EV certs, U2F, Privacy Networks, .NET, TLS, WebAuthn, Drivers
EV certs, U2F, Privacy Networks, .NET, TLS, WebAuthn, Drivers
- Google Chrome is going to hide certificate EV information from address bar . This basically invalidates whole EV scheme. Anyway, as mentioned over and over, whole certificate business is so full of disinformation and unbased security claims.
- The deal with Solo U2F FIDO2 keys was so sweet, I had to order a few. Production use? Maybe not, but something to play with. *Yay* Of course without forgetting a few Hacker ones for testing all kind of stuff.
- Mysterim, Privatix, and Sentinel "privacy networks", which all seem to be more or less focused on crypto currencies and monetization. And all of the networks are still really small. Sentinel seems to be only one with some active traffic. But it still less than terabyte / day. And number of active nodes in each network is ridiculously small. I might return to this topic later, but in general there's not much to be seen here. Well, maybe those could be used as technical building blocks or a platform of something popular, but that remains to be seen.
- .NET 3.5. Some guys said it's installation is impossible. They say that Windows 2019 setup DVD media is required to install .NET 3.5. Of course that's classic MS lie. Some said that the media needs to be downloaded on the server. Why would I want to download 5 gigabyte media for installation. But after tchecking the facts, it's obvious that all you actually need is a single 71 megabyte .cab file. Oh well and oh joy. Fixed some really bad and bloated routines some system administrators were using. It was totally pointless for everyone, every time when installing .NET 3.5 to download the huge media file. Even if many instructions say that it's required, which is as expected total disinformation. Also the user interface doesn't make it very clear, which specific file is required for the installation. This is like the other good stuff from Microsoft with cleanmgr and "desktop experience required", so much bloat. Btw. Windows 2019 does have the cleanmgr installed by default. kw: microsoft-windows-netfx3-ondemand-package~31bf3856ad364e35~amd64~~.cab
- Compact TLS 1.3. I like this concept, because as mentioned, I generally dislike really complex and bloated standards. Especially when I'm personally implementing something, I'm often like, why there has to be so many ways of doing this thing. Isn't one enough? Which usually leads to partial implementation dropping legacy stuff.
- The Horror of Microsoft Teams - Good observations, worth of noting. Unfortunately nothing new. UX is what it is, and code is bad.
- Thinking about WebAuthn, it seems that the login is totally seamless experience when using Firefox on Linux. Just like cookies are. Is this a good or bad thing (?). I think it's bad thing, all the joy of lost accounts and needing to "recover login". Why not "recover password", well that's because password isn't needed. Of course tracking is first thing which comes into mind from this seamless process. Why not automatically create account for everyone visiting this site? Well, that's what most sites are already doing. Who said you would need to assign username or password.
- About powerful and generic code: Screwed drivers which execute code and commands from user space. Yes, this is exactly what I've talked earlier. Why wouldn't I love such a code. It allows you to get the stuff done easily, whatever it is. And of course, it's also totally and absolutely insecure. Tricks like this has been used for ages. Like crontab, which loads something using cURL and executes it in root shell, if the resource was found. Normally it doesn't do anything, but if required, it's very easy and handy way to launch reverse shell, change key settings or install new software, or of course, do basically anything on the system, if you just control the resource which cURL is checking. Who wouldn't love such versatile and elegant solution. Similar solution is to configure web server and CGI to run some code in root shell, if it's posted to specific URL, with varying level of authentication required.
- UpCloud Team is getting sloppy. It seems that their image deployment process is still giving disinformation. It always says deploying Windows 2012. Haha, it seems that fixing one string is too hard for their hacker team. Not a big deal, just wrong string, but it's still wrong.
- 2020-08-30