Tuesday, November 24, 2015

Another nail in the coffin

of PKI as we know it. Dell has introduced a huge security hole in its devices.

More complete coverage, together with remedies, can be found here.

Wednesday, November 4, 2015

Invest in your own security first

Iboss Cybersecurity raised $35 million from Goldman Sachs' Private Capital Investing group, the article tells us.

At the same time Goldman Sachs has deployed an SSH/SFTP server for its corporate operations and has built it on an outdated version of an open-source SSH server library. Moreover, they have implemented the server badly, in a way that is incompatible with the vast majority of SSH client implementations. They have probably saved a couple of thousand by choosing an in-house (or, maybe even worse, outsourced to overseas junior developer assistants) implementation based on outdated open-source code, instead of paying for a supported commercial solution without such nasty bugs. At the same time they have found $35 million to invest in some third-party something. Good job, security boys.

Thursday, October 22, 2015

On hitting nails with a microscope

The newly published RFC introduces probably the most contradictory extension and is by itself one of the most meaningless RFCs adopted in the last 20 years.

The address of the RFC is https://www.rfc-editor.org/rfc/rfc7685.txt and it defines the padding extension, whose only function is to insert some zero bytes into the ClientHello message of the TLS protocol. What's the purpose, you might ask? The purpose is to work around bugs in some implementation(s) that is/are confused by certain lengths of the ClientHello message.

You've got it right. Instead of fixing the bugs (or pushing the developers to fix the bugs), they invent extensions that make other developers complicate their software with those extensions in order to work around the bugs.
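To see what the extension actually does on the wire, here is an added example (not code from the RFC or from any TLS library) that appends the RFC 7685 padding extension (IANA extension type 21) to a constructed ClientHello, following the rule worked through in section 4 of the RFC: a ClientHello record payload of 256..511 bytes is padded up to 512 bytes. The sample ClientHello contents, and the choice to always send at least one zero byte of padding data (so that 508..511-byte hellos overshoot 512 slightly), are assumptions of this example.

```python
import struct

PADDING_EXTENSION_TYPE = 21   # IANA value for the RFC 7685 "padding" extension
HANDSHAKE_HEADER_LEN = 4      # msg_type(1) + length(3)
EXTENSION_HEADER_LEN = 4      # extension_type(2) + extension_data length(2)

def padding_data_len(record_payload_len: int) -> int:
    """Number of zero bytes the padding extension should carry so that a
    ClientHello record payload of record_payload_len bytes (handshake header +
    body, no padding yet) ends up at 512 bytes; 0 means no padding is needed."""
    if not 256 <= record_payload_len <= 511:   # RFC 7685 sec. 4 trigger range
        return 0
    missing = 512 - record_payload_len
    if missing >= EXTENSION_HEADER_LEN + 1:
        return missing - EXTENSION_HEADER_LEN
    # Assumption: always send at least one data byte, so hellos of 508..511
    # bytes overshoot 512 slightly instead of hitting it exactly.
    return 1

def pad_client_hello(body: bytes) -> bytes:
    """Append an RFC 7685 padding extension to a ClientHello body (handshake
    header excluded) that already carries an extensions block."""
    pos = 2 + 32                                          # client_version + random
    pos += 1 + body[pos]                                  # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + body[pos]                                  # compression_methods
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    if pos + 2 + ext_len != len(body):
        raise ValueError("malformed ClientHello extensions block")
    n = padding_data_len(HANDSHAKE_HEADER_LEN + len(body))
    if n == 0:
        return body
    ext = struct.pack("!HH", PADDING_EXTENSION_TYPE, n) + b"\x00" * n
    return body[:pos] + struct.pack("!H", ext_len + len(ext)) + body[pos + 2:] + ext

def sample_client_hello(num_cipher_suites: int) -> bytes:
    """Constructed ClientHello body: TLS 1.2, all-zero random, empty session id,
    num_cipher_suites dummy suite ids, null compression and one SNI extension."""
    suites = b"".join(struct.pack("!H", 0xC000 + i) for i in range(num_cipher_suites))
    host = b"example.test"
    sni = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host
    sni_ext = struct.pack("!HH", 0, len(sni)) + sni            # type 0 = server_name
    return (b"\x03\x03" + bytes(32) + b"\x00"
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"
            + struct.pack("!H", len(sni_ext)) + sni_ext)
```

With 100 dummy cipher suites the sample hello is a 266-byte record payload and comes out at exactly 512 bytes after padding; with 50 suites it is left untouched.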

Tolerance towards people of a different race/origin/group is acceptable. Tolerance to bugs is unacceptable. Tolerance to idiocy is not acceptable either.

Saturday, October 10, 2015

On reinventing the wheel

Google did it again, and there's a kind of hype around this new wheel.

Protocol Buffers are a somewhat simplified form of the ASN.1 notation, which has been in use for decades. They even mention BER (Basic Encoding Rules, a form of ASN.1) but hide the "ASN" name.

This is what happens when imported eastern developers are writers and not readers.

Sometimes I feel pity that standards and protocols are not patented. One should prosecute those "reinventors" for plagiarism (taking an industry-adopted standard, hiding its name and claiming it as a new protocol or something).

Tuesday, August 18, 2015

On how not to do things right

Recently one of the users of our SecureBlackbox product reported that the SMTP client component can't log in to GMail, with a strange message: "Someone just tried to sign in to your Google Account [my email] from an app that doesn't meet modern security standards".

The message itself doesn't make much sense, as it neither explains the problem ("doesn't meet standards" is not an explanation) nor suggests a solution.

A forum search took me to an answer in the Google knowledge base, which doesn't add much to the error message's explanation either. While it offers a partial solution for the owner of the mailbox, it does not explain what exactly happens.

Finally another forum post led me to what could be an explanation, although it's only a hint. It turns out that Google has implemented OAuth2 in protocols like SMTP and IMAP. And here lies a huge problem.

OAuth2 is a web-based protocol which in many cases involves a web browser and user interaction. This makes fully automated operations nearly impossible and also significantly complicates the implementation of any client.

There exist plenty of authentication schemes which prevent password transfer and/or allow third-party servers to be used for authentication. Google seems to have chosen the least appropriate variant instead.

Google is known for non-standard technical and business solutions, and they mostly work for the users' and Google's own benefit. But some solutions seem not just untested, but unable to pass any sanity check.