Projects, InfoSec, Agile (SAF), Mojeek, BlackHat, MLS
Summer reading. About software project management and specifications: completeness, consistency, correctness and customer aspects, customer outcome, service channel, touchpoint and service context. Also in big picture customer life cycle map, customer journey map and service blueprint. Application Lifecycle Management. Old school stuff, but even if there are newer concepts, it's also good to remember the older models and being able to compare and pick the best parts of each model. kw: service-oriented modeling and architecture (SOMA). Also read a few excellent long articles about waterfall versus agile, how it causes problems with many projects. Uh, been there, done that, literally.
Next topic, information security, system and software development and security architecture. Change management and related security aspects with solid audit trail. How are different security aspects covered and required security level assured? Confidentiality, Integrity, Availability (CIA), Security Audit, Security Controls, Processes, Policies, Documentation, Human Resources and software and hardware solutions. Software criticality, security level and information security classification, vulnerability coordination and management.
Some keywords: Big data, Leading with Data, Key Performance Indicators, Measuring Performance, Analytics, Predictions, Projections, Trends, Exploration, Cognitive Computing, TOGAF, Data Lake, Entity-Relationship Data Modeling (ERD), Data Vault 2.0, NoSQL, Info Mart, Master Data Management (MDM), "Golden record", Enterprise Data Warehouse (EDW), Extract Transform Load (ETL), Real-Time Streaming Analytics, Hadoop.
Even more reading: Scaled Agile Framework (SAF), Lean, "Fail Early, Fail Often", Internet of Things (IoT) aka Internet of Everything, SLA, QoS, IPv6.
Read Mikko Hyppönen's (@ Wikipedia) book "If It's Smart, It's Vulnerable". Yet some people thought that it was a bad thing to have a website "Get your smart $h17 off the Internet". I think it's pretty much the same story, just worded a bit differently.
Made a privacy enhancement suggestion to Mojeek (@ Wikipedia), so that query settings could be provided in the query URL instead of using separate settings cookies, which are quite useless when you don't use cookies.
Watched a bunch of BlackHat USA videos from 2016 & 2019: encryption, side-channel stuff. And other lectures about Messaging Layer Security, because it bugged me that after reading the IETF RFC several times, I'm still missing the exact point. What makes Messaging Layer Security (MLS) (@ Wikipedia) "so different, read much better" when comparing to other solutions. So I'm not clearly understanding the key tree structure in detail, I can't run "simulation in my mind" about it, and that means I don't understand it. Let's hope after the videos it's all clear. - After watching the videos, it's just basically efficiency of key derivation. But it seems still very problematic for highly distributed systems, which might have more or less permanent partial connectivity. I'm curious to see how they're going to solve that partition and lack of accurate timing tolerance.
... MLS Talks ... : Started with Off-the-Record Protocol, Double Ratchet Algorithm. When they got to the MLS, they started to talk about TreeKEM Protocol and MLS's CGKA protocol. This is exactly the stuff which I didn't fully understand when reading the paper, because it wasn't visualized in the document in any way if I remember correctly. Forward Secrecy (FS) & Post-Compromise Security (PCS), Deniability. Key Rotation and Distribution. Init Keys. And finally got to the Key management Tree, which is exactly the point, which (benefits and drawbacks) I didn't fully understand. Concepts and reasoning behind MegOLM weren't hard to grasp. Well, I loved the efficiency part, where they made it clear what's the point of MLS. Which is the key management efficiency for larger groups. It's much more efficient than traditional pairwise encryption like OLM which is used to distribute MegOLM (m.megolm.v1.aes-sha2) keys with Matrix currently. But it's lovely that they have clearly thought about potential problems caused by the design beforehand. And yes, now I can see why it would be beneficial & useful for something modern, like Matrix. I just ahh, can't think about all the bugs and issues this is going to create at the beginning. Just like the encrypted rooms and key delivery tends still to fail from time to time. Especially, if custom non-standard key rotation interval is being used.
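The efficiency point above, as an added sketch (not code from the talks, the RFC or this post): a toy TreeKEM-style key update in a complete binary tree, compared with pairwise delivery to every other member. Assumptions: SHA-256 stands in for the MLS key schedule, an XOR pad stands in for public-key encryption to a node, and the names `Group`, `update`, `receive` and `demo` are hypothetical.

```python
import hashlib, os

def kdf(secret: bytes, label: bytes) -> bytes:
    # Stand-in KDF (assumption): plain SHA-256, not the MLS key schedule.
    return hashlib.sha256(label + secret).digest()

def seal(key: bytes, msg: bytes) -> bytes:
    # Toy XOR pad standing in for public-key encryption; also its own inverse.
    return bytes(a ^ b for a, b in zip(kdf(key, b"pad"), msg))

def direct_path(node: int) -> list:
    # Heap layout: root is 1, children of i are 2i and 2i+1, leaves are n..2n-1.
    path = []
    while node >= 1:
        path.append(node)
        node //= 2
    return path

class Group:
    def __init__(self, n: int):  # n must be a power of two in this sketch
        self.n = n
        # self.tree models the public key directory: one key per tree node.
        self.tree = {i: os.urandom(32) for i in range(1, 2 * n)}
        # Each member holds only the secrets on its own leaf-to-root path.
        self.views = [{i: self.tree[i] for i in direct_path(n + m)} for m in range(n)]

    def update(self, sender: int) -> list:
        """Refresh the sender's path; one ciphertext per copath node."""
        node, secret, msgs = self.n + sender, os.urandom(32), []
        self.tree[node] = self.views[sender][node] = secret
        while node > 1:
            sibling, node = node ^ 1, node // 2
            secret = kdf(secret, b"path")  # each parent derives from its child
            self.tree[node] = self.views[sender][node] = secret
            msgs.append((sibling, seal(self.tree[sibling], secret)))
        return msgs

    def receive(self, member: int, msgs: list) -> None:
        view = self.views[member]
        for sibling, ct in msgs:
            if sibling in view:  # exactly one copath node lies on our own path
                node, secret = sibling // 2, seal(view[sibling], ct)
                view[node] = secret
                while node > 1:  # derive the remaining secrets up to the root
                    node, secret = node // 2, kdf(secret, b"path")
                    view[node] = secret
                return

def demo(n: int = 8, sender: int = 3):
    g = Group(n)
    old_root = g.views[0][1]
    msgs = g.update(sender)
    for m in range(n):
        if m != sender:
            g.receive(m, msgs)
    roots = {v[1] for v in g.views}
    # (tree ciphertexts, pairwise ciphertexts, all agree on root, root rotated)
    return len(msgs), n - 1, len(roots) == 1, roots != {old_root}
```

With 8 members one update costs 3 ciphertexts instead of 7, and with 64 members 6 instead of 63, which is the logarithmic saving for large groups.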
2023-09-17