Dnskv, Bubblewrap, Deepfakes, Matrix, Tor, OIDC
It's wonderful how many firewall leaks I've found with dnskv.com (@ dnskv.com). In one case the processes in the environment were really tightly jailed: "everything blocked", except networking to localhost only. And boom, that's it. localhost did provide DNS service, which means that even if the system is completely firewalled and there's no way out or in except via localhost, we've now got a nice way to send data in and out, making their secure firewalling protocols completely useless.
Had a fun and a bit hard time with bubblewrap. It seems that the root folder is a constant and never-ending pain. Only programs which are fully self-contained work properly and can have a single-directory root mount. Otherwise badly written programs which utilize libraries will be broken. After long, long testing, I found out it's best to compile programs so that everything is in a single binary, and if there's a need to write something, I'll just bind that single additional directory to the system and mount the application directory as root. Well, this is not a new problem. Almost all chroot / jailing solutions have exactly the same serious problems. If you don't have access to root (read-only of course), everything is broken, and if you do, everything is more or less insecure. Or at least you can collect quite a lot of information from the source system. Yet I have to say that the documentation from this standpoint is exceptionally bad. Also, there are good reasons why people don't want secure systems. If setting up very simple things takes days, it's usually not worth it. For most uses, working and insecure is better than a non-working secure solution. Of course, a system which doesn't work at all is quite secure.
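The layout described above (application directory as a read-only root plus one writable bind), as an added example that is not from the original post. The function name `sandbox`, the `/data` mount point and the directory arguments are assumptions for illustration; `--unshare-all` also gives the process its own network namespace, so the host's localhost resolver is out of reach.

```shell
#!/bin/sh
# Added example: bubblewrap command line for a self-contained (static) binary.
# sandbox, /data and the directory layout are hypothetical names.
#
# usage: sandbox print|run APP_DIR DATA_DIR /path/inside/sandbox
sandbox() {
    mode=$1 app_dir=$2 data_dir=$3 binary=$4

    # APP_DIR becomes "/" read-only, so the /data mount point has to exist
    # in it already: bwrap cannot create it on a read-only root.
    for d in "$app_dir" "$data_dir" "$app_dir/data"; do
        [ -d "$d" ] || { echo "missing directory: $d" >&2; return 1; }
    done

    # Require an absolute path so the program name is never parsed as an option.
    case $binary in
        /*) ;;
        *) echo "binary must be an absolute sandbox path" >&2; return 1 ;;
    esac

    # --unshare-all      new user/ipc/pid/net/uts/cgroup namespaces where possible
    # --die-with-parent  kill the sandbox when the launcher exits
    # --new-session      detach from the controlling terminal
    # --clearenv         do not leak the host environment into the sandbox
    # --ro-bind          application directory as the whole root, read-only
    # --bind             the single writable directory
    set -- bwrap \
        --unshare-all \
        --die-with-parent \
        --new-session \
        --clearenv \
        --ro-bind "$app_dir" / \
        --bind "$data_dir" /data \
        --chdir /data \
        "$binary"

    case $mode in
        print) printf '%s\n' "$@" ;;   # one argument per line, for review
        run)   "$@" ;;
        *)     echo "mode must be print or run" >&2; return 2 ;;
    esac
}
```

`sandbox print` shows the exact argument list before anything is executed; `sandbox run` needs bubblewrap installed.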
To uncover a deepfake video call, ask the caller to turn sideways (@ metaphysic.ai). Well, that's for now. I'm sure this limitation will be overcome in time. Also, if it's anything important, always use proper authentication. Whatever the preferred protocol is, is up to you. It was a nice chat. I'll do what we agreed about during this negotiation, as soon as you send me a signed request with a summary.
It was kind of surprising that Synapse / Dendrite (Matrix (@ Wikipedia) server implementations) don't support multi-tenancy / multi-domain support at all. I was kind of expecting that to be there out of the box. It's after all just a different UID domain identifier.
Totally excellent article about: Submarine cables in arctic and geopolitics (@ thearcticinstitute.org) - I've been following this topic for decades and wondering when something will happen. Now it's happening, but not in the way it was expected to happen.
Tor denial of service (DoS) attacks. It's quite funny: a system can run for days without any problems, with less than 50 circuits created per minute all the time. And then you'll get log entries that the server is too slow, 175463 Tor circuit creation requests failed in last 60 seconds. Oh well, that's an attack and that's extremely clear.
Studied OpenID Connect protocol (@ openid.net) - Yep, it's built on the classic OAuth 2.0 protocol. Hmm, interesting, had to read the OpenID Connect basic guide (@ openid.net) and of course the classic alternate summary OpenID Connect (@ Wikipedia). Yep, nothing new. Still waiting for wider adoption. Also see: Are we OIDC yet? (@ areweoidcyet.com).
Something not so different? War in Europe still goes on and reminded me about some stuff, yet nothing new: Stuhna & Stugna-P & Skif (@ Wikipedia), Archer Artillery System (@ Wikipedia). - Also visited a nice Air Defense Museum and lightly studied Buk-M1 & Mistral systems (@ Wikipedia) and classic Flakpanzer Gepard (@ Wikipedia). I've been at SPAAG (@ Wikipedia) live firing, it's a nice sound, sure sounds like autocannon (@ Wikipedia)!
2023-10-01