Crypto Chocolate
Or the art of wrapping flavourful brain fucks in a sweet chocolate shell for easier swallowing by your peers.
On this site we discuss the applications of Automation, Bots, APIs and Cryptography in enterprise environments, using open-source libraries and code (or our own), with a focus on security.
Here we assemble a number of articles and discuss software programming with the purpose of automating, securing and certifying systems, applications and concepts.
Sort of a melting pot of all my personal writings. I hope you find it useful.
Automation & Bots
The "raison d'être" for this website: I had decided it was time I wrote a book, but considering the economics of printed books today (i.e. more expensive for the writer than the reader! Gulp!), I decided to go with a website instead.
So on this website you'll find organized writings that revolve around Automation on different kinds of systems, and within different logical contexts. We try to analyse and demystify the security aspects of the different systems.
Cryptography
So, why Crypto and Chocolate?
Because we like to exaggerate some of the concepts related to marketing, we chose to follow what must be, or should be, one of the most popular buzzwords in Google search, that is "Crypto".
But more seriously, because this site was born out of my personal forays into the theory behind crypto-currencies. I live in the ancient Maya zone, where chocolate used to be the local currency, and the relation was simply too sweet to ignore.
Cryptocoins can be seen by some as worthless, just as cacao nibs may have been perceived by the conquerors as a palatable delicacy, without consideration for the empire they really sustained; after all, chocolate was to the Maya what gasoline is to the United States of America.
This is an interesting concept to tinker with: as a Maya, you could "eat" your money, whereas as a citizen of the U.S.A., you can literally "burn" your money.
But cryptography is certainly not about gasoline or colorful chocolate wrapping, at least, it should not be. Rather, it's about security, peace of mind and restful nights. And like chocolate, the more we eat and understand cryptography, the happier we should be.
Free crypto!
Speaking of burning money and eating chocolate, I'd like to point out that in 2019, nobody should have to pay for cryptography-related licences.
Back in the 90s, it was common to have to invest heavy sums in cryptographic libraries: open-source cryptographic libraries were scarce, widely used methods (RSA, for one) were patented, and so they were packaged and sold as black boxes. That was very cumbersome, and today it would be a very challenging proposal in light of in-depth auditing processes, since a black box cannot be audited.
The powers that be (and that want to remain so) would probably attempt to set up a standard giving patent-holders better financial protection for their innovations; perhaps this is strictly a military thing today, so thankfully it doesn't affect us on the Internet. But if your enterprise is security-serious and deals with a government agency requiring your submission to a standard, you might want to analyse the technological costs and make sure it remains a profitable proposal for you.
But more seriously, the point of this website is to show that it is possible to roll out a NIST/SOX/HIPAA/GDPR-compliant system without spending a dime on proprietary licences.
Yes! It is possible, it's even easy.
And it's free.
Operating systems & stuff
I use, depend on and rely upon OpenBSD day to day and for most of my work. I cannot sufficiently underline the fact that any security-conscious administrator should consider using OpenBSD at the forefront of their security work.
I personally loathe virtualisation; the concept is "wrong" and shouldn't be depended upon for running corporate servers where security is paramount. For this reason, most of the people that know me will rarely propose virtual-anything (without preparing and smoothing the terrain first! :)
Virtual appliances do have their use cases, but they're very limited and should be wrapped in a hefty security package.
Security Certifications
In my life I've done numerous security certifications on behalf of different enterprises and customers. I've pretty much seen them all, and I'll be the first to admit I'm still learning. It is beyond my understanding how so many "security certified experts" can profess to understand the most complex security requirements and still recommend using Windows as an operating system for server appliances, or worse, security appliances.
I was forged in the creation of PCI DSS, having participated in its first definitions myself as a member of the original PCI consortium. Back then I was also working for the forerunner in all things EDI and digital finance, so I also understand the EDI X12 paradigm and the FIX network.
Security certifications are moot, unless you're trying to prove yourself to get a painful job. The best you can hope for is to turn technical writer with no time to program; if that's your thing, go for it. But as my philosophy teachers would say, go study literature if you want to be a philosopher, and study philosophy if you want to become a writer.
How much document writing and legalese is involved with security certifications? A lot. A good algebraic mind is also required to really grasp the security ratings proposed by NIST. Each tiny server becomes 20 pages of documentation, and little things like backups can require 50 pages of documentation, hours of testing and, too often, the catastrophic failures that make real experts.
With that said, why would you consider security certification work in your line of work? Usually because someone "forces" it on you, alas. So if you're up to the challenge of becoming the next superstar, and have the writing skills to boot, then by all means keep reading this website and get on my social network.
About the author:
Stéphane Paquin, aka Selt Mitchell, is a certified systems analyst born at the right time. From the age of 6 or 7 he started to dabble with computers, hacking his way around assembly code on the first computer his dad bought, an Apple ][+. While his dad was away at work, Stéphane would be consumed by the code running games, and he started programming his own games by the age of 12. With a partial certificate in electronics, at age 17 Stéphane decided to switch over to studying systems analysis instead, and got to hone his programming skills working for Total.net. After getting noticed in the corridors of Total.net for his constant good mood and killer security discoveries, Stéphane was recruited for the R&D department and ended his suit-and-tie career working at BCE Emergis on the first Internet payment gateways.
"I remember it as before Internet Explorer 1.0 and 1 week before PayPal. It was a very exciting time!"
-Stéphane
After renouncing the dress code enforced by the Fortune 500s, Stéphane went on to found his own Internet development company, named Philosophy Blue, along with an amazing team of technical gurus and salesmen, and no dress code. Philosophy Blue was well-diversified and focused on recurring revenues. Eventually the dot-com bubble burst, and Philosophy Blue had to be rescued by one of its own clients, Kopel Inc.
Stéphane then became a sort of technology guru for Kopel, and the rest of his story can be pieced together from the documentation that he wrote for Kopel, and for the public.