Encryption, Agile, WebEx, Python, OneDrive, Integration, Scands, Code

  • Awfully long discussion about Data Encryption, Web of Trust, PKI, Key Management, Tools, TLS, HTTPS, Email Encryption, API protection, Certificate Transparency, MITM, E2EE and problems with proprietary solutions and so on. And finally it turned into the topic of how messy and extremely complex the OpenPGP standard actually is, also at the source level. So even if anyone can "verify the code base", it's a really hard task and practically impossible. Not forgetting the UX most encryption tools give. Also which solutions give a clear indication of whom you're communicating with and which solutions try to hide the metadata etc. And finally users who break all the security rules and totally ruin security, even if the standards were solid.
  • This is also a great post about OpenPGP and encryption-related practical problems. Yeah, nothing new. Just one question: why hasn't someone written a simplified public-key tool like GnuPG which would use only modern ciphers? That should be pretty easy to do on top of some of the great encryption libraries which are out there, like Tink, Sodium, NaCl or CIRCL. Ref: CIRCL introduction, Libsodium introduction.
  • More agile development. Sent an email to one web site about their UX sucking and the service not working: JavaScript called a URI which simply timed out, the user got no information whatsoever about what was wrong, and only the JavaScript console showed the error. In one minute I got a reply, "Oops". And in 27 minutes, a reply: fixed. This is agile work at its best.
  • Cisco WebEx - Absolutely horrible user experience (UX). I'm a pro, and I find it bad. I wonder if normal users can ever survive joining a meeting. Also installing a plugin, temporary exe files and so on. As well as their standard WebEx Meetings client not allowing you to join a meeting in any sane way without using a browser extension was like, phew. This is bad. - From a security perspective, I couldn't imagine a worse system. Receive a random link, install extensions and run exes. Sounds like security suicide. Everything they're asking you to do is on the absolute no-no-no list.
  • Python 3.8 also finally brings typing.Final (PEP 591), ha. Final can be used as an annotation, and @final can be used as a decorator too.
  • It seems that Microsoft has changed the OneDrive authorization process. All clients using the old process couldn't get a new client secret anymore and failed when the old one expired. Got that fixed by updating some clients and fixing some code that used the old interfaces.
  • Standard integration fun. Field length 1 byte (from the formal specification), value always "true" as a string (from the requirements). OK OK, the old specification where the field length is set says it's a boolean, and it probably used the values 0 and 1. But now that the old format is upgraded to XML, the field length requirement is still one. Cheered up my Friday. How exactly do you fit four characters into one byte?
  • Daily mind blown. It's the year 2019 and we're having issues with Scandinavian characters [ Ö, Ä, Å, Æ, Ø, ö, ä, å, æ, ø ] and of course the [ € ] euro character. - No words for this. - Just go UTF-8 yourself! - The one character encoding to rule them all. Tragedy of UCS-2. kw: WTF-8
  • Mixing data and commands - Bad code is everywhere. Just found out that EdgeOS has a vulnerability where they messed things up in the very classic way, allowing remote code execution, destroying the system / files, and so on. If you use passwords with special characters you can inject commands. It's just like the good old SQL injection attacks. Anyway, it's recommended to use complex passwords, so you can find vulnerable systems every now and then. Great passwords: `´'<>;\^~[]{}="#$% and just see when systems fail to handle the password and do something totally wrong or give a strange error, and then keep digging deeper. It won't take long before you find that something is broken. Especially platforms which are based on Linux and run more or less random scripts behind the web UI are often extremely broken.
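On the OpenPGP bullet above (a simplified public-key tool over a modern library): here is an added example of what such a tool boils down to. It is not code from the post, from GnuPG or from any of the libraries named there; it assumes the Python `cryptography` package is installed, and the format version byte, the HKDF label and the wire layout are my own constructed choices. One key type (X25519), one KDF (HKDF-SHA256), one AEAD (ChaCha20-Poly1305), one fixed layout: nothing to negotiate and no packet grammar to audit.

```python
"""Added example, not code from the post or from any library it names:
a minimal sealed-box style public-key encryption tool using modern
primitives only and one fixed wire format. Assumes `cryptography` is installed."""
from __future__ import annotations

import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric.x25519 import (
    X25519PrivateKey,
    X25519PublicKey,
)
from cryptography.hazmat.primitives.ciphers.aead import ChaCha20Poly1305
from cryptography.hazmat.primitives.kdf.hkdf import HKDF
from cryptography.hazmat.primitives.serialization import (
    Encoding,
    NoEncryption,
    PrivateFormat,
    PublicFormat,
)

VERSION = b"\x01"                    # constructed: one-byte format version
KDF_INFO = b"minipk-v1-sealed-box"   # constructed: domain-separation label
KEY_LEN, NONCE_LEN, TAG_LEN = 32, 12, 16
# Wire format: VERSION(1) || ephemeral_pub(32) || nonce(12) || ciphertext || tag(16)
HEADER_LEN = 1 + KEY_LEN + NONCE_LEN


def keygen() -> tuple[bytes, bytes]:
    """Return (private_key, public_key) as raw 32-byte X25519 keys."""
    sk = X25519PrivateKey.generate()
    priv = sk.private_bytes(Encoding.Raw, PrivateFormat.Raw, NoEncryption())
    pub = sk.public_key().public_bytes(Encoding.Raw, PublicFormat.Raw)
    return priv, pub


def _derive_key(shared: bytes, eph_pub: bytes, recip_pub: bytes) -> bytes:
    # Bind the symmetric key to both public keys, so a ciphertext cannot be
    # re-targeted at another recipient without the tag failing.
    return HKDF(algorithm=hashes.SHA256(), length=KEY_LEN, salt=None,
                info=KDF_INFO + eph_pub + recip_pub).derive(shared)


def encrypt(recipient_pub: bytes, plaintext: bytes) -> bytes:
    """Fresh ephemeral key per message: the sender needs no long-term key,
    and only the recipient's private key can open the result."""
    eph_sk = X25519PrivateKey.generate()
    eph_pub = eph_sk.public_key().public_bytes(Encoding.Raw, PublicFormat.Raw)
    shared = eph_sk.exchange(X25519PublicKey.from_public_bytes(recipient_pub))
    key = _derive_key(shared, eph_pub, recipient_pub)
    nonce = os.urandom(NONCE_LEN)
    header = VERSION + eph_pub + nonce
    # The header is passed as associated data, so version, key and nonce
    # are authenticated along with the ciphertext.
    return header + ChaCha20Poly1305(key).encrypt(nonce, plaintext, header)


def decrypt(recipient_priv: bytes, blob: bytes) -> bytes:
    """Parse the fixed layout and decrypt. Raises ValueError on a malformed
    blob and InvalidTag on any modification of header or ciphertext."""
    if len(blob) < HEADER_LEN + TAG_LEN or blob[:1] != VERSION:
        raise ValueError("unsupported version or truncated message")
    eph_pub = blob[1:1 + KEY_LEN]
    nonce = blob[1 + KEY_LEN:HEADER_LEN]
    header, ct = blob[:HEADER_LEN], blob[HEADER_LEN:]
    sk = X25519PrivateKey.from_private_bytes(recipient_priv)
    recip_pub = sk.public_key().public_bytes(Encoding.Raw, PublicFormat.Raw)
    shared = sk.exchange(X25519PublicKey.from_public_bytes(eph_pub))
    key = _derive_key(shared, eph_pub, recip_pub)
    return ChaCha20Poly1305(key).decrypt(nonce, ct, header)


def opens_cleanly(recipient_priv: bytes, blob: bytes) -> bool:
    """True only if the blob is well-formed and authenticates under this key."""
    try:
        decrypt(recipient_priv, blob)
        return True
    except (ValueError, InvalidTag):
        return False


if __name__ == "__main__":
    alice_priv, alice_pub = keygen()
    sealed = encrypt(alice_pub, b"meet at the usual place")
    print(decrypt(alice_priv, sealed))
```

What this deliberately leaves out is sender authentication; adding an Ed25519 signature over the blob would be the next fixed-format step, still without touching the rest. The interesting property for review is that the whole trust surface is the ten lines of `decrypt`: a length check, a version byte and one AEAD call.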
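On the Scandinavian-characters bullet above: as an added example (not from the post), this is the bug as code. UTF-8 text decoded with a legacy single-byte codec turns 'Ö' into 'Ã–' and '€' into 'â‚¬'; the functions below reproduce that, recognise and undo it, show why a UCS-2 assumption still loses data, and report what the same text costs in bytes per encoding. The sample strings are constructed from the characters the note lists; the repair heuristic is mine and is labelled as such in the code.

```python
"""Added example, not from the post: mojibake from UTF-8 text decoded as
cp1252/latin-1, its repair, and the limits of UCS-2 / byte-length assumptions."""
from __future__ import annotations

# Constructed sample strings: the characters from the note.
SCANDINAVIAN = "ÖÄÅÆØöäåæø"
EURO = "\u20ac"


def simulate_mojibake(text: str, legacy: str = "cp1252") -> str:
    """Reproduce the bug: encode correctly as UTF-8, decode wrongly as `legacy`."""
    return text.encode("utf-8").decode(legacy, errors="replace")


def repair_mojibake(text: str) -> str:
    """Undo one UTF-8-decoded-as-legacy round trip when the text looks like
    that; otherwise return it unchanged. Heuristic (my assumption, not a
    standard): if re-encoding under the legacy codec yields valid UTF-8 that
    differs from the input, the input was mojibake. A user who genuinely
    typed 'Ã–' loses, so log repairs rather than applying them silently."""
    for legacy in ("cp1252", "latin-1"):
        try:
            fixed = text.encode(legacy).decode("utf-8")
        except (UnicodeEncodeError, UnicodeDecodeError):
            continue
        if fixed != text:
            return fixed
    return text


def ucs2_representable(text: str) -> bool:
    """UCS-2 holds only the Basic Multilingual Plane; anything above U+FFFF
    (emoji, many CJK extensions) needs UTF-16 surrogate pairs instead."""
    return all(ord(ch) <= 0xFFFF for ch in text)


def byte_lengths(text: str) -> dict[str, int | None]:
    """Bytes the same text costs per encoding; None means not encodable.
    This, not the character count, is what a 'field length in bytes' spec
    actually constrains."""
    out: dict[str, int | None] = {}
    for enc in ("latin-1", "cp1252", "utf-8", "utf-16-le"):
        try:
            out[enc] = len(text.encode(enc))
        except UnicodeEncodeError:
            out[enc] = None
    return out


if __name__ == "__main__":
    broken = simulate_mojibake(SCANDINAVIAN + EURO)
    print("received:", broken)
    print("repaired:", repair_mojibake(broken))
    print("bytes:   ", byte_lengths(SCANDINAVIAN + EURO))
```

The euro sign is the usual tell: it is not in latin-1 at all, is one byte in cp1252, three in UTF-8 and two in UTF-16, so any system that picked its field sizes from one of those and its decoder from another fails exactly on the characters the note lists.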
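On the "mixing data and commands" bullet above: here is the bug class as an added example, not code from the post or from EdgeOS, written from the side of the team that has to stop shipping it. A vulnerable builder that pastes the password into a shell string sits beside two fixed forms, and a round-trip check turns the "does the password survive the special characters" question into a regression test. It assumes a POSIX `sh` and a `printf` binary are available; `printf` is a stand-in for whatever helper the real product calls, and the sample passwords are constructed from the character set the note gives.

```python
"""Added example, not from the post or from EdgeOS: a password handed to a
shell as part of a command string (vulnerable) beside the argv and
positional-parameter forms (fixed), plus the round-trip regression test."""
from __future__ import annotations

import subprocess
from typing import Callable

# Constructed sample passwords: a plain control, then the ASCII part of the
# metacharacter set from the note, then two that a shell reads as a second command.
SAMPLE_PASSWORDS = [
    "hunter2",
    "`'<>;\\^~[]{}=\"#$%&|",
    "x;echo INJECTED",
    "$(echo INJECTED)",
]

_RUN = dict(capture_output=True, text=True, stdin=subprocess.DEVNULL)


def set_password_unsafe(user: str, password: str) -> str:
    """Vulnerable pattern: untrusted data interpolated into a shell command
    line. The shell parses the password as syntax, so ';', '$(...)', quotes
    and backticks change what runs. `printf` stands in for the real helper."""
    cmd = f"printf '%s\\n' {user}:{password}"
    return subprocess.run(cmd, shell=True, **_RUN).stdout


def set_password_safe(user: str, password: str) -> str:
    """Fixed pattern: argument vector, no shell. Every byte of the password
    reaches the program literally."""
    argv = ["printf", "%s\n", f"{user}:{password}"]
    return subprocess.run(argv, **_RUN).stdout


def set_password_safe_shell(user: str, password: str) -> str:
    """When a shell script genuinely has to be involved: keep the script text
    constant and pass the data as a positional parameter. "$1" is expanded,
    never re-parsed as syntax."""
    argv = ["sh", "-c", 'printf "%s\\n" "$1"', "setpw", f"{user}:{password}"]
    return subprocess.run(argv, **_RUN).stdout


def round_trips(setter: Callable[[str, str], str], user: str, password: str) -> bool:
    """True only if the helper received exactly user:password and nothing
    else ran. Keep this as a regression test for every input path."""
    return setter(user, password) == f"{user}:{password}\n"


def audit(user: str = "admin") -> dict[str, list[str]]:
    """Map each implementation to the sample passwords it mishandles."""
    impls = {
        "unsafe": set_password_unsafe,
        "argv": set_password_safe,
        "sh -c with $1": set_password_safe_shell,
    }
    return {name: [p for p in SAMPLE_PASSWORDS if not round_trips(fn, user, p)]
            for name, fn in impls.items()}


if __name__ == "__main__":
    for name, failures in audit().items():
        print(f"{name:14s} mishandled: {failures}")
```

The same check belongs in the web UI's own test suite: if the product stores or forwards a secret through any script, feed it the full metacharacter set and assert it comes back byte-for-byte identical. A password that does not round-trip is the symptom; the cause is always that data was concatenated into something a parser later executes, which is the SQL injection parallel the note draws.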

2020-08-16