The tools that I’m using #4

Written on 8 September 2018, 01:10pm


It’s time for a new post about the tools that I’m using. See previous editions:
2013
2014
2016

As usual, most of the applications are still there, but there are some changes. More importantly, I merged Productivity and Work into a single section since I no longer see a good reason to separate them.

Productivity and work

  1. Chrome
  2. Dropbox
  3. f.lux
  4. Logitech SetPoint
  5. Sublime Text
  6. Total Commander
  7. + LastPass
  8. + Workflowy
  9. + Pocket
  10. + BitVise
  11. + WizzMouse
  12. + Ditto
  13. + Freedome VPN

Gone are the anti-virus/anti-malware apps (Avast, MalwareBytes), along with KeyTweak (I got a new notebook and I no longer need to tweak the keys). Also gone are Beyond Compare (even though I’m still using it from time to time) and OneNote, replaced by Workflowy (Google Keep is currently under evaluation).
f.lux is on the borderline – still there, but I don’t know for how long.
New entries: WizzMouse, because it makes your mouse wheel work on the window currently under the mouse pointer instead of the currently focused window. Workflowy because of its brilliant simplicity, and LastPass + Pocket because I forgot to add them 3 years ago. BitVise – because it’s much better than PuTTY + WinSCP combined. And finally Ditto, a clipboard manager. Clear privacy issues, since it stores your clipboard forever, but it saved me a few times.
Speaking of privacy – Freedome VPN is now in the list, since you can no longer not have a VPN nowadays…

Entertainment

  1. Netflix
  2. FastStone Editor
  3. WebShots
  4. + Photolemur

VLC and FastPictureViewer are gone, Photolemur is a new entry. And WebShots is still awesome!

TLS Training London – day 1

Written on 6 September 2018, 08:55pm


Some notes after the first day of the TLS training session with Scott Helme.

——

  • the core protocols powering the Internet were not designed with security in mind
  • you pwn the cookie, you pwn the user
  • the server should not encrypt the cookie contents, because there is nothing to hide from the browser
  • the submarine cable map is amazing, but the landing sites are possible points of failure when it comes to your privacy
  • we’ve reached the HTTPS tipping point – meaning that more than 50% of the Internet traffic is encrypted, but 90% of the sites are still on plain, old HTTP
  • the goal of encryption: to encrypt the data for just as long as it’s needed
  • when checking into a hotel, we would rather not have running water than not have wi-fi 🙂
  • SSL was initially Netscape’s baby, but it was renamed to TLS under pressure from Microsoft
  • TLS 1.3 was officially adopted as a standard, and it comes with major performance improvements as well as mandatory forward secrecy. But it will take a couple of years until it is implemented at large scale by the hardware manufacturers
  • TLS 1.3 should really have been named TLS 2.0, if it were not for some poorly coded but widely used hardware
  • the significant impact of the Snowden revelations on how people look at their privacy and web security becomes more and more clear (example: Lavabit and forward secrecy)
  • the recommended lifespan of a certificate is about 12 months
  • common domain validation methods: email challenge, DNS text record or a random HTTP path
  • client clock skew: you can change your device time to cheat at Candy Crush, but this can lead to HTTPS certificates appearing invalid on your device only
  • if you are a big organisation, you had better have a backup CA (or at least one that is ready to issue a new certificate in a matter of minutes, not days)
  • cipher suite format: TLS_KX_AUTH_CIPHER_HASH.
    • Key Exchange (KX): just use ECDHE, or DHE if ECDHE is not supported. But never use RSA key exchange, because it lacks forward secrecy
    • Authentication: RSA is still good enough
    • Symmetric key encryption (used because it’s faster than asymmetric): AES 128 is good enough; AES 256 better but slower
  • sometimes good security practices are followed not because of the security advantages, but because of the performance improvements (example: ChaCha20)
  • don’t create a system that relies on the human factor for security (e.g. don’t ask the regular user to type https:// in their browser)
  • good: HTTPS, better: HTTPS + HSTS, best: HTTPS + HSTS + preload. But having all the browsers load a static list of websites is not a scalable solution
  • BTW – seeing my own domain in the source code of all the modern browsers used by billions of people is cool: transport_security_state_static.json (warning – 6 MB file!)
  • HSTS is a one-way street: you can’t easily go back from HTTPS to HTTP
  • people are terrified about changing the cookies standards / specifications
  • it looks like attackers can overwrite your cookies even when using Secure cookies over HTTPS. Cookie prefixes are a dirty but effective solution: you just need to add __Secure- to the cookie name:

Set-Cookie: __Secure-ID=123; Secure; Domain=example.com
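The cipher suite layout from the notes above, as an added example that is not material from the training: it parses suite names into their components and applies the key-exchange guidance (ECDHE first, DHE as fallback, RSA key exchange never). It also handles TLS 1.3 names, which carry no key-exchange or authentication field because the exchange is always ephemeral.

```python
"""Classify cipher suite names by the TLS_KX_AUTH_CIPHER_HASH layout from the notes
and apply the key-exchange guidance. Added example, not material from the training."""
import re

# Ephemeral Diffie-Hellman key exchanges are the ones that give forward secrecy
FORWARD_SECRET_KX = {"ECDHE", "DHE"}

# TLS 1.2-style names: TLS_<kx>[_<auth>]_WITH_<cipher>_<hash>; a bare TLS_RSA_...
# means RSA is used for both key transport and authentication
TLS12 = re.compile(r"^TLS_(ECDHE|DHE|RSA)(?:_(RSA|ECDSA))?_WITH_(.+)_(SHA\d*)$")
# TLS 1.3 names carry only the AEAD cipher and hash: key exchange is always (EC)DHE
TLS13 = re.compile(r"^TLS_(AES_\d+_GCM|AES_\d+_CCM|CHACHA20_POLY1305)_(SHA\d+)$")


def parse_suite(name):
    """Split a suite name into kx / auth / cipher / hash and flag forward secrecy."""
    m = TLS13.match(name)
    if m:
        cipher, hash_ = m.groups()
        # auth is None: in TLS 1.3 the signature algorithm is negotiated separately
        return {"kx": "(EC)DHE", "auth": None, "cipher": cipher,
                "hash": hash_, "forward_secrecy": True}
    m = TLS12.match(name)
    if not m:
        raise ValueError(f"unrecognised cipher suite name: {name}")
    kx, auth, cipher, hash_ = m.groups()
    return {"kx": kx, "auth": auth or kx, "cipher": cipher, "hash": hash_,
            "forward_secrecy": kx in FORWARD_SECRET_KX}


def verdict(name):
    """Rate a suite the way the notes do: ECDHE first, DHE as fallback, RSA kx never."""
    suite = parse_suite(name)
    if not suite["forward_secrecy"]:
        return "reject: RSA key exchange has no forward secrecy"
    if suite["kx"] == "DHE":
        return "acceptable: DHE, prefer ECDHE when the peer supports it"
    if suite["cipher"].startswith("AES_256"):
        return "good: AES-256 (stronger but slower than AES-128)"
    return "good"


if __name__ == "__main__":
    # Constructed sample list, the kind of thing a scanner reports for a server
    for n in ["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
              "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
              "TLS_RSA_WITH_AES_256_CBC_SHA",
              "TLS_AES_128_GCM_SHA256"]:
        print(f"{n:45} {verdict(n)}")
```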
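The __Secure- prefix rule as a browser applies it, as an added example that is not from the training: the header above is stored when it arrives over HTTPS, the same header arriving over plain HTTP or without the Secure attribute is dropped, while a cookie without the prefix is still stored from anywhere. The rules follow RFC 6265bis, and the stricter __Host- prefix is included as the sibling rule.

```python
"""Browser-side acceptance check for prefixed cookies (RFC 6265bis cookie prefixes).
Added example, not from the training."""
from urllib.parse import urlsplit


def parse_set_cookie(header):
    """Split a Set-Cookie line into (name, value, {attribute: value})."""
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # flag attributes map to ""
    return name.strip(), value.strip(), attrs


def cookie_accepted(header, origin):
    """Return (accepted, reason) as a prefix-aware browser would decide it."""
    name, _, attrs = parse_set_cookie(header)
    secure_origin = urlsplit(origin).scheme == "https"
    prefixed = name.startswith("__Secure-") or name.startswith("__Host-")
    if prefixed and "secure" not in attrs:
        return False, "prefixed cookie lacks the Secure attribute"
    if prefixed and not secure_origin:
        return False, "prefixed cookie set from an insecure origin"
    if name.startswith("__Host-"):
        # __Host- additionally pins the cookie to exactly this host and path /
        if "domain" in attrs:
            return False, "__Host- cookie must not carry a Domain attribute"
        if attrs.get("path") != "/":
            return False, "__Host- cookie must have Path=/"
    return True, "stored"


if __name__ == "__main__":
    # The header from the notes, plus constructed variants arriving over plain HTTP
    # or without the Secure flag; only the first one is stored
    cases = [
        ("Set-Cookie: __Secure-ID=123; Secure; Domain=example.com", "https://example.com/"),
        ("Set-Cookie: __Secure-ID=123; Secure; Domain=example.com", "http://example.com/"),
        ("Set-Cookie: __Secure-ID=123; Domain=example.com", "https://example.com/"),
        ("Set-Cookie: ID=123; Domain=example.com", "http://example.com/"),
    ]
    for header, origin in cases:
        print(origin, header, "->", cookie_accepted(header, origin))
```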

Tesla road trip through Europe

Written on 1 September 2018, 11:53am


Here are a few notes on the road trip I recently took through Central Europe with my Tesla Model S 75D.

The route along with the superchargers data points

The trip segments

  • The Tesla Supercharger infrastructure is ready to support road trips through Central Europe (Belgium, Netherlands, Germany, Austria, Italy, Switzerland, France, Luxembourg)
  • Free supercharging is awesome 🙂
  • In order to avoid waiting times to pay road tolls, I highly recommend alternatives like this
  • Trip segments longer than 2-2.5 hours are really difficult to manage for families with kids, which makes it perfect for stopping and re-charging
  • The Supercharger locations are really nice. Ranging from nice hotels to commercial centers, they completely change your long trip experience (no more crowded and dirty toilets in gas stations)
  • Supercharging is really fast. It happened several times that the car had to charge more than needed to continue because we were not ready
  • The Superchargers are conveniently located along the highway. 5 to 10 minutes is the average detour
  • The Superchargers are not clearly marked, and that’s one of the few annoying bits. The Tesla navigation brings you in front of the hotel / commercial center, but I only saw indication panels at a few locations. Maybe it’s on purpose, to avoid non-EVs occupying the space?
  • Still on negative points: the Arlon supercharger was marked as ‘Reduced capacity’, making it unclear if I should use it or not. Fortunately a phone call to the hotel cleared things up
  • Charging your car on top of the Grossglockner road is awesome
  • Seeing your range increase when you come down the mountain is satisfying
  • The luggage load does not have a big impact on the autonomy. But going 170km/h in Germany certainly does 😀

Charging at 2369 meters, on top of the road offering a view to the spectacular Grossglockner peak

After coming down the mountain – negative consumption for 42 kilometers!

Overall, I was really impressed with the trip. I had to spend more time planning, but I enjoyed a completely changed road trip experience, with smooth and silent driving and no range anxiety.
The future of transportation is here, and I am happy to be part of it!

Tuscany sunset

PS: In case you plan to order a Tesla, you can use my referral code … 

8 December 2018: scratch that. I cannot recommend buying a Tesla. Not for the moment at least.