Worth Reading: Implementing multifactor authentication in the enterprise

IT systems must manage users and control access privileges to protect sensitive resources. This function is usually implemented in enterprise networks through authentication (verification of identity), authorization (control of access privileges) and accounting (recording of actions for auditing)—an “AAA” security framework. —Data Center Journal

The post Worth Reading: Implementing multifactor authentication in the enterprise appeared first on 'net work.

Reaction: Keith’s Law

Ethan pointed me to this post about complexity and incremental improvement in a slack message. There are some interesting things here, leading me in a number of different directions, that might be worth your reading time. The post begins with an explanation of what the author calls “Keith’s law”—

I am going to paraphrase the version he shared over lunch at the Facebook campus a few years ago and call it Keith’s Law: In a complex system, the cumulative effect of a large number of small optimizations is externally indistinguishable from a radical leap. If you want to do big things in a software-eaten world, it is absolutely crucial that you understand Keith’s Law. —Breaking Smart

The author attributes this to the property of emergence; given I don’t believe in blind emergence, I would attribute this effect to the combined intertwining of many intelligent actors producing an effect that at least many of them probably wanted (the improvement of the complex system), and each of them working in their own spheres to achieve that result without realizing the overall multiplier effect of their individual actions. If that was too long and complicated, perhaps this is shorter and better—

The law of Continue reading

Worth Reading: IoT devices and DDoS attacks

Embedded Internet-of-Thing (IoT) botnets are not a new phenomenon – we’ve seen them leveraged to launch DDoS attacks, send spam, engage in man-in-the-middle (MitM) credentials hijacking, and other malicious activities for several years. For example, a few years ago, a 75,000-strong botnet comprised of embedded devices – consumer broadband routers, in that instance – was found to be launching DDoS attacks. We routinely see IoT botnets comprised of webcams, DVRs, cable television set-top boxes, satellite set-top boxes, etc. used to launch DDoS attacks. —Arbor

The post Worth Reading: IoT devices and DDoS attacks appeared first on 'net work.

Worth Reading: The need for loud cyber weapons

In general, a tool used for offensive cyber operations involves a penetration mechanism and a payload. It’s often been observed that tools for exploitation (intelligence collection) and for attack (destruction or degradation) make use of the same techniques for penetration and differ primarily in payload (that is, in what is done to the target after penetration has been achieved). —Lawfare

The post Worth Reading: The need for loud cyber weapons appeared first on 'net work.

Biometric Password Protection

The post Biometric Password Protection appeared first on 'net work.

Worth Reading: The hidden world of news cameras

Most professional photographers are familiar with the fact that their cameras embed a wealth of metadata hidden in the images they create in formats like EXIF, IPTC and XMP. This metadata typically records the camera, lens and flash settings used to create the photograph, reflecting whether the image is a close-up macro portrait or a distant zoom lens shot. Yet, the fields can also contain textual descriptions of the image written by the photographer, authorship information, subject keywords, GPS coordinates, the names of public figures and events depicted in the image and a myriad other pieces of information that allow the image to be easily cataloged and searched. —Forbes

The post Worth Reading: The hidden world of news cameras appeared first on 'net work.

Worth Reading: IPv6 and the DNS

The exhortations about the Internet’s prolonged transition to version 6 of the Internet Protocol continue, although after some two decades the intensity of the rhetoric has faded and, possibly surprisingly, it has been replaced by action in some notable parts of the Internet. But how do we know there is action? How can we tell whether, and where, IPv6 is being deployed in today’s Internet? —Potaroo

The post Worth Reading: IPv6 and the DNS appeared first on 'net work.

Reaction: DevOps and Security

Over at TechBeacon, my friend Chris Romeo has an article up about DevOps and security. It’s interesting to me because this is actually an area I’d never thought about before, even though it makes sense. Given DevOps is essentially writing software to control infrastructure (like routers, compute, and storage), and software needs to be written in a way that is secure, then it should be obvious that DevOps software should be developed with good security principles gleaned from software development as part of the foundation.

And here we face a challenge, as Chris says—

There is no standard that defines security for DevOps, and the chances of a standard ever developing is small because different organizations are doing things their own way, and can’t even agree on a standard name. And while there is a standard for the secure development lifecycle (ISO/IEC 27034-1), few organizations are ever validated against it.

The key point in here is that every organization is doing things their own way. This isn’t wrong, of course, because every organization must have some “snowflakiness” to justify its existence, and that “snowflakiness” is often likely to show up, in a large way, in something like handling resources within Continue reading

Worth Reading: Microsoft and FPGAs

Microsoft’s embrace of programmable chips knowns as FPGAs is well documented. But in a paper released Monday the software and cloud company provided a look into how it has fundamentally changed the economics of delivering hardware as a service thanks to these once-specialty pieces of silicon. —The Next Platform

The post Worth Reading: Microsoft and FPGAs appeared first on 'net work.

Worth Reading: Some notes on today’s DDoS

As a techy, I want to know the composition of the traffic. Is it blindly overflowing incoming links with junk traffic? Or is it cleverly sending valid DNS requests, overloading the ability of servers to respond, and overflowing outgoing link (as responses are five times or more as big as requests). Such techy details and more make a big difference. Was Dyn the only target? Why were non-Dyn customers effected? —Errata Security

The post Worth Reading: Some notes on today’s DDoS appeared first on 'net work.

