2019-06-29

On Valuing "Think Time"

I have become known for introducing a key phrase with one of my clients: "Think Time" - and it is perhaps, the most important legacy I will leave behind with them. Making thinking an important and valued activity - before the flurry of activity and motion begins for actual sprint development - so that what is designed and built - will have solid underpinnings and have been planned for longevity, maintainability, extensibility, security, and performance.

2019-06-18

2019-06-18 Tuesday - SRI Hash Generator

SRI Hash Generator
https://www.srihash.org/
SRI is a new W3C specification that allows web developers to ensure that resources hosted on third-party servers have not been tampered with. Use of SRI is recommended as a best-practice, whenever libraries are loaded from a third-party source.

TLS ensures that the connection between the browser and the server is secure. The resource itself may still be modified server-side by an attacker to include malicious content, yet still be served with a valid TLS certificate. SRI, on the other hand, guarantees that a resource hasn't changed since it was hashed by a web author.


References:

  1. https://en.wikipedia.org/wiki/Subresource_Integrity
  2. https://www.w3.org/TR/SRI/
  3. https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
  4. https://wiki.mozilla.org/Security/Subresource_Integrity


2019-06-16

2019-06-16 Sunday - Nginx PGP Key - "Can't check signature: No public key"

It has been awhile since I updated my Nginx installation (last install was 1.9.2) - so I downloaded the latest (1.17.0) - and the associated http://nginx.org/download/nginx-1.17.0.zip.asc file, from here:

http://nginx.org/en/download.html

When I went to validate the PGP signatures, I observed this message being returned:

"Can't check signature: No public key"

https://gnupg.org/download/integrity_check.html
"If the output of the above command [contains "Can't check signature: No public key"], then either you don't have [the correct] distribution keys...or the signature was generated by someone else and the file should be treated suspiciously."

After checking this web page...
http://nginx.org/en/pgp_keys.html

I downloaded the public key

nginx public key (used for signing packages and repositories)
http://nginx.org/keys/nginx_signing.key
-----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v2.0.22 (GNU/Linux)
mQENBE5OMmIBCAD+FPYKGriGGf7NqwKfWC83cBV01gabgVWQmZbMcFzeW+hMsgxH
mQENBE5OMmIBCAD+FPYKGriGGf7NqwKfWC83cBV01gabgVWQmZbMcFzeW+hMsgxH W6iimD0RsfZ9oEbfJCPG0CRSZ7ppq5pKamYs2+EJ8Q2ysOFHHwpGrA2C8zyNAs4I fDR+Eny/M1RVR4xClECONF9UBB2ejFdI1LD45APbP2hsN/piFByU1t7yK2gpFyRt QxnZZIbETgcSwFtDun0XiqPwPZgyuXVm9PAbLZRbfBzm8wR/3SWygqZBBLdQk5TE 97WzGHn9MV5/TL7AmRPM4pcr3JacmtCnxXeCZ8nLqedoSuHFuhwyDnlAbu8I16O5 CAIJCgsEFgIDAQIeAQIXgAUCV2K1+AUJGB4fQQAKCRCr9b2Ce9m/YloaB/9XGrol XRrfzhrHRJFM1JnIiGmzZi6zBvH0ItfyX6ttABEBAAG0KW5naW54IHNpZ25pbmcg a2V5IDxzaWduaW5nLWtleUBuZ2lueC5jb20+iQE+BBMBAgAoAhsDBgsJCAcDAgYV kocm7l/tsVjaBQCteXKuwsm4XhCuAQ6YAwA1L1UheGOG/aa2xJvrXE8X32tgcTjr oe/PD08AoAA6fxXvWjSxy+dGhEaXoTHjkCbz/l6NxrK3JFyauDgU4K4MytsZ1HDi KoYoXWcdxaFjlXGTt6jV85qRguUzvMOxxSEM2Dn115etN9piPl0Zz+4rkx8+2vJG F+eMlruPXg/zd88NvyLq5gGHEsFRBMVufYmHtNfcp4okC1klWiRIRSdp4QY1wdrN 1O+/oCTl8Bzy6hcHjLIq3aoumcLxMjtBoclc/5OTioLDwSDfVx7rWyfRhcBzVbwD MgMW8hZXxszoICTTiQEcBBABAgAGBQJOTkelAAoJEKZP1bF62zmo79oH/1XDb29S SO93vc1evIje6lguE81HHmJn9noxPItvOvSMb2yPsE8mH4cJHRTFNSEhPW6ghmlf YtWp+MTJTPFEwlWRiyRuDXy3wBd/BpwBRIWfWzMs1gnCjNjk0EVBVGa2grvy9Jtx JKMd6l/PWXVucSt+U/+GO8rBkw14SdhqxaS2l14v6gyMeUrSbY3XfToGfwHC4sa/ Thn8X4jFaQ2XN5dAIzJGU1s5JA0tjEzUwCnmrKmyMlXZaoQVrmORGjCuH0I0aAFk RS0UtnB9HPpxhGVbs24xXZQnZDNbUQeulFxS4uP3OLDBAeCHl+v4t/uotIad8v6J Wa9ZwiVX5igxcvaIRgQQEQIABgUCTk5b0gAKCRDs8OkLLBcgg1G+AKCnacLb/+W6 -----END PGP PUBLIC KEY BLOCK----- cflirUIExgZdUJqoogCeNPVwXiHEIVqithAM1pdY/gcaQZmIRgQQEQIABgUCTk5f YQAKCRCpN2E5pSTFPnNWAJ9gUozyiS+9jf2rJvqmJSeWuCgVRwCcCUFhXRCpQO2Y Va3l3WuB+rgKjsQ= =EWWI

