HTTP/3, Phones, Screen Lock, Solo-Tools, Argon2, SimpleX
Finally upgraded some of my servers to use HTTP/3 (@ Wikipedia) with Nginx (@ Wikipedia). Lots of QUIC configuration stuff. Enabled early_data, GSO (Generic Segmentation Offload) and eBPF (extended Berkeley Packet Filter). Hmm, interesting. HTTP/3 PUSH is included. I thought it was dropped from the specification, but it's left as optional. It was debatable if it actually helps or just adds complexity to the protocol. Naturally also added Alt-Svc h3, etc. If push is being used, http3_push_preload is a nice feature of course. Speeds up the delivery of content. Yet again, it's questionable if it's necessary. Server side: '"GET /test HTTP/3" 200' - Nice. And on the browser's side: '{"Status": "200OK", "Version": "HTTP/3", "Transferred": "163 B (0 B size)"}' or "HTTP/3 200 OK" as raw. - Nice. But why isn't there a space between 200 and OK in the Firefox JSON version [sic]? WTF again. Well, doesn't matter, it works.
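An added example, not the author's configuration: a minimal Nginx (1.25+) setup with the settings named above, plus the replay handling that early_data calls for, since 0-RTT requests can be replayed. The hostname, certificate paths, backend address, the /api/ location and quic_retry are assumptions not taken from the post.

```nginx
# Added example; all names, paths and addresses are placeholders.

# Main context: eBPF-based routing of QUIC packets (Linux 5.7+),
# used together with "reuseport" on the quic listener.
quic_bpf on;

events {}

http {
    server {
        listen 443 ssl;                 # TCP: HTTP/1.1 and HTTP/2
        listen 443 quic reuseport;      # UDP: QUIC / HTTP/3
        http2 on;
        http3 on;
        server_name example.org;

        ssl_certificate     /etc/nginx/tls/example.org.crt;
        ssl_certificate_key /etc/nginx/tls/example.org.key;
        ssl_protocols       TLSv1.2 TLSv1.3;

        quic_gso   on;   # Generic Segmentation Offload for outgoing UDP
        quic_retry on;   # address validation via Retry (not in the post)

        # 0-RTT early data: saves a round trip, but the first flight
        # can be captured and replayed.
        ssl_early_data on;

        # Advertise HTTP/3 to clients that arrived over TCP.
        add_header Alt-Svc 'h3=":443"; ma=86400' always;

        location / {
            # Pass the early-data flag to the backend (RFC 8470) so it
            # can answer 425 Too Early where a replay would matter.
            proxy_set_header Early-Data $ssl_early_data;
            proxy_pass http://127.0.0.1:8080;
        }

        # Hypothetical state-changing endpoint: refuse early data outright.
        location /api/ {
            if ($ssl_early_data) { return 425; }
            proxy_pass http://127.0.0.1:8080;
        }
    }
}
```

A client that receives 425 retries the request after the handshake completes, so only the round-trip saving is lost on those paths.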
Samsung phone bricked after official firmware update, in less than a second. Good work Samsung! Needed charging related hardware parts to be replaced, this is quite interesting. Maybe even a little bit fishy if you're paranoid? How could it happen so fast? Did the package contain something strange?
Windows 11 screen lock security, keep just clicking esc, alt-ctrl-del and space, until screen unlocks. It's totally insecure! I wonder if a similar standard of security has been applied to BitLocker as well.
Attended interesting video lessons about Vulnerability Management (VM), Security Information and Event Management (SIEM), Distributed Denial of Service (DDoS), Attack Surface Monitoring (ASM), Malware and technical attack forensics, Compromise Assessment and Incident Response (CAIR), Endpoint Detection and Response (EDR), Security Operations Center (SOC) and list of Cyber Defence Assistance (CDA) providers and updated contact information about National Cybersecurity Coordination Center. It's good to have pre-established contacts and contracts, so that if there's a need for something, you can jump straight into action without management overhead. - Be prepared!
Solo-Tools (solo1) package is broken on pip for two and a half years or something like that. Mistake is really simple. They've updated dependency to newer library version, but haven't updated the code with the new library interface. Two options to fix that, patch the code with new interface (there's a ready patch / pull request for that) or downgrade the library. Both options work. So, how is fixing the issue taking two and a half years? Sounds like intentional sabotage just as I mentioned above. If there would be any will, it would be like: "Oops, sorry, fixed". Like most developers do in this situation.
Nostr (@ Nostr.com). Yet another decentralized social network with slightly different design than others. It's always interesting to see what kind of design is chosen and what are pros, cons and limitations of the selected solution. This architecture seems to be working and quite simple. Yet as mentioned, these designs are quite heavy for mobile users, if they're following lots of users. Design is quite similar to SimpleX.chat and others.
Dropped dnskv.com (@ dnskv.com) time, date and datetime TTL to one second. This allows users to use the service to see if there are DNS servers which cache the content and serve stale responses without respecting the one second TTL value.
PBKDF2 vs Argon2 - Finally some hard numbers (@ reddit.com) - Very nice post indeed, most of us kind of knew it. But many wouldn't bother to actually test it. But here you've got the numbers, so you don't need to do the comparison by yourself again.
A friend made lots of tests to different email providers around the world from multiple different data centers. Most interesting result of the tests was that outlook.com MX servers didn't always offer / allow TLS at all. Some kind of regional unstated policy? Sounds strange, wondering if anyone knows more.
SimpleX chat (@ Opt Out Podcast). Evgeny / SimpleX interview @ Opt Out podcast is great and it's really nice to have a podcast episode about this interesting project. - Very good interview, thank you Evgeny for both, software and this talk. I also loved the discussion and considerations about design upsides and downsides. Yet of course nothing new. To sum it up, excellent and amazing attitude!
Google Sites - New page feature still works completely randomly. Sometimes it adds a header automatically, and most often not. Probably JavaScript n00bs have written very broken code. That's unfortunately very common nowadays. As an example, Bing AI Copilot chat is also similarly stupidly broken. It's always important to open the page, wait for all of their bad JavaScript bloat crap to load, then reload the page, and start working. Otherwise it'll malfunction. Normal quality code by experts who write their first program ever. - These features have been broken and present for years.
2024-02-18