Integration, SQL, OWASP, Guacamole, OpenSSH, Data Storage, CAA

  • Integration fun. Your system must store and have data X. Ok? What the X is being used for? Nobody knows. Ok, what's the point of having, integration or storing data X if it isn't being used for anything at all. I just love logical people. Once again, it's hard to tell, if they're just trolling on purpose.
  • Sometimes SQL just strongly encourages very bad habits, like building SQL queries like strings. Great example is the simply IN query. Most of people just recommend building that as a string, by placing values directly, because handling of lists, sets and similar data structures isn't properly supported. - Sigh. Ok, it works well, but it's ugly and unsafe.
  • Continued ... Then somebody can come and wonder why totally insecure ways of coding is preferred. Well, because it's easy and it works.
  • Continued ... But better option is to build the query string with dynamic number of parameter place holders and then pass the values to the query. This allows safe implementation with dynamic number of parameters.
  • OWASP Top 10 - 2017 - Really nice list. Actually one of the projects I used to work with long time ago, probably had all of these issues. It would be so funny top provide checklist where every item is checked. But just leave out the information does it mean that the issue isn't fixed already, if it ever was present. Hahah. Yep, we've got it all covered. Hmm, actually it's probably that the A4 XML External Entities (XXE) isn't present. Because XML isn't being used internally. But if you expand that to cover HTML then all the possible injection and external sources & references fails are present.
  • NoScript updates with new Firefox are just ridiculous, broken, and broken in just so many was when update comes, it's broken in more ways and even worse, etc. But this is the quite normal way of software development. It takes several iterations to get anything even nearly working. Release pressure is created by tight schedules. Even if bugs are known, there's no time to fix those. Etc. So end result is total disaster, as it often is.
  • When I tested Apache Guacamole it worked above my expectations. It's the clientless remote desktop server. (Sure, the client is written in JavaScript) but it doesn't require installation.
  • Designed integration against TeamViewer API , but I didn't have time to program it, so it was handed to other resources. Including User Management and Reporting features.
  • Did I mention that crappy software written by n00b engineers is totally abundant? Yes. This time it's the true classic crap'o'ware, Skype for Business. Version 16.0.8201.2200 is totally broken. When I open the discussions list, and click CTLR + A to select everything it works. But then I just scroll in the middle of the list, click one entry and press CTRL + A again. Skype goes haywire, for a while and then crashes. Great work guys! Tested over and over again, it works every time. So this is totally repeatable and reproducible. - Sigh. Yet I don't know if this was more fun than enraging.
  • Fine tuned OpenSSH sshd_config and ssh_config on new hardware server. I use cloud services a lot, but for some cases, it's better to have your own hardware. Especially for stuff which require relatively little bandwidth and lot of storage space, and doesn't need to be backed up. The only really cost effective way is large traditional disks. When you got a good fiber connection, it's viable to run the server locally. ed25519 keys are now being used for everything.
  • One server got initially broken disks. It seems that many people don't do proper disk test it before putting drives into production. Yeah, sure, it takes lot of time for larger drives, but so what. Without proper patterned write read burn-in testing, you'll never know if the drives are working, until it's too late.
  • OVH DNS doesn't yet support CAA records RFC6844. Duh.
  • Postmortem with Postgres from GoCardless. Nice story. It's very good to analyze what went wrong and confirm that this hopefully won't happen again. At least with the same failure path. - Yep, failure scenario testing is important. It's easy to guess a few failure models and test one. But getting exhaustive testing is important. It's just like exception handling, you can handle the top 90% successfully, and when something "unexpected" happens, then things really blow up. After all this case seems to be totally normal failure when things aren't properly tested and designed. - "Some bugs will only be surfaced through fault injection - So true. As well as "Automation erodes knowledge". - Yet, nothing new.

2019-03-30