GeoLocation, FTPS, Networking, PIN, Redirect, Session
Setting location in Firefox. geo.provider.network.url = data:application/json,{"location": {"lat": 0.0, "lng": 0.0, "accuracy": 1}, "status": "OK"} - Done. Now I can use the location button with the desktop system when I want to, and it automatically brings information from the correct location. The IP based database doesn't provide enough details. Especially if and when using a VPN and/or other tunneling.
As usual, an enjoyably long and painful process. Now I've finally got FTPS over TLS (@ Wikipedia) configured with a 10 year certificate, hash fingerprints and a perfectly working configuration with GnuTLS (@ Wikipedia) and TLSv1.2. As expected, it took a lot of straddling and many painful moments. But after all it works. The only thing I would like to improve is to bump the TLS version. But it's up to the libraries being used. Otherwise it's all good. The hash check is enforced (and actually verified!), so if it fails, the clients fail to connect as designed!
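The fail-closed fingerprint check described above, as an added example that is not the author's configuration or client: a Python FTPS client that pins the server certificate's SHA-256 fingerprint and requires at least TLSv1.2. It assumes a self-signed certificate (so the pin is the only trust anchor) and explicit FTPS on port 21; the function names and the sample bytes are hypothetical.

```python
import hashlib
import hmac
import ssl
from ftplib import FTP_TLS

# Constructed stand-in for DER certificate bytes (not a real certificate).
SAMPLE_DER = b"constructed stand-in for DER certificate bytes"


def normalize_fingerprint(fp: str) -> bytes:
    """Accept 'AA:BB:..' or 'aabb..' style SHA-256 pins and return raw bytes."""
    cleaned = fp.strip().replace(":", "").replace(" ", "")
    raw = bytes.fromhex(cleaned)  # raises ValueError on non-hex input
    if len(raw) != 32:
        raise ValueError("pin is not a SHA-256 digest")
    return raw


def cert_matches_pin(der_cert: bytes, pinned_fp: str) -> bool:
    """Compare the certificate's SHA-256 digest with the pin in constant time."""
    actual = hashlib.sha256(der_cert).digest()
    return hmac.compare_digest(actual, normalize_fingerprint(pinned_fp))


def connect_pinned_ftps(host, pinned_fp, user, password, port=21):
    """Open explicit FTPS; refuse to send credentials unless the pin matches."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Assumption: self-signed certificate, so CA validation is replaced by the pin.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ftps = FTP_TLS(context=ctx)
    ftps.connect(host, port)
    ftps.auth()  # AUTH TLS: upgrade the control channel before login
    der = ftps.sock.getpeercert(binary_form=True)
    if der is None or not cert_matches_pin(der, pinned_fp):
        ftps.close()  # fail closed: no credentials leave the client
        raise ssl.SSLError("certificate fingerprint does not match the pin")
    ftps.login(user, password)
    ftps.prot_p()  # encrypt the data channel as well
    # Note: only the control-channel certificate is checked against the pin here.
    return ftps
```

With `CERT_NONE` the pin is the only authentication of the server, so a mistyped or stale pin must raise an error instead of falling back to an unverified connection.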
Investing and (human) networking, trying to slightly shift focus from privacy and security and technical stuff to a bit higher level. AI, analytics, investing and networking. I think the path with privacy and security topics is pretty much covered. There's nothing to say, just the age old endless pointless (?) arguments, to which there is no correct answer. Yet of course the investment topic is also very full of similar things. This time it's different, or is it? Who knows. One famous quote: "Markets can remain irrational longer than you can remain solvent." - At least that's especially true if using debt leverage and/or short selling.
Remote Control - OMFG!!! There have been several month long discussions about unauthorized abuse by hackers. They claim that someone has hacked the system blah blah blah. Today I was slightly bored and annoyed and thought let's see... I went to the device with the remote management console and read the QR code from it. It asked for a PIN, I tried three different PIN (@ Wikipedia) codes (I'm not disclosing what codes exactly) and the third one I tried didn't give me any error. Ok, I've just gained access to the system management. - For this, I'm going to abuse the system they abused just for once. If there are going to be any accusations or whatever about this, I'm gonna just laugh them off. This is insurmountable stupidity during the PIN code selection as usual. They got just what they asked for and deserved. - I just wonder how and if anyone else could have done the same. - BLEEP! - Yes, I'm going to report this. Just abusing it once, because I do deserve it. - Yes, I'm on the management board of the organization which this regards. If they do whine about it, I'm good explaining it off. - And that's actually why I also know about the mentions of previous potential "abuse cases". - Did I abuse the vulnerability? Yes. - Did it matter at all? No. - Did reporting the issue improve security? Yes. - Was the "hacking" inevitable? Yes. - Did it cause any costs? Yes, some euro cents in the form of the electricity bill. - I do admit that extremely bad security doesn't make abuse right, but doing it just once to prove the point... I just did it to prove the point. Accept the facts. And the things shouldn't be the way they are anyway.
Redirect loops - Services which first create redirection loops and then complain about "too many requests" are just, ahem, ridiculous. Almost makes me want to bombard them with an insane amount of requests and just say it's your own fault. - Even funnier it gets when they don't fix those flaws in minutes, in "oh bleep, gotta fix this, done" fashion. Like any sane person would do when causing such configuration flaws on a website.
Don’t Use Session (Signal Fork) (@ soatok.blog) - Very nice post about Session chat app security, it's hilarious. Yet unfortunately nothing new.
6 day IP certs (@ letsencrypt.org) - As if the 90 day certificate renewal weren't creating enough problems. - Well, if you feel like it, now it's possible to renew the certificates even more often for improved security. Also the alternate validation method 'TLS-ALPN-01' is very nice indeed, for situations where the web server itself handles the certificates without additional tools. Not a great match with the existing tool stack, but it might become very common with newer HTTPS servers using it automatically.
2025-07-27