Testing, Security Now, GDPR, DDoS

  • I'm reading one very good software testing blog. Today they wrote about testing and what's sane to test. Yes, for many environments, it's not sane to do complete testing, and fully automated recovery, etc. In many cases it's enough, that the software stops working in sane way, and requires someone to take a look at it. That's the model I'm quite often using. Just make sure, that if it's broken, it stops working, in predictable way. That's good enough.
  • Had a Security Now catch up marathon, while doing basic server maintenance. It allows me to pause the show, whenever there's something interesting and listening the interesting parts when I'm not doing anything too demanding / serious. Yet server maintenance usually requires full focus, especially if doing critical stuff. Then of course I'm not listening anything in background.
  • Read long article about Air-Breathing Electric Thruster from ESA - This is totally awesome technology, which would allow very low orbit satellites to fly for long times and compensating the air drag buy using the air itself for propulsion. Somehow I ended up reading about Bussard ramjet. Interesting.
  • GDPR – A Practical Guide For Developers - Let's see if there's anything to comment about this article. Forget me, is obvious, any site should have it anyway. GDPR or not. Notify 3rd parties, hah, that's also obvious. But I can't even say how often it's omitted. Let's say that cases where it has been covered are usually very rare. Nobody seems to care about this aspect at all. Restrict processing, nobody ever cares about that. Export data is very rarely covered. In most of cases it's generated as bunch of screenshots. Allow users to edit their profile, nope. This is also extremely rare. Of course the data can be changed via request to change it, but letting users directly to do it, isn't going to happen. Consent check boxes, usually there's only one, which is marketing or something like that. See all my data, nope. Just as mentioned, it's like the export. Data is available as screenshots, or in some extremely rare cases as export. Keeping data for no longer than necessary. I'm almost laughing, isn't it totally normal that everything you've ever gotten your hands on, is kept forever. Disk space is so cheap, there's no need to ever delete anything. Encrypt in transit, yep, good idea. Done sometimes, no, not nearly always. Encrypt the data at rest. Ahh, extremely rare. Backups, obvious yeah sure. But not for everyone. Most of people / organisations doesn't seem to care about backups too much. Protect data integrity and log access to personal data, well well. Data access logging, access control, ACLs, is highly varying.The only fact is that most of organisations don't care about that too much either. In many cases, there's some rather easy way to work around the access controls totally, if you just want to do it. Classic armed guards on front door and blah blah. But if you turn up as floor cleaner at backdoor someone lets you in the building anyway. Yet, I'm talking about similar technical approach, not as social engineering approach. Yet those combined, are slam dunk. About API consumers, well, that's at least obvious. - Summary, nothing new, with all the usual cracks.
  • More obvious GDPR stuff: Collect information only for specific purpose. Announce what the data is being used and who's handling it. Limit data life cycle and prune old data. Remember that some data is required by law to be maintained on some specific period, like bookkeeping and telecom information, etc. Manage Personally Identifying Information (PII) in secure manner. Only store relevant information. Remember that GDPR handling must also be considered when archiving and backing up information. Remember to inform authorities and subjects about data related incidents in 72 hours. And more obvious stuff, like be careful about phishing etc. - Privacy By Design aspect.
  • Now 1.7 Tbit/s DDoS attacks are here. I guess many sites get blow out with that kind of traffic. Especially if they haven't done any (serious) preparations to mitigate the traffic.

2019-07-07