armabiz's comments

armabiz | 10 years ago | on: Stop forcing arbitrary password rules

I would also add to this statement that this shouldn't be the user's problem, but the service's problem. By forcing users to set strange passwords, services transfer their problem of securing passwords onto users' shoulders.

Instead of following shitty password rules in forms, it's better to make it very hard or expensive to brute-force these passwords. So any heuristics to identify abnormal/dangerous activity and take an action that decreases the attacker's chances, like rate limiting/captchas and so on.

  * If you see one IP trying to log in with incorrect creds at a really high rate, then it's probably an attack.
  * If you see really lots of IPs trying to crack a specific user account at the same time, then it's probably an attack.

Instead of that I can see the opposite practice: services set draconian password policies, but just allow requests with incorrect credentials without any limits: "30req/sec? You're welcome, buddy! Need an API maybe?"

I suspect something like this happened before:

"It looks like a lot of work with rate limiting and all the stuff, let's just force our users to set 10+ character passwords with one+ capital letter, one+ number, one+ special character". Oh, and in these examples there is usually a cherry on the cake like:

  - Dev1: "Let's not allow 2 of the same character or 3 characters of the same type"
  - Dev2: "Let's also force our users to change their passwords every 3 months"
  - CEO: "Brilliant ideas! We're secure now!"

These surprises are up to every developer's/other infosec genius's imagination :)

So, my conclusion is that the best security systems should be almost invisible to normal users and leave attackers screaming.
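A defender-side sketch of the two heuristics in the comment above (one IP failing at a high rate; many IPs hitting one account), as an added example that is not part of the original comment. The log format, the sample lines and the thresholds are constructed assumptions; the flagged sets are what you would feed a rate limiter, captcha or step-up check.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log (assumption, not real data): time, source IP, account, outcome.
SAMPLE_LOG = """\
2015-10-13T10:00:00 203.0.113.5 alice FAIL
2015-10-13T10:00:01 203.0.113.5 alice FAIL
2015-10-13T10:00:01 203.0.113.5 bob FAIL
2015-10-13T10:00:02 203.0.113.5 carol FAIL
2015-10-13T10:00:03 203.0.113.5 erin FAIL
2015-10-13T10:00:10 198.51.100.1 victim FAIL
2015-10-13T10:00:11 198.51.100.2 victim FAIL
2015-10-13T10:00:12 198.51.100.3 victim FAIL
2015-10-13T10:00:13 198.51.100.4 victim FAIL
2015-10-13T10:00:14 198.51.100.5 victim FAIL
2015-10-13T10:05:00 192.0.2.9 alice FAIL
2015-10-13T10:05:30 192.0.2.9 alice OK
""".splitlines()

def parse(line):
    ts, ip, account, outcome = line.split()
    return datetime.fromisoformat(ts), ip, account, outcome

def detect(lines, window=timedelta(seconds=60), ip_fail_limit=5, account_ip_limit=4):
    """Sliding-window heuristics over failed logins (lines in time order; thresholds illustrative).
    One IP with >= ip_fail_limit failures inside `window` gets throttled (rate limit/captcha);
    one account failed from >= account_ip_limit distinct IPs gets protected (step-up/lock)."""
    fails_by_ip = defaultdict(deque)       # ip -> timestamps of failures still inside the window
    fails_by_account = defaultdict(deque)  # account -> (timestamp, ip) of failures inside the window
    alerts = {"throttle_ip": set(), "protect_account": set()}
    for line in lines:
        ts, ip, account, outcome = parse(line)
        if outcome != "FAIL":
            continue  # a success is not evidence of guessing; 192.0.2.9 trips neither rule
        q = fails_by_ip[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= ip_fail_limit:
            alerts["throttle_ip"].add(ip)
        a = fails_by_account[account]
        a.append((ts, ip))
        while ts - a[0][0] > window:
            a.popleft()
        if len({src for _, src in a}) >= account_ip_limit:
            alerts["protect_account"].add(account)
    return alerts
```

Note that the per-account rule still fires when each source IP stays under the per-IP limit, which is exactly the distributed case the second bullet describes.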

armabiz | 10 years ago | on: Wanna quit your job and become upwork freelancer? Do not do that

This is just one of those examples where an experienced freelancer will see an "avoid!" flag for this kind of client.

The truth is that places like oDesk/Upwork/anything else are just a big market. There are clients willing to hire low-rate developers and micromanage them, but at the same time there are clients who want to hire top talent from the marketplace to deal with complex tasks and get really top solutions.

Somehow I could find really interesting work in high-load startups with 4M visits/month, open source, or even Y Combinator startups with a good culture.

To be clear, during ~10 years of experience I was on both sides of the barricades: hiring developers/designers/marketers and being a software developer/freelancer myself.

So it's just experience that grew into a skill once you've had all that shit like non-paying/rude/time-wasting clients and got a feel for how to avoid that.

armabiz | 10 years ago | on: MH17 Report

Officially the Ukrainian govt calls the civil war happening in the country an "Anti-Terror Operation". To be clear, rebels occupy a territory of 15K square kilometers with a population of 4M people.

Closing the airspace would look like a sign of losing control over the situation in the country on the official govt's side.

So this looks not like "too busy with other things", but more like miserable politics.

armabiz | 10 years ago | on: StackStorm – IFTTT for Ops

It's not only about that: cleaning logs is just a simple example. The main big thing is the IF-Then-Else, and it's up to you to choose what you put after that IF.

Things like:

* Building fully automated and really complex CI/CD workflows from several tools

* Do something with your AWS or Rackspace clusters based on a monitoring event from New Relic, Sensu, Nagios

* Automatic node replacement in a cluster, migrating a MySQL master (sleep well!)

* Security automation, based on detecting erroneous events and automatically freezing the account/activity and then notifying a human about the incident

* Create a JIRA issue as part of a workflow, a kind of detailed report after some action has been done

* Listen for new events/changes in Trello/Kafka/GitHub/RabbitMQ/anything, even Twitter, and trigger an action

* Folks are even using it for smart home automation

* ChatOps thing: obtain info about your infrastructure from Chat or trigger your favorite CM tool: Puppet, Chef, Ansible, Salt.

Most probably anyone can imagine lots of use cases with their favorite DevOps tools and how to tie them together.

Moar automation, less routine!

armabiz | 10 years ago | on: StackStorm – IFTTT for Ops

Also Cisco, Rackspace.

But it should work well even for small startups/companies.

Owning infrastructure as code, where you can control everything and tie together monitoring/configuration management/issue creation/ChatOps/auto-remediation, is a really powerful thing.

armabiz | 10 years ago | on: Parsing HTML with regexes

I think the worst thing is to parse HTML with regexes.

I did research in the past related to this. The trick is that a big number of websites have broken HTML, which brings unexpected results when parsing with regexes.

The entire internet is a bit broken, and it's interesting that ALL browsers do more than the usual work, outside of the RFCs, to "fix it" and bring the content to the user without issues.
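A small illustration of the comment's point, added here rather than taken from the original comment: the link-extracting regex people usually reach for, next to Python's tolerant stdlib HTMLParser, run over a constructed snippet of the sloppy-but-browser-tolerated HTML the comment refers to. Note which link the regex does find.

```python
import re
from html.parser import HTMLParser

# Constructed snippet (assumption, not a real page) of the kind of sloppy HTML browsers tolerate:
# uppercase tags, unquoted and single-quoted attributes, an attribute before href,
# a missing closing tag, a commented-out link and a start tag split across lines.
SLOPPY_HTML = """
<div class=nav><A HREF=/home>Home</A>
<a title="about us" href="/about">About
<a href='/contact'>Contact</a>
<!-- <a href="/commented-out">old</a> -->
<p>Email <a href="/mail"
   target=_blank>us</a>
"""

# The pattern people usually reach for: works on the tidy HTML in the tutorial, not on the web.
LINK_RE = re.compile(r'<a href="([^"]*)">')

def links_by_regex(html):
    return LINK_RE.findall(html)

class LinkCollector(HTMLParser):
    """Collect href values with the stdlib tolerant parser (it lowercases tag and attribute
    names, accepts unquoted/single-quoted values, skips comments and spans newlines)."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.extend(value for name, value in attrs if name == "href")

def links_by_parser(html):
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    return collector.links

if __name__ == "__main__":
    print("regex :", links_by_regex(SLOPPY_HTML))   # only the commented-out link, the one you did not want
    print("parser:", links_by_parser(SLOPPY_HTML))  # the four real links, in document order
```

The same mismatch is why regex-based HTML sanitizers and scrapers disagree with what the browser actually renders.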
