WebSockets, Infosec, VPN, Windows, Identity and Trust

  • Lot of work with WebSockets & EventHandling, etc. WebSockets are quite handy for many kind of messaging, especially for sending trigger information. Just as Google App Engine old Channels worked.
  • About AlphaBay and Hansa. So many infosec and opsec security fails, ouch! Leaving laptop unlocked, not using completely separated compartmentalized identities. Allowing others to takeover and run your site. "Forcing" users to use compromised system. Not circulating identities (discarding and creating new ones). Not using unique random passwords / Using shared password (!).
  • Yet more amazing Windows problems. Does anyone know why, oh why. Task scheduler launches process (running) and visible in process list. But then process immediately freezes and stays hanged. Why? I've tried this with Python programs, with exes, and even with cmd and ps1 scripts with only put timestamp in file. All of these start, but hang. Nobody seems to know why. What is the key resource which causes Windows to suck like this? Btw. All of the scripts and programs work perfectly when run from logged in user session. So maddeningly enraging. Next step, Sysinternals process monitor tools. Sigh. It's not going to be quick or easy. But we will find the reason because we have to. Also the hanged tasks consume only one quarter of the memory of the working tasks. So that also indicates what I assumed from the earlier tests, that the hang happens in really early phase.

Bunch of random thoughts about identity and Trust

MitM proxy, active network traffic redirection and modification. - In the cases you've presented the sites fingerprint will get changed and it's not valid anymore.

If I know you, I want to meet "you", exactly you. Whom I know. Not someone who got a 'valid' identity document from any of the identity issuers globally. - Which is the current https certificate problem.

Ok, in last decades the ID papers have gotten much better. But you should have seen what kid of identity documents some countries used to issue.

Outsourced identity is that I've go a paper with photo, stamp and it says you're Peter Quill. Issued by Zambian Police department.

That's one of the reasons why many organizations do not actually use the official identity documents and or channels. They do use their own solutions, because those are potentially more secure. - Official channels are kind of secure, but there are also well known ways how to work around those, if required.

It's just like the VPN company X will provide you anonymity discussion. They'll do it to certain degree, but when you go over certain threshold, it suddenly goes way. And the VPN becomes totally transparent to the surveillance, even if might not have been that earlier at least in bulk data collection sense.

Trust is complex is very complex issue. And even if technical trust would be absolutely perfect, you still can't trust the people being trusted. - At least ways.

I just hope banking systems won't completely trust that checking the banks domain certificate being valid is enough. Especially when walking about intra bank networking. But who knows, maybe all the RESTful times have already changed that, as well as the PSD2. And that's what they're actually doing.

History has proven that it's a bad idea. But maybe it's just the future.

It would be awesome to read that someone got the valid bank.of.america certificate and was able to make a few API calls and get a billion.

"Any authority that has been installed on your browser should be safe." - Safe, safe to what degree is always the question.

Also the official online identity systems are safe to certain degree. And should be safe and enough. I just wonder why it's actually not being used more.

At least it's more safe than something utterly stupid, like password recovery using email alone.

Maybe and hopefully PSD2 will bring pretty safe online authentication to wider use.

"With a VPN you have a much more secure connection, with the VPN server verifying who you are, as well as you verifying who they are. Much more secure." - Yes, this in case of private direct VPN. But most of VPN providers are lobbying for generic VPN, which is terminated well before reaching the final destination. Which is a pretty big fail.

Yet, SSH / HTTPS (especially with client certificates) should be just as good as VPN. - Especially if specific key is required, not trusting the certificate authorities.

2018-10-07