OSHA issues ventilation guidance to workplaces for airborne #SARSCoV2: – HVAC systems should be fully functional; – Prevent personal fans from blowing air from one worker to another; – Use HVAC filters w/MERV rating 13 or higher; – Increase HVAC’s outdoor air intake; – Open windows/sources of fresh air; – Be sure exhaust air isn’t pulled back into the building from HVAC air intakes or open windows; – Use portable HEPA fan/filtration to increase clean air; – Restrooms fans should operate max capacity, and remain on.These are all eminently sensible. Now to see if anything equivalent happens on this side of the pond.
Finally, a good take on Apple’s OCSP crapfest over the past weekend.
If Apple’s OCSP check was built to soft-fail [which is apparently the case], then why did apps hang when the OCSP Responder was down? Probably because this was actually a different failure case: the OCSP Responder was not completely down, it was performing badly. Due to the load added by millions of users worldwide upgrading to macOS “Big Sur”, Apple’s servers slowed to a crawl, and although they weren’t properly answering OCSP queries, they were working just enough that the soft-fail didn’t trigger.IMO — this is a big fail by Apple. Network callouts to perform OCSP checks on app startup are a critical case where a Hystrix-level infrastructure of timeouts and short-circuits were appropriate to fail safely in as many situations as possible. The article goes on:
By adding several mundane failure modes to the verification process, OCSP spoils any cryptographic elegance the code signing and verifying process has. While OCSP is also widely used for TLS certificates on the internet, the large number of PKI certificate authorities and relaxed attitude of browsers means that failures are less catastrophic. Moreover, people are accustomed to seeing websites become unavailable from time to time, but they don’t expect the same from apps on their own devices. macOS users were alarmed at how their apps could become collateral damage for an infrastructure issue at Apple. Yet this was an inevitable outcome arising from the fact that certificate verification depends on external infrastructure, and no infrastructure is 100% reliable. Scott Helme also has concerns about the power that Certificate Authorities gain when certification revocation actually works effectively. Even if you aren’t bothered about the potential for censorship, there will be occasional mistakes and these must be weighed against the security benefits. As one developer discovered when Apple mistakenly revoked his certificate, the risk of working within a locked down platform is that you may get locked out.