Copy paste coding, NCSC, Deny/Allow, Libra, NTP, NFC, Twitter, RPKI

  • Sounds like others are doing what I've mentioned in my blog several times. Microsoft released Bluetooth Plug'n'Play sample code, and many companies just copy pasted that sample into their code base. Ahem, there's usually some difference between a naive, simplified example and something that's full production quality, attack resistant and secure. Classic: something which was never intended for production is being used in production widely. Lol, Bluetooth LE is using the same fixed key in Android 7 to 9, just because someone copy pasted a hard coded static encryption key into the code base.
  • National Cyber Security Center of Finland (NCSC-FI) @ Official (Not Wikipedia this time!) recommended keeping deny lists (blacklists) up to date. I personally prefer allow lists (whitelists) as the much better option, if any security is required. Everything is blocked, except a very small subset of allowed IP addresses and ports / protocols. Of course that's usually not possible for front end servers, but in general that's the safe and better option.
  • Libra Global Currency - interesting news, but let's do the fact check: Unsurprisingly there is quite a lot of skepticism around this topic. Also some initial values do not sound too great: only 1000 transactions / second and 10 second latency sounds horrible. But I guess those are hopefully initial values and can be improved later (?), and off-channel payments should be able to avoid this latency anyway. Read the full Libra White Paper. kw: Cryptocurrency, Decentralized, Facebook
  • time.cloudflare.com - A new secure time service, which also supports classic Network Time Protocol (NTP). In Finland we've already got perfectly good NTP from MIKES, which also runs the official national time of Finland, but in some situations Cloudflare can be a great global option. Of course good NTP clients also support using multiple servers in parallel. See: Network Time Security (NTS).
  • .NORM normal file format @ XKCD. So true, I laughed: I've taken screenshots from SQL Studio, copy pasted those into an open document format document and then mailed it. I've done it. Haha, normal file format.
  • Wonderful usability and value. At one local mall, there is a luggage storage which is operated using an NFC card. That's perfect, I absolutely loved it. Often there are storage boxes around, but I'm not usually ever using those. In this case it was trivial to use the NFC card to lock the box and to open it. Benefits? No need to remember a PIN. The card itself is identifiable. It doesn't matter if someone sees you operating the box, there's no PIN to protect. And from the administration point of view it also makes it much easier to resolve whom the locker content belongs to, in case there's a problem. As well as being more secure, in the sense that it can't be used as a dead drop as easily, because you'll have to use the same card to open the box you used to lock it. (Of course this isn't a problem for pros.) Didn't sound too impressive yet? Well, I saved the best part for the very end: they're not charging the card, it's a free service to use, with ANY NFC card. Not just credit or debit cards.
  • Twitter usability is so extremely bad. They're prompting for login all the time. If you've got a web-site with Twitter references, there's no sane way to process those references using their app: the clipboard is broken, search doesn't work, the app doesn't detect data in the clipboard, etc. I truly wonder why people think Twitter is so great; I'm all the time encountering situations where their usability and user experience (UX) totally and absolutely sucks and they seem technically utterly incompetent. Also the warning messages where you have to click Yes if JavaScript is disabled, and so on. Phew. After hitting the login prompt once in a browser session, there's no easy way around that limitation, and so on. The list goes on. Fail, fail and ugly fail.
  • Cloudflare suffers from BGP route leak issues. Yeah, nothing new: lack of filtering and leaking routes. Sounds like a "classic". As mentioned, years ago I wasn't completely aware how common bad routing is. It isn't necessarily so bad that you would immediately notice it, but if you're running constant, efficient monitoring and receiving alerts, you'll end up seeing much more routing issues than you would as a "standard browser user". Anyway, their blog post explains this issue quite nicely. kw: RPKI, IRR, BGP, Origin Validation
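  To make the "Origin Validation" keyword concrete, here is an added example (mine, not Cloudflare's code or anything from their post) that classifies a BGP announcement against a set of ROAs using the RFC 6811 states valid / invalid / not-found. The ROAs, prefixes and AS numbers are constructed from documentation ranges and are not real routing data.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable

@dataclass(frozen=True)
class Roa:
    """Route Origin Authorisation: origin `asn` may announce `prefix`
    and more-specifics down to `max_length` bits."""
    prefix: str
    max_length: int
    asn: int

# Constructed sample ROAs (documentation prefixes and private ASNs only).
SAMPLE_ROAS = [
    Roa("203.0.113.0/24", 24, 64500),
    Roa("192.0.2.0/24", 24, 64496),
    Roa("2001:db8::/32", 48, 64500),
]

def rov_state(announced_prefix: str, origin_asn: int, roas: Iterable[Roa]) -> str:
    """Return 'valid', 'invalid' or 'not-found' for one announcement.

    A ROA "covers" the announcement when the announced prefix lies inside the
    ROA prefix. It "matches" when it also has the same origin AS and the
    announced prefix is no longer than max_length. Any match -> valid;
    covering ROAs but no match -> invalid; no covering ROA -> not-found.
    """
    net = ipaddress.ip_network(announced_prefix, strict=False)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        # subnet_of() raises on mixed address families, so compare versions first.
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "not-found"
    for roa in covering:
        if roa.asn == origin_asn and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"

if __name__ == "__main__":
    # A more-specific announced by the right origin still fails max_length.
    for prefix, asn in [("203.0.113.0/24", 64500), ("203.0.113.128/25", 64500),
                        ("203.0.113.0/24", 64501), ("198.51.100.0/24", 64500)]:
        print(prefix, asn, "->", rov_state(prefix, asn, SAMPLE_ROAS))
```

  Note that ROV only checks the origin AS: a leaked route that keeps its legitimate origin is still "valid", which is why route leak detection also needs AS-path filtering and monitoring, as the post above points out.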

2020-08-02