Starlink, DNS, PowerShell, TLS1.3
Also refreshed my mental status about Starlink and OneWeb, and also learned that China is launching StarNet/GW satellite internet. Yet Project Kuiper from Amazon is still waiting for launches later in 2022.
Yet another never-ending discussion about passwords. I don't get this password fetish at all that some people have got. Authentication isn't that hard, there are absolutely great and secure solutions to it, but still people keep yapping about it. The only way to win these hopeless discussions is to completely ignore all the silliness going on. Also, once again, if password / key reset is trivial, then the security is already completely ruined and there's no point discussing it at all. Also it's a huge mistake to let users select their own ridiculously weak, often reused 123neverguessme passwords when we have a TRNG we can use. Or we can simply use secure public key ECC authentication with the key stored in an HSM. But well, yeah. Blah! - Zero Knowledge Proof won't help if the passwords are incredibly bad and/or re-used, as long as the authentication is based on user selected ... blah blah blah....
Yes, I wish there would be a better, generally implemented login method than basic authentication, but for some reason it seems incredibly hard for engineers to implement. Of course basic authentication itself can be used with automatically rotating keys, and/or the password can be hashed with a timestamp, for example.
One customer requested using split horizon DNS (@ Wikipedia). It's not a problem to implement and works well in a limited setup.
Also had the joy of implementing a TLS/SSL certificate renewal and delivery system for closed environment(s). One server fetches all the certs, and then those are securely fetched from it by the other subsystems which actually utilize those certs. Now it's possible to get TLS certs for all the IoT devices in the closed IoT network. The devices are disconnected from the internet and only accessible via a single access gateway, which doesn't provide any generic access, strictly limiting inbound and outbound traffic to only approved content and select sources / destinations. My personal opinion was that it's kind of pointless to do that, but they insisted, so it had to be done. And they paid for it. Yet it's still brittle; what could go wrong.
Had a long, long discussion about SMR tech and storage in general, and ended up studying Zoned Namespaces (ZNS) (@ nvmexpress.org) and SCSI Zoned Block Commands (ZBC), Zoned Device ATA Command Set (ZAC), Shingled Magnetic Recording (SMR), NVMe Zoned Namespaces (ZNS) (@ zonedstorage.io).
Watched a great James Webb Space Telescope documentary: "Beyond Hubble: Launching The Telescope of Tomorrow". Let's just keep our fingers crossed that everything works out perfectly. I'll also get a new wallpaper, because my old desktop wallpaper is actually an image taken by the Hubble Space Telescope.
If something is absolutely broken and enraging, it's PowerShell. Once again I spent half a day doing trivial things which are so utterly broken with PowerShell. Using Python, Cmd, Perl, Bash or Fish, the same tasks would have taken a few minutes.
So much PowerShell tuning: learned how to deal with certificate repositories, how to send email using PowerShell, and how to send reports to Matrix directly from PowerShell using Invoke-WebRequest while formatting the message properly in the script, etc.
I just wish TLS 1.3 would be supported everywhere. Lots and lots of tuning with cipher suites, trying to reach the best security and still retain compatibility with other servers. It's so annoying that some versions of IIS only got ECDH / ECDSA with GCM and not ECDH / RSA with GCM ciphers, because using CBC is currently labelled as a weak cipher suite. Even if I highly doubt that it would be a practical security problem, especially in our cases where it's assumed that the attacker can't create session / control data in transport. But sure, if possible, why not choose as secure as possible.
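The cipher-suite tuning described above, as an added PowerShell example (not the author's script): it audits the Schannel cipher-suite list with the built-in TLS module cmdlets Get-TlsCipherSuite and Disable-TlsCipherSuite, flags CBC-mode and static-RSA suites, checks that an ECDHE_RSA GCM suite survives for RSA-certificate hosts, and only disables anything when run with the assumed -Apply switch. It assumes a Windows version that ships the TLS module (Windows Server 2016 / Windows 10 or later) and an elevated session.

```powershell
# Added example, not the blog author's code. Audits Schannel cipher suites with the
# built-in TLS module and optionally disables CBC and non-forward-secret suites.
# Assumes Windows Server 2016+/Windows 10+ (TLS module present); run elevated.
# Dry-run by default: removing the last suite a legacy peer supports breaks that
# connection, which is the compatibility trade-off the text above talks about.
param([switch]$Apply)

$suites = @(Get-TlsCipherSuite | Select-Object -ExpandProperty Name)

# CBC suites are the ones scanners label "weak"; TLS_RSA_WITH_* suites use static RSA
# key exchange and have no forward secrecy. TLS 1.3 suites (TLS_AES_*, TLS_CHACHA20_*)
# match neither pattern and are always kept.
$cbc   = @($suites | Where-Object { $_ -match '_CBC_' })
$noPfs = @($suites | Where-Object { $_ -match '^TLS_RSA_WITH_' })
$keep  = @($suites | Where-Object { $_ -notin $cbc -and $_ -notin $noPfs })

"Enabled suites : $($suites.Count)"
"CBC suites     : $($cbc.Count)"
"No-PFS suites  : $($noPfs.Count)"
"Would keep     : $($keep.Count)"
$keep | ForEach-Object { "  keep          $_" }

# The IIS situation mentioned above: a host with an RSA certificate can only reach an
# AEAD suite through ECDHE_RSA + GCM. If none would remain, dropping CBC leaves it with
# nothing usable, so warn before touching anything.
if (-not ($keep | Where-Object { $_ -match '^TLS_ECDHE_RSA_WITH_AES_\d+_GCM_' })) {
    Write-Warning 'No ECDHE_RSA GCM suite would remain; RSA-certificate hosts need one before CBC is removed.'
}

foreach ($name in ($cbc + $noPfs)) {
    if ($Apply) {
        # Disable-TlsCipherSuite edits the Schannel cipher-suite order for this machine.
        Disable-TlsCipherSuite -Name $name
        "  disabled      $name"
    } else {
        "  would disable $name (re-run with -Apply)"
    }
}
```

Re-run Get-TlsCipherSuite afterwards and test against the peers that matter before treating the change as done, since the list is global to the machine, not per site.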
2023-03-19