Aria, AI, PQ3, CSF, CA, mTLS, KeyRing, CRA

1. Aria Storage Engine, I haven't used MariaDB / MySQL a lot, it's MariaDB storage engine and for some strange reason one project is using it and Aria just stopped starting and I had to troubleshoot it without any previous recovery information. Of course they didn't have backups, so it wasn't an option to restore the database quickly to known good state. Had to delete the recovery logs: aria_log_control, aria_log.* and after that repair the corrupted tables losing some rows. But after that it did run. Phew. Again, I hate this stuff, when hit with this kind of errors at random and requiring instant reaction. - Main question is why aria gets broken like this? It should be crash proof, so why recovery won't work after some kind of (?!?) failure? - I'm usually very interested about data integrity, and this doesn't sound great at all.

2. Started watching lectures series called: GPT-4 Unleashed Master the Future of AI and finished those. Yet there are of course many other advanced models. I've been preferring Claude 3.5 Sonnet lately.

3. iMessage with PQ3 (@ security.apple.com)- Very nice development. It seems that PQC (Post-quantum_cryptography) (@ Wikipedia) is being adopted widely. Of course one of the major questions is, if that really matters, or if it's only small part of the puzzle and was the encryption really the weak point to begin with. But these are all very classic questions. kw: PQ3, PQC, ECC, ECDH, PQXDH, ML-KEM, SEAR

4. Cloud security issues, "FOSDEM 2024 2394 Linux on a confidential vm in a cloud where's the challenge", very nice talk indeed. It's hard to create secure systems, so this didn't surprise me. I'm quite sure, most of users do not even bother to try.

5. Carefully studied The NIST Cybersecurity Framework (CSF) 2.0 (@nist.gov) and National Cyber Security Centre's Cyber Essentials (@ ncsc.gov.uk). Good documentation of security basics. Also reviewed the administrative and technical requirements obviously.

6. Mounting a zip file. - I haven't even really thought about (wonder why?), mounting a zip file. Using fuse-zip or archivemount it was trivial and both options worked great. Had to test that, as well as creating a SquashFS file system, which was trivial and easy to store bunch of sparse stuff in compressed file on the host file-system.

7. CA certificates (again, and again) - I was actually very positively surprised when, a safety audit addressed just that. There have often been auditors who simply tell you that even for completely closed systems, you must definitely get the certs from outside. Which I have naturally never understood why. Now, in this audit, they said that relying on external certificates is a risk, and especially relying on user certificates is a big risk - there are so many different views on this issue. - This fight won't be solved quickly.

8. mTLS (mutual TLS) (@ Wikipedia) - Yeah. This is the solution which I've been preferring. As stated, I don't like idea of trusting any "trusted" CA cert(s), as we know, the default list lis very long. When every device(s) and server(s) are in my control, why I would need external parties to create "trust", when I can setup my own keys on number of [devices / trusted users / servers] is very limited. Usually it's 1:1 (one-to-one) and there are only two systems communicating directly with each other. mTLS is just great for situations like this example. Unfortunately it isn't very widely used.

9. Started to use keyring manager with Python programs. In some cases it's important to store key credentials correctly and in a safe location. Using keyring storage solves this, instead of using plaintext, obfuscated or encrypted credentials in some configuration file.

10. Cyber Resilience Act (CRA) (@ digital-strategy.ec.europa.eu) and Cyber Resilience Act (@ Wikipedia). Also see: Secure by default (@ Wikipedia) - Quite high level policy documents, but still gives clear impression of main objectives that should be fulfilled by software / hardware suppliers in the EU area.

2024-12-01