
September 30, 2022
I still remember when 15 years ago, the topic of Infrastructure as Code was beginning to be discussed.
At the time, the majority of tools we know and use for Infrastructure as Code did not exist.
Some people and companies realized the need for such a paradigm, while many others were skeptical or against it.
In the last few months, I had a kind of déjà vu when I started to have conversations with some stakeholders around Policy as Code, or, as some prefer to call it, Compliance as Code.
The idea behind Policy as Code is that if it was possible to write policies in a language that is both easily readable by a human and a computer, we could better govern IT.
Policy as Code is not a new concept by itself.
In fact, in Infrastructure as Code software such as Ansible, it is possible to create a Playbook to assess if a system is in the expected state.
The problem, though, is that a Playbook written with Ansible for this purpose is not always easy to read for people who are not highly trained on the topic.
June 30, 2022
In the last year, I moved more and more data and services to hardware that I can directly control.
A direct consequence of this is that I started to run more hardware at my house.
This change has been very positive, but it is suboptimal when not at home.
All services I run are secure and could be shared directly on the web, but I prefer a more cautious approach.
For this reason, I decided to create a VPN.
May 23, 2022
We have seen a massive increase in the “real world” dependency on digital services in the last few years.
This process will probably continue in the future, and we are not ready for it.
In the same few years, we have seen a lot of cases where digital services went offline or got hacked.
In a society that relies more and more on digital services, we cannot afford such services to be unavailable or insecure.
Although security is essential, I want to focus on availability for now.
April 25, 2022
I started to use ZX2C4's pass back in 2016 to manage my passwords.
I liked the idea behind pass, but I found it too hackish.
For this reason, I moved to gopass at the end of 2017 because, from my point of view, it was a far more complete implementation of pass.
gopass is now part of my system, and I'm so used to it that it is hard for me to think about my workflows without gopass in them.
October 31, 2021
I often see people and companies moving their workloads to the cloud.
Speaking with them, they explain that the cloud is cheaper, more flexible, and more reliable than their current infrastructure.
To further increase the return on investment, they often target a specific (single) cloud to reduce management costs and complexity.
By itself, this trend seems a very reasonable one.
The risk is that, sometimes, people do not consider the less immediate risks around this move.
There are many of those risks, and if there is an appetite for it, I’ll be talking further about the other dangers, but now I would like to focus on a specific one: the risk of a shutdown.
July 28, 2021
A few years ago, I wrote a blog post on managing CORS headers with Negroni.
Lately, I’ve created a new API server that needed to be accessible from the browser, but this time I used a different technology, more precisely gRPC-Gateway.
A few months after I wrote that blog post, I stopped writing new REST services by hand.
I did not rewrite the services that used the old paradigm just because they needed a fix or a new feature, but for all new services I moved to gRPC with gRPC-Gateway.
May 31, 2021
Three years have passed since the GDPR became binding law in the European Union.
On the one hand, I’m happy that it has already been three years, but on the other hand, I’m impatient to see GDPR fully applied.
Cookies
Cookies are always a hot theme when we talk about GDPR.
I still see websites handing out cookies (first- and third-party ones) without a cookie banner, or to users who have not pressed the "accept" button on the cookie banner.
Also, speaking about cookie banners, the majority are not compliant since they often make it hard to refuse cookies or pre-select cookie acceptance.
This situation is unfortunate, but we see some movement on this (like the noyb initiative).
If those initiatives continue, as I hope, the cookie situation will be much better next year!
September 13, 2020
On September 1st, 2020, the maximum lifetime of TLS certificates signed by public Certificate Authorities was reduced to 13 months.
How did we arrive here, and what’s to come?
Let's start by understanding who decides the maximum lifetime of certificates and the many other limitations around them.
Who decides the TLS certificate guidelines
Ultimately, the client (often a browser or an operating system) identifies the certificate as trustable or not (based on the CA that signed it as well as many other parameters), so the client can decide which parameters to look for and which values are acceptable and which are not.
This freedom of clients makes the whole situation very messy, since every client can decide on its own set of rules, and the subset of options accepted by every client can be very small, if not empty.
May 25, 2020
As it is becoming a sort of tradition, here we are, two years after the enactment of the GDPR, to see how it performs in the real world.
In our previous yearly check, we analyzed the situation from two points of view: the banners and the fines.
Let’s see how those two topics have evolved in the last year.
The Cookie Banners
On the 1st of October 2019, with the judgment in case C-673/17, the European Union Court of Justice clarified that pre-ticked consent checkboxes are not sufficient, since consent has to be expressed actively by the user.
This requirement was clear to me from my first reading of the GDPR, since it was evident that this was the only way to respect the Regulation's spirit.
Still, it is very nice to see it stated explicitly by the European Union Court of Justice.
March 1, 2020
Google Cloud provides the capability of terminating a VPN connection with a VPN Gateway.
The problem is that the VPN Gateway - at the moment - is relatively limited in capabilities.
One of the missing capabilities I would have liked to see implemented is the NAT capability.
VPNs can be used to connect the machines of two different parties.
Although this is usually not the best architectural pattern, since a connection on the public internet encrypted at the Transport Layer is often a better option, it’s relatively common in more legacy environments.
When a VPN is used in this way, it is very common to run into an IP space collision, and therefore some form of NAT becomes required.
Let's see how to implement this scenario in Google Cloud without terminating the VPN directly on an instance (which is possible but has its own problems, and maybe we'll discuss it at some point in the future).