Posts

Showing posts from December, 2019

Win2012R2, IIS 8.5 and logging client crypto settings

All major browsers will disable TLS 1.0/1.1 support next spring, many of them in Q1/2020. SSL Server Test by SSL Labs will start to cap the rating to B if the server offers TLS 1.0/1.1. So these are the last months to start deprecating those settings and verify that all crypto-related configs are in good condition. Really easy to do with Apache and nginx. Not so easy to do with IIS. Well, it is quite easy, if you are really familiar with editing the registry (or have enough Google-fu in your back pocket). I contacted one project manager about this so he could ask the customer if it's okay that we'll disable TLS 1.0/1.1. *sigh* I should have just disabled it and not told anyone, but I usually try to play by the book. ;) "But based on the data, there will be many percent of users who can't access that site anymore!" Yes, globally. This is a national service, not used by many global users, I suppose. And I really think that situation in Finland is much better ...

Devops and password tests

"Umm... could you test logging in to X and see if it works the same for you as it worked for me? I'm a bit confused right now." Tried to log in with my own account and with the admin account. Worked just fine. "No no no. Correct login works. But if you input a password with x spaces, how does it work then?" Tried my own account + one space as the password. Then with two. Then tried my colleague's account with various numbers of spaces. And then switched to testing with various admin accounts. No, it shouldn't work like this. If the password was empty, we got the normal reply that the login failed, or if the password was actually wrong. But with only one or more spaces in the password field we got in. No matter what the account was. My colleague created a ticket with the manufacturer, because we still weren't sure if this was due to misconfiguration or something else. Things started to escalate quite rapidly. And not long after they had asked some mor...

Win 10 and audio recording issues

As I wrote, this blog will also cover other computer things than just plain security. And this is now one of those occasions, even before the actual content is produced. Did I already mention that life's weird? So. I was going through my photo collection about a month ago. I found a photo of a band where my friends played and I did sound for them. The year was 1999 or 2000. Those were the days... I sent the photo to the band and they were thrilled. One person asked if someone still had the recording of one particular gig. No one did. *sigh* Yesterday my wife and I were cleaning our basement, and there was one box filled with C-cassettes. One cassette had a paper sheet with the magic words. So if the paper really described what the cassette included, this was just that gig! I started calling my friends to ask if someone might still have a cassette player in working condition. And now I'm recording the cassette to my computer, and it really was the correct one. Weird timing! If I...

Life is weird

I have been thinking about writing a "professional" blog for several years. Every now and then this topic pops up when I'm talking with one of my friends. But every time I have also said that I don't have time, or enough things to share. At least not yet. I had also spoken with him about how Pohjanmaa is not a very good location for a security professional. Every security-related meeting and event is so far from here that you seldom have a chance to attend them. And now we have the CitySec movement, and HelSec + TurkuSec events etc., which I can't attend because they are so far from here. *sigh* His reply was quite short: "Why don't you start a local CitySec group there?" The idea was interesting, but I just didn't have enough time to do anything about it. About a month later my boss asked me to go to a local security-related meeting because he couldn't. There I met the two guys behind the then recently launched #häjysec (part of the CitySe...