I2RS and Remote Triggered Black Holes

In our last post, we looked at how I2RS is useful for managing elephant flows on a data center fabric. In this post, I want to cover a use case for I2RS that is outside the data center, along the network edge—remote triggered black holes (RTBH). Rather than looking directly at the I2RS use case, however, it’s better to begin by looking at the process for creating, and triggering, RTBH using “plain” BGP. Assume we have the small network illustrated below—

In this network, we’d like to be able to trigger B and C to drop traffic sourced from 2001:db8:3e8:101::/64 inbound into our network (the cloudy part). To do this, we need a triggering router—we’ll use A—and some configuration on the two edge routers—B and C. We’ll assume B and C have up and running eBGP sessions to D and E, which are located in another AS. We’ll begin with the edge devices, as the configuration on these devices provides the setup for the trigger. On B and C, we must configure—

• Unicast RPF; loose mode is okay. With loose RPF enabled, any route sourced from an address that is pointing to a null destination in the routing table will Continue reading

Worth Reading: Hack Cameras, DVRs, and DDoS

A massive and sustained Internet attack that has caused outages and network congestion today for a large number of Web sites was launched with the help of hacked “Internet of Things” (IoT) devices, such as CCTV video cameras and digital video recorders, new data suggests. —Krebs on Security

The post Worth Reading: Hack Cameras, DVRs, and DDoS appeared first on 'net work.

Worth Reading: Facebook’s video views

The takeaway from Facebook’s bombshell that it had overstated a key measure of video ad viewership on its pages by about 80%: It’s not that the social-media giant “miscalculated” its numbers. It’s a fresh view into Facebook’s arrogance, both toward its advertisers and its nearly two billion users. Nothing’s new under the sun, of course — pride has goeth-ed before a fall for all of human history. And obviously does in the digital sphere, too: Facebook FB, +0.05% and its principal digital advertising rival, Google GOOG, +0.04% have been behaving as though customs and principles that have governed the advertising business for its entire history simply don’t apply to them. —Market Watch

The post Worth Reading: Facebook’s video views appeared first on 'net work.

Butterfly

The post Butterfly appeared first on 'net work.

Worth Reading: The psychology of bad passwords

A Lab42 survey, which polled consumers across the United States, Germany, France, New Zealand, Australia and the United Kingdom, highlights the psychology around why consumers develop poor password habits despite understanding the obvious risk, and suggests that there is a level of cognitive dissonance around our online habits. —helpnetsecurity

The post Worth Reading: The psychology of bad passwords appeared first on 'net work.

Worth Reading: Increasing the strength of the root zone

A few weeks ago, on Oct. 1, 2016, Verisign successfully doubled the size of the cryptographic key that generates Domain Name System Security Extensions (DNSSEC) signatures for the internet’s root zone. With this change, root zone Domain Name System (DNS) responses can be fully validated using 2048-bit RSA keys. This project involved work by numerous people within Verisign, as well as collaborations with the Internet Corporation for Assigned Names and Numbers (ICANN), Internet Assigned Numbers Authority (IANA) and National Telecommunications and Information Administration (NTIA). —Circle ID

The post Worth Reading: Increasing the strength of the root zone appeared first on 'net work.

Worth Reading: What the IoT means to you

In the broadest possible terms, the Internet of Things is the connectivity of things that are able to communicate data about themselves to the “network” or to be controlled from the network. This means that the Internet of Things is as nebulous, ubiquitous and diverse as the internet itself, examples of IoT devices could range from the iKettle to devices use sophisticated monitoring of HD video to support mission critical applications like traffic flow management. —ECI

The post Worth Reading: What the IoT means to you appeared first on 'net work.

Worth Reading: The balancing act of freelancing

By the end of the work day, the last thing you want to do is look at another pixel. Since 8:30am, you’ve been firing on all cylinders. Deadlines, meetings and requests have been swarming your desk as restlessly as your fingers against your keys. The mental expenditure you endure each day is taxing. Yet, you’re not done. You have even more deadlines, calls, meetings and requests to honor once you get home–your place of solitude. They belong to your freelance clients. You must pay them the same amount of attention and focus as you give to your day job. —Line 25

The post Worth Reading: The balancing act of freelancing appeared first on 'net work.

Thoughts on the Tomahawk II

Broadcom released some information about the new Tomahawk II chip last week in a press release. For those who follow hardware, there are some interesting points worth considering here.

First, the chip supports 256x25g SERDES. Each pair of 25G SERDES can be combined into a single 50g port, allowing the switch to support 128 50g ports. Sets of four SERDES can be combined into a single 100g port, allowing the switch to support 64 100g ports.

Second, there is some question about the table sizes in this new chip. The press release notes the chip has “Increased On-Chip Forwarding Databases,” but doesn’t give any precise information. Information from vendors who wrap sheet metal around the chipset to build a complete box don’t seem to be too forthcoming in their information about this aspect of the new chip, either. The Tomahawk line has long had issues with its nominal 100,000 forwarding table entry limit, particularly in large scale data center fabrics and applications such as IX fabrics. We’ll simply have to wait to find out more about this aspect of the new chip, it seems.

Third, there is some question about the forwarding buffers available on the chip. Again, the Tomahawk Continue reading

Worth Reading: The EU is pushing new IoT security rules

The European Commission is drafting new cybersecurity requirements to beef up security around so-called Internet of Things (IoT) devices such as Web-connected security cameras, routers and digital video recorders (DVRs). News of the expected proposal comes as security firms are warning that a great many IoT devices are equipped with little or no security protections. iotb2According to a report at Euractiv.com, the Commission is planning the new IoT rules as part of a new plan to overhaul the European Union’s telecommunications laws. “The Commission would encourage companies to come up with a labeling system for internet-connected devices that are approved and secure,” wrote Catherine Stupp. “The EU labelling system that rates appliances based on how much energy they consume could be a template for the cybersecurity ratings.” —Krebs on Security

The post Worth Reading: The EU is pushing new IoT security rules appeared first on 'net work.