HTTP/3, 80211.ax, Kyberykset, Certbot, Code Quality, Requirements

  • HTTP/3: From root to tip in Cloudflare's blog. Awesome HTTP/3 is the next coming HTTP version talk video in Daniel Stenberg's blog. Changes since HTTP/2 (H2): - QUIC makes it HTTP/3 Goocle QUIC (gQUIC) vs IETF QUIC, deprecated Google SPDY and so on. 0-RTT TLS.
  • Just as it happens, one of the integrations where parallel finite-state machines were used, got new use cases which required major refactoring, because the simplified performance enhancing design wasn't covering all the new requirements. Classic trap. Simplified and fast solution is of course limited solution. Well, it took extra two days of straight coding, changing the code processing ensuring that the ACID requirements were covered even after the changes with different failure scenarios.
  • 802.11ax brings many improvements: OFDMA with RU, MU-MIMO, Trigger-based Random Access, Target Wake Time (TWT 802.11ah), Dynamic fragmentation and shorter Guard Intervals (GI). So many improvements, hopefully practical results will be great too.
  • Listened finnish - Kyberykset security show from F-Secure. Goods stuff, yet nothing new, obviously. But anyway, it's good to remind yourself about different threat scenarios and problems out there. Which is actually hosted on F-Secure's site.
  • It's funny that people think that LetsEncrypt is fire and forget system. Duh, no. It's just like any other "handy" cloud service. You'll need to maintain and update systems all the time, or otherwise those will be just deprecated and shutdown. Constant maintenance is required, whatever the solution is. That seems to be the very norm. TLS-SNI-01 validation needs to be replaced with (HTTP-01, DNS-01 or TLS-ALPN-01) which requires the Certbot update. Also had to updated all systems using Win-ACME / Letsencrypt-win-simple.
  • Read comprehensive guide book "Secure Software Development". Topics: Facilities and personnel, operations security, requirements and thread risk modeling, security requirements, thread modeling, built-in vs add-on security, privacy, secure design principles, attack surface, secure defaults, data sanitization, separating duties, principle of minimum privilege, defense in depth (deep security), failing securely, trust no one, security by obscurity or secrecy, keeping it simple, fixing issues correctly, platform security, platform hardening, software component security, supply chain security, cryptography, dependencies, code reviews, secure programming, testing and verification, quality assurance, fuzzing, penetration testing, load stress and torture testing, reverse engineering, testing reports and summary, secure deployment, configuration management, maintenance and patching, handling security incidents. Know your tools and platforms. Information security audit and self-assessment tool frameworks. OWASP Top 10 Nothing new in this guide, but lots of very classic stuff which makes you sigh deeply.
  • Classic: "Inadequate or missing requirements lead to wasted time in design and implementation" - Guess how much I laughed, so true. It also leads to attitude where everything is just all the time made as "prototype quality", because we can fix it later. Why would anyone write production quality code, wasting time because this code will be probably thrown out before it ever sees any light. After that is done, guess how interested people are paying for improving "working" code (refactoring) after everything seems to be in order? Even if that code is then absolute nightmare ad hoc and prototype, pure scratchpad quality, but they don't seem to mind about it.
  • Legendary: Reverse-engineering and replacing browser components made me laugh. That's what I've done several times. With more or less funny / frustrating outcomes for the server end admins. But I guess I'm in the script-kiddes category, even though I did all the research and coding my-self, instead of using someone else's scripts. I just did it for lulz.
  • Created bunch of PowerShell scripts, not as fun as Fish Shell, but when you've gotta get it done, you'll gotta get it done. And that's what I did.

2020-04-19