Taxes, Revolut, Mixcloud, Saltpack, IPv6, Teams, Adobe, Feneas

  • Just found out that the secure login process with the Finnish Tax Authorities uses HTTP. I've disabled HTTP completely, so the login failed. Only when I enabled HTTP did the login process start to work. It's kind of silly that high-security solutions require HTTP to work at all.
  • I've posted so much about the Revolut scam company and their hostile, user-scamming dark patterns. But today their totally incompetent IT & software development department made me laugh hard. Since when has "Pitäjänmäki" been "Pit J Nm Ki"? It's 2020 and you guys are totally clueless about UTF-8 / Unicode. Joy, thank you for making me smile for a while.
  • I've liked Mixcloud due to their nice HTML5 UI (with some small issues). But now they've made some upgrades, and on mobile clients the HTML5 UI is disabled and they say that you should install their app. - Just shove it, that app of yours!
  • Saltpack - Modern OpenPGP replacements? Hopefully something which is also simpler, both in technical implementation and to use. Saltpack is one interesting solution, which is pretty close to what I would personally prefer. The basic approach is almost perfect; I like it. Now digging into the spec (version 2). The usage of MessagePack slightly concerns me. Those are exactly the kinds of things which could allow crafting packets that exploit some vulnerability in the software. That's why a method as simple as possible is preferred, with, of course, solid cryptography. Uuh, BaseX. Sure, it's nice to avoid special characters, because nowadays there are broken apps which mangle our data if they encounter specific character sequences. I like many of the considerations they've made.
  • On some Windows environments "Core Networking - Teredo" is enabled by default, and it allows global ICMPv6 ping. Not a big problem, but it might still be an undesired feature.
  • Today I found yet another application which completely crashes with an uncaught stack trace in case the user has IPv6 enabled. Keep up the "quality" and "up to date" software. Great job, guys! Disabling IPv6 fixed this. (Yeah, I know, not the right way forward, but it worked immediately.) The local ISP also assigns IPv6 ULAs to all devices via DHCPv6, which is quite an interesting approach.
  • Can't come up with words which describe the insecurity, bad design, user experience and time wasted with Microsoft Teams. - Mental energy, time, life and money literally wasted. - Bad APIs, bad UI, bad UX, UI lag, security issues, data retention, etc. - Anti-productivity tools, or loss-of-productivity tools. - After this, I'll never start Teams again. I guess they have spent a lot of time optimizing the user suffering, because it's hard to come up with something that bad by accident.
  • Adobe ban in Venezuela. Well, just one example. But this is exactly what I mean: you shouldn't, and you can't, trust cloud services. You can't control them. And if you use cloud systems, or if you build your stuff on vendor-locked-in stuff, you're out of luck. So, don't make that mistake. Don't use proprietary formats and APIs etc. Those are just a trap to ruin you in several ways. This has happened before and will happen again in the future. In that way, no news here. If you're surprised, then you didn't do your homework. This is also why you should back up all your cloud data. And obviously not in a way where the same provider claims they've got backups. I've seen some vendors trying to scam their customers with that stuff.
  • Checked out https://feneas.org, interesting Finnish services provided by small organizations, offering some basic secure comm tools.
  • Something different: Schneier says it well. Not an exact quote: "Security is hard, really hard, basically impossible." Read the blog post: Supply-Chain Security and Trust.
  • Honestly, the software is so bad. It's like the golden engineering rule: let's make our users suffer. But how badly can we do it before someone is going to blame us for intentional sabotage? And lots of evil laughter. Also, intentionally leaving out many essential keyboard shortcuts for no reason seems like an intentional action to annoy users.
  • Listened to several security shows and Darknet Diaries. Also read about LIDAR-based submarine detection from orbiting satellites. Phew.
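The "Pitäjänmäki" to "Pit J Nm Ki" item above is a recognisable bug pattern, so here is an added example (my own code, not anything from Revolut or the original post) that reproduces it and shows two sane alternatives. The assumption in `mangle_ascii_only` is that the name was run through an ASCII-only "word character" filter and then title-cased; that is a guess at the mechanism, not a known fact about their pipeline. The sample input is the district name quoted in the post.

```python
import re
import unicodedata

# Constructed sample input: the Helsinki district name quoted in the post.
SAMPLE = "Pitäjänmäki"


def mangle_ascii_only(s: str) -> str:
    """Reproduces the observed output. ASSUMPTION: every byte outside
    ASCII letters/digits is treated as a word separator, then each
    remaining 'word' is title-cased. 'ä' is not in [A-Za-z0-9], so the
    three 'ä's become spaces and the fragments get capitalised."""
    fragments = re.sub(r"[^A-Za-z0-9]+", " ", s)
    return fragments.title()


def fold_to_ascii(s: str) -> str:
    """Lossy but sane fallback when a backend really cannot store
    non-ASCII: decompose (NFKD) so 'ä' becomes 'a' + U+0308, then drop
    the combining marks and keep the base letters."""
    decomposed = unicodedata.normalize("NFKD", s)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def normalize_name(s: str) -> str:
    """What a Unicode-aware system should do: NFC-normalise and keep the
    letters as they are. str.title() handles 'ä' correctly on its own;
    the mangling only happens when non-ASCII is stripped beforehand."""
    return unicodedata.normalize("NFC", s).title()


def safe_for_ascii_backend(s: str) -> bool:
    """Caveat check: NFKD folding only helps for letters that decompose
    into base + mark. 'ø', 'ß' and many scripts do not, so a fold can
    still leave non-ASCII behind. Returns False when that happens."""
    return fold_to_ascii(s).isascii()


if __name__ == "__main__":
    print(mangle_ascii_only(SAMPLE))     # the buggy output seen in the post
    print(fold_to_ascii(SAMPLE))         # lossy ASCII fallback
    print(normalize_name(SAMPLE))        # correct handling
    print(safe_for_ascii_backend("Ørsted"))
```

The takeaway is that the visible symptom (capital letters in the middle of a word) is a fingerprint of "strip non-ASCII, then title-case"; if an ASCII-only store is unavoidable, fold with NFKD and check that the fold was actually lossless for the script in question.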
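On the Saltpack item above, the worry about MessagePack is concretely about self-describing length and count fields: a decoder that trusts them reads past the buffer (in C) or silently returns short data (in Python), and a decoder that pre-allocates from a declared count can be made to allocate huge containers. As an added example (my own code, not Saltpack's and not any MessagePack library), here is a strict decoder for a small MessagePack subset that checks every declared length and the nesting depth before touching the buffer, next to the naive read that trusts the length field. The depth and item limits are assumptions chosen for illustration, and all packets are constructed by hand.

```python
import struct

# ASSUMPTION: illustrative limits, not values from the Saltpack spec.
MAX_DEPTH = 8       # nesting limit for arrays
MAX_ITEMS = 1024    # cap on a declared container size


class MalformedPacket(ValueError):
    """Raised for any length, count, depth or encoding inconsistency."""


def _need(buf: bytes, off: int, n: int) -> None:
    """Refuse to proceed unless n more bytes really exist at off."""
    if n < 0 or off + n > len(buf):
        raise MalformedPacket(
            f"declared {n} bytes at offset {off}, only {len(buf) - off} present")


def _utf8(raw: bytes) -> str:
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError as e:
        raise MalformedPacket(f"invalid UTF-8 in str: {e}") from None


def decode(buf: bytes, off: int = 0, depth: int = 0):
    """Strict decoder for a MessagePack subset (fixint, nil, bool, fixstr,
    str 8, bin 8, bin 16, fixarray, array 16). Returns (value, new_offset).
    Every declared size is validated against the real buffer before any
    slice, and recursion depth is bounded."""
    if depth > MAX_DEPTH:
        raise MalformedPacket("nesting too deep")
    _need(buf, off, 1)
    b = buf[off]
    off += 1
    if b <= 0x7F:                          # positive fixint
        return b, off
    if b == 0xC0:
        return None, off
    if b == 0xC2:
        return False, off
    if b == 0xC3:
        return True, off
    if 0xA0 <= b <= 0xBF:                  # fixstr, length in low 5 bits
        n = b & 0x1F
        _need(buf, off, n)
        return _utf8(buf[off:off + n]), off + n
    if b == 0xD9:                          # str 8: 1-byte length
        _need(buf, off, 1)
        n = buf[off]
        off += 1
        _need(buf, off, n)
        return _utf8(buf[off:off + n]), off + n
    if b == 0xC4:                          # bin 8: 1-byte length
        _need(buf, off, 1)
        n = buf[off]
        off += 1
        _need(buf, off, n)
        return bytes(buf[off:off + n]), off + n
    if b == 0xC5:                          # bin 16: big-endian 2-byte length
        _need(buf, off, 2)
        (n,) = struct.unpack_from(">H", buf, off)
        off += 2
        _need(buf, off, n)
        return bytes(buf[off:off + n]), off + n
    if 0x90 <= b <= 0x9F or b == 0xDC:     # fixarray / array 16
        if b == 0xDC:
            _need(buf, off, 2)
            (count,) = struct.unpack_from(">H", buf, off)
            off += 2
        else:
            count = b & 0x0F
        if count > MAX_ITEMS:              # reject before allocating anything
            raise MalformedPacket(f"array count {count} exceeds {MAX_ITEMS}")
        items = []
        for _ in range(count):
            item, off = decode(buf, off, depth + 1)
            items.append(item)
        return items, off
    raise MalformedPacket(f"unsupported type byte 0x{b:02x}")


def decode_message(buf: bytes):
    """Decode exactly one top-level value; trailing bytes are an error."""
    value, end = decode(buf)
    if end != len(buf):
        raise MalformedPacket(f"{len(buf) - end} trailing bytes")
    return value


def is_malformed(buf: bytes) -> bool:
    try:
        decode_message(buf)
        return False
    except MalformedPacket:
        return True


def naive_read_bin8(buf: bytes) -> bytes:
    """The unsafe version: trusts the declared length. Python slicing just
    returns fewer bytes; in C the same code is an out-of-bounds read."""
    n = buf[1]
    return buf[2:2 + n]


# Constructed packets (hand-encoded, not captured traffic):
GOOD = b"\x93" + b"\xa5hello" + b"\xc4\x03\x01\x02\x03" + b"\x2a"  # ["hello", b"\x01\x02\x03", 42]
BAD_LEN = b"\xc4\xff" + b"\x01\x02\x03"      # bin 8 claims 255 bytes, carries 3
BAD_DEPTH = b"\x91" * 20 + b"\xc0"           # 20 nested single-element arrays
BAD_COUNT = b"\xdc\xff\xff"                  # array 16 claiming 65535 elements
```

`decode_message(GOOD)` yields the three-element list, while `decode_message(BAD_LEN)` raises and `naive_read_bin8(BAD_LEN)` quietly returns three bytes that a caller expecting 255 (say, a MAC or a nonce) would then use. The important design point is that every check happens before the slice or the allocation, and that the top level also rejects trailing bytes, so a packet cannot smuggle data past the parser.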

2020-10-04