now. - Quora used to be one of those sites. But lately it hasn't been as bad as it was earlier.
  • Schrödinger’s Security - Isn't it just easy to conclude that we've got perfect security, because there aren't any known breaches? (Which is a very good reason not to even try looking for problems.)
  • NetSpectre vulnerability description and implications. Exploiting Bounds Check Bypass (CVE-2017-5753) remotely, and making use of power management features. Also the AVX2-based side channel, which snoops for 256-bit operations, is quite neat.
  • Access control & Physical security - As expected, in regional testing the red team achieved 10 / 11 = ~91% success. They were able to get into places using various extremely simple techniques: just being friendly, looking busy, or following people, with low effort. Unexpected? Not at all. This is the normal state of security. And the one test that failed? Well, if they had done any preparation, it would probably have succeeded as well. But in this case they just tried to walk in, and the guard asked what they were up to. Because they didn't have anything prepared, the test failed. But having a few names and some information about an ongoing project would have pretty much guaranteed success in that case too.
  • List of IP protocol numbers. Surprisingly many firewalls unfortunately only focus on TCP / UDP port numbers and almost completely ignore the protocol level. Of course there's usually additional ICMP filtering, but it can be really poorly implemented. It's also good to remember that IPv6 requires a bunch of protocols to work; it's not a single protocol. There's a long list of all kinds of strange protocols. Are they sure that those protocols wouldn't actually work best on top of TCP or UDP instead of being completely separate protocols?
  • Great timing for some performance talks, because there's lots of performance discussion in the air right now. But I'm not going into the details, except that the required performance isn't being met. Which is of course the rational source of most performance related discussions.
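The protocol-level filtering point from the IP protocol numbers bullet, as an added example that is not part of the original post: a small Python classifier that reads the IPv4 Protocol field or walks the IPv6 extension-header chain to the upper-layer protocol, then applies a default-deny policy that still admits the ICMPv6 types IPv6 cannot work without. The policy and the sample packets are constructed for illustration and are not any firewall product's rules.

```python
# Added example (not from the original post): decide on a packet by its IP
# protocol number, walking IPv6 extension headers to find the upper-layer
# protocol, instead of looking only at TCP/UDP ports.
import struct

TCP, UDP, ICMPV6 = 6, 17, 58                     # IANA IP protocol numbers
# IPv6 extension headers: Hop-by-Hop, Routing, Fragment (fixed 8 bytes), Destination Options
EXT_HEADERS = {0: None, 43: None, 44: 8, 60: None}
# ICMPv6 types IPv6 cannot work without: Packet Too Big and Neighbor Discovery
REQUIRED_ICMPV6 = {2, 133, 134, 135, 136, 137}

def upper_layer(packet: bytes):
    """Return (protocol number, offset of that protocol's header)."""
    version = packet[0] >> 4
    if version == 4:
        return packet[9], (packet[0] & 0x0F) * 4     # IPv4 Protocol field, IHL
    if version != 6:
        raise ValueError("not an IP packet")
    nxt, off = packet[6], 40                          # IPv6 Next Header field
    while nxt in EXT_HEADERS:                         # follow the extension-header chain
        fixed = EXT_HEADERS[nxt]
        length = fixed or (packet[off + 1] + 1) * 8  # Hdr Ext Len excludes first 8 octets
        nxt, off = packet[off], off + length
    return nxt, off

def decide(packet: bytes) -> str:
    """Default-deny policy keyed on protocol number (assumed policy, not a product's)."""
    proto, off = upper_layer(packet)
    if proto in (TCP, UDP):
        return "allow"
    if packet[0] >> 4 == 6 and proto == ICMPV6 and packet[off] in REQUIRED_ICMPV6:
        return "allow"                                # NDP/PMTU traffic IPv6 needs
    return "deny"

# Constructed sample packets: headers only, addresses and payloads zero-filled.
def ipv4(proto):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0, bytes(4), bytes(4))

def ipv6(nxt, payload):
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), nxt, 64, bytes(16), bytes(16)) + payload

GRE = ipv4(47)                                         # protocol 47 has no ports to filter on
UDP6 = ipv6(UDP, bytes(8))
# Hop-by-Hop header (8 bytes, PadN option) followed by an ICMPv6 Neighbor Solicitation
NS6 = ipv6(0, bytes([ICMPV6, 0, 1, 4, 0, 0, 0, 0]) + bytes([135, 0, 0, 0]))
ECHO6 = ipv6(ICMPV6, bytes([128, 0, 0, 0]))           # echo request: not required, so denied

if __name__ == "__main__":
    for name, pkt in [("GRE", GRE), ("UDP6", UDP6), ("NS6", NS6), ("ECHO6", ECHO6)]:
        print(name, upper_layer(pkt)[0], decide(pkt))
```

A port-only filter would pass the GRE packet straight through, since there is no port to match; here it is denied because its protocol number is not on the list.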

2019-12-29