But, still got an error message indicating that there were missing keys:

So, I imported the following keys from the same link at the top:


And still got this warning:
I also tried specifying the "--openpgp" parameter, and still got a similar warning:
Here's the results of the "gpg --list-packets" command:






Additional Resources:

Background Reading/Research Notes:
  1. https://gnupg.org/gph/en/manual.html
  2. https://gnupg.org/documentation/manuals/gnupg/OpenPGP-Key-Management.html#OpenPGP-Key-Management
  3. https://gnupg.org/gph/en/manual.html#AEN335
  4. https://www.dewinter.com/gnupg_howto/english/GPGMiniHowto.html
  5. https://gnupg.org/documentation/manuals/gnupg/Operational-GPG-Commands.html#Operational-GPG-Commands
  6. https://security.stackexchange.com/questions/150942/whys-the-public-key-block-different-although-fingerprint-is-same-for-gpg-keys
  7. https://serverfault.com/questions/569911/how-to-verify-an-imported-gpg-key 
    1. "A "trusted signature" is a signature from a key that you trust, either because (a) you have personally verified that it belongs to the person to whom it claims to belong, or (b) because it has been signed by a key that you trust, possibly through a series of intermediate keys."
    2. Note that the warning "This key is not certified with a trusted signature" basically means, "this thing could have been signed by anybody"
    3. To avoid this problem, you would presumably download the ISC GPG key from the website and either trust it ultimately ("I believe this entity can certify itself") or sign it with your ultimately-trusted private key. 
    4. "Without proper management of key trust, signature verification is mostly theater"
  8. https://www.cyberciti.biz/faq/pgp-tarball-file-signature-keys-verification/
  9. https://www.f5.com/company/news/press-releases/f5-acquires-nginx-to-bridge-netops-devops

On Monday, I will track down the F5 CISO (or someone in their security architecture group) - and advise them of this concern (email sent to: info@f5.com) - 

At a minimum, the http://nginx.org/download/nginx-1.17.0.zip.asc - should be a generated by an account with a public key.

2019-06-15

2019-06-15 Saturday - Updating the Architecture Review Checklist


I'm working on a major update to my "Architecture Review Checklist" tool (via an Excel spreadsheet).

This will give you an idea of the expanded scope it is intended to cover.


And, you'll note the new section ("99.3 Summary Report") - which will provide a summarized count of the Gap Analysis columns, for the collection of assessed requirements - in each of the sections (3.0 -20.0, currently)




2019-06-01

2019-05-31 Friday - A Meditation on The Joy of Information Architecture Design

Photo by Zac Durant on Unsplash


Joy.

That's what I've been feeling today.

That's what I feel when I'm focused - and in the zone - deeply considering the trade-off considerations of a particularly challenging design problem.

Design as an act of creation - fills the soul with a sense of wonder - and of possibilities.

And for one who spends their creative energy sculpting ideas and concepts - in the design of information systems - the canvas can be writ as large, or as small, as you may wish to focus on - for a moment, an hour, or a day.

With a mere thought - you can zoom in, or out - from the microscopic detail of selecting just the right algorithm or data type - to the macro level concerns of how the design of value chains and information flow will affect the competitive position of an entire enterprise - and well beyond, as it may encompass information exchange and processes that affect relationships with partners, suppliers, and certainly - customers.

There is joy even in considering the selection of the tools and materials with which you will craft a solution - technologies, data structures, conventions, standards - and need to meet the sometimes competing forces/concerns of security, maintainability, simplicity, availability, performance, quality, reliability, and resilience - all while trying to keep at bay those crushing forces of negative energy: complexity & cost.

The most boundless type of joy that can be experienced in such design work - is when presented with a challenge to design that which does not yet exist. To weave the threads of creative energy within your mind - and be responsible for creating something - from nothing - with unfettered freedom to choose the "paints" and "canvas" that will satisfy your own inner muse.

When your design evokes comments from your colleagues, such as "elegant", "crisp", or "rock-solid" - it is the nearest equivalent (and as close as you will likely ever get) to receiving a standing ovation for that recognition of the excellence achieved - in the duty-of-care - that you, as a true artist of design - strives to reach, every day.

Ok...so yes, there are practical limitation and constraints imposed in any such creative endeavors - of time, of budget, of scope, and of resources - that must necessarily intrude into the cerebral composing of such symphonies of thought and ideas...but work with me here...I'm waxing poetic.

There is even a special kind of joy to be found in facing the daunting challenges of introducing foundation-breaking changes into the design of an existing legacy information system.

But that requires a certain kind of personality - that may be rarer still.

Because, let's face it - not everyone is going to be enthusiastic to design the solution when the business proverbially asks you to change the transmission and the tires - while the car is hurtling down the highway at 80 mph.

Photo by Lucas Ludwig on Unsplash

Copyright

© 2001-2021 International Technology Ventures, Inc., All Rights Reserved.