UEFI, Tutanota, 2FA/MFA, TEA

  • It seems that UEFI is a bit like 64-bit operating systems and IPv6: everyone just hates it. Why would you want to change anything, if it works?
  • Cloud Computing without Containers - Blaa blaa, doesn't use containers or virtual machines. Well, it also depends on how you define virtual machine or container. There are just so many different isolation levels and models. But I fully agree, I love efficiency and really dislike all kinds of inefficiency and overhead. That's why I personally really dislike the full VM model. V8 JavaScript Engine Isolates. Yet as they mention, usually these models greatly restrict how you can use the platform, and it's the very same case here. Also what they say is very true: if specific capacity is required for a specific type of traffic, usually virtualization is just inefficient. Just run your platform as close to the hardware as possible. That's exactly what they're doing. I think I've posted so many times about everything they say in this post earlier.
  • Tutanota Secure Password Reset - Snake oil. As I've written so many times, every system where a single provider says they're providing security is snake oil. Why? They control the encryption (and keys) and the data storage, which means that they can get access if they so desire. All these blog posts about security are snake oil. These things are hard; it's easy to make a system which sounds secure, but really isn't. Sure, if the administration can be trusted, the system can be secure, but you don't have any clue when it becomes insecure, and that's the problem.
  • Before You Turn On Two-Factor Authentication - Drawbacks and trade-offs of 2FA / MFA. Let's see. Absolutely excellent post, nothing to object to!
  • Just wondering, while configuring UEFI secure network boot, how many domains related to the discussion are funny: "Network Sorcery", "IT Therapist" and so on. It seems that someone else has also been having "deep trouble". AFAIK, this is all obvious as soon as you just know how to do it correctly, ha ha. It was as joyful as usual, took around 2 hours, but now it's working. PXE boot for 'legacy' systems and UEFI boot for newer computers; UEFI boot also works over IPv6. Awesomeness. Ubuntu, Clonezilla, Memtest, etc. basic tools are now available directly from network boot. Makes installing and configuring systems much faster and nicer. As well as image backups, in case you're testing something which might be disastrous, and you can easily return everything back to the previous configuration. Took about 50 test boots before everything was perfect. Classic fail: some of the files from alternate sources were different versions than the other files, which caused an instant crash without any error messages. Now syslinux.efi, ldlinux.e64, pxelinux.cfg/default, libcom32.c32, libutil.c32 are transferred over TFTP and after that everything is transferred using HTTP. But as far as I know, it could be possible to load those over HTTP too; let's see if that works out. Then we could completely retire TFTP (for UEFI systems). It seems that the proxyDHCP server I'm using doesn't support HTTP boot files. Didn't start tuning with iPXE because it isn't mandatory and TFTP is still required anyway for legacy systems.
  • Transient Execution Attacks (TEA): as expected, this stuff got really hairy after a while. Now it's really complex and its own area of science. New attack vectors are popping up all the time. Many of the attacks were originally scoped incorrectly or misclassified. It's good that systematic analysis of this area is now being made, and of how to design defences which actually remedy a whole class of attack, not just one demonstrated attack vector. But fixing the root cause is nearly impossible with current CPU designs, where there are deep pipelines and multiple threads running, lots of transient instructions, branch prediction and so on.
  • One pro tip to security guys: don't think about security, or your mind will totally blow when you encounter the reality. Can't go into any more details, but credentials management, that's a true nightmare.
  • Something different? Checked out China's new drones GJ-2 and CH-7 stealth, no links, sorry.
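
The staging step from the UEFI network boot item above (syslinux files over TFTP, everything else over HTTP), as an added example that is not from the original post: a small POSIX sh script that copies the syslinux UEFI files from one unpacked syslinux release into the TFTP root, refuses to go live if any of them is missing, and writes a pxelinux.cfg/default whose kernels and initrds are fetched from an HTTP server. The syslinux 6.x tarball paths, the TFTP root, the HTTP base URL and the menu entries are assumptions, not taken from the page; the proxyDHCP/PXE server side is not covered.

```shell
#!/bin/sh
# Added example (not from the original post): stage the syslinux UEFI x86-64
# netboot files from ONE unpacked syslinux release so that syslinux.efi,
# ldlinux.e64 and the .c32 modules all match, then write a pxelinux.cfg/default
# that fetches kernels and initrds over HTTP. Mixing module versions from
# different sources is the "instant crash without any error message" case.
# Assumed (not on the page): the syslinux 6.x tarball layout below, the TFTP
# root path, and an HTTP server at $HTTP_BASE holding the boot images.
set -eu

# Files needed by syslinux.efi, with their locations inside an unpacked
# syslinux 6.x tarball (efi64 build). Assumed layout; adjust per release.
UEFI_FILES="efi64/efi/syslinux.efi
efi64/com32/elflink/ldlinux/ldlinux.e64
efi64/com32/lib/libcom32.c32
efi64/com32/libutil/libutil.c32
efi64/com32/menu/menu.c32"

# stage_uefi_boot SRC DST: copy every file in UEFI_FILES from the single
# release tree SRC into TFTP root DST. Returns 1 before touching DST if any
# file is missing, so a partial (mixed-source) tree never goes live.
stage_uefi_boot() {
    src=$1
    dst=$2
    for rel in $UEFI_FILES; do
        if [ ! -f "$src/$rel" ]; then
            echo "missing $src/$rel: stage from one complete syslinux release" >&2
            return 1
        fi
    done
    mkdir -p "$dst/pxelinux.cfg"
    for rel in $UEFI_FILES; do
        cp "$src/$rel" "$dst/"
    done
}

# write_http_menu DST HTTP_BASE: the pxelinux.cfg/default still comes over
# TFTP, but KERNEL/INITRD point at an HTTP server (syslinux 5+ accepts
# http:// URLs there). Labels, paths and kernel arguments are illustrative.
write_http_menu() {
    dst=$1
    base=$2
    cat > "$dst/pxelinux.cfg/default" <<EOF
UI menu.c32
PROMPT 0
TIMEOUT 100
MENU TITLE Network boot (UEFI)

LABEL ubuntu
    MENU LABEL Ubuntu installer
    KERNEL $base/ubuntu/vmlinuz
    INITRD $base/ubuntu/initrd
    APPEND ip=dhcp

LABEL clonezilla
    MENU LABEL Clonezilla live
    KERNEL $base/clonezilla/vmlinuz
    INITRD $base/clonezilla/initrd.img
    APPEND boot=live union=overlay config components noswap fetch=$base/clonezilla/filesystem.squashfs
EOF
}

# Usage (hypothetical paths):
#   sh stage-uefi.sh /tmp/syslinux-6.04-pre1 /srv/tftp http://boot.example.internal/images
if [ $# -eq 3 ]; then
    stage_uefi_boot "$1" "$2"
    write_http_menu "$2" "$3"
    echo "staged $(echo "$UEFI_FILES" | wc -l | tr -d ' ') syslinux files in $2"
fi
```

The pre-flight loop is the point: ldlinux.e64 and the .c32 modules have to come from the same syslinux release as syslinux.efi, and copying all of them from one extracted tree is the simplest way to guarantee that. Whether syslinux.efi can then fetch ldlinux.e64 itself over HTTP is the open question the post raises; this script keeps those files on TFTP.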

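For the transient execution item above, a practitioner-side check added here as an example; it is not from the original post or from the systematic analysis it refers to. Linux publishes the kernel's per-issue mitigation status as one file per issue under /sys/devices/system/cpu/vulnerabilities/ (meltdown, spectre_v1, spectre_v2, mds, l1tf and others, depending on kernel version and CPU), each reading "Not affected", "Mitigation: ..." or "Vulnerable...". The script summarises that directory and fails if anything is still reported vulnerable. The sample directory it can build is constructed for illustration; its strings are typical of the kernel's format, not captured from a real machine.

```shell
#!/bin/sh
# Added example (not from the original post): summarise the kernel's transient
# execution mitigation status from sysfs and fail if any issue is still
# "Vulnerable". The exact set of files varies with kernel version and CPU.
set -eu

SYSFS_VULN=/sys/devices/system/cpu/vulnerabilities

# report_tea_status [DIR]: print one line per issue. Returns 1 if any entry
# begins with "Vulnerable", 2 if DIR is absent (kernel predates the interface
# or this is not Linux), 0 otherwise.
report_tea_status() {
    dir=${1:-$SYSFS_VULN}
    bad=0
    if [ ! -d "$dir" ]; then
        echo "no $dir: kernel too old for the sysfs interface, or not Linux" >&2
        return 2
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        status=$(cat "$f")
        case "$status" in
            Vulnerable*)     flag=FAIL; bad=1 ;;
            "Not affected"*) flag=ok ;;
            Mitigation*)     flag=ok ;;
            *)               flag=UNKNOWN ;;
        esac
        printf '%-8s %-18s %s\n' "$flag" "$name" "$status"
    done
    return $bad
}

# count_vulnerable [DIR]: number of entries whose status begins "Vulnerable".
count_vulnerable() {
    dir=${1:-$SYSFS_VULN}
    grep -l '^Vulnerable' "$dir"/* 2>/dev/null | wc -l | tr -d ' '
}

# make_sample_sysfs DIR: constructed sample in the kernel's format, so the
# functions can be tried without root or a real machine. The strings are
# typical of a 2020-era x86 kernel but are illustrative, not captured output.
make_sample_sysfs() {
    mkdir -p "$1"
    printf 'Not affected\n' > "$1/meltdown"
    printf 'Not affected\n' > "$1/l1tf"
    printf 'Mitigation: usercopy/swapgs barriers and __user pointer sanitization\n' > "$1/spectre_v1"
    printf 'Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling\n' > "$1/spectre_v2"
    printf 'Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable\n' > "$1/mds"
}

# Usage:  sh tea-status.sh --real     report on this machine, exit 1 if anything is Vulnerable
#         sh tea-status.sh --sample   run against the constructed sample directory
case "${1:-}" in
    --real)   report_tea_status ;;
    --sample) d=$(mktemp -d); make_sample_sysfs "$d"; report_tea_status "$d" || true; rm -rf "$d" ;;
esac
```

This only tells you what the running kernel thinks about the issues it knows of; a "Mitigation:" line says a software or microcode workaround is active for that one class, not that the pipeline-level root cause the post describes is gone, and new entries appear as new variants are classified.
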
2020-03-15