Russ

Author Archives: Russ

Hedge 159: Roundtable on SONiC, Antipatterns, and Resilience through Acquisition

In this last episode of 2022, Tom, Eyvonne, and Russ sit around and talk about some interesting things going on in the world of network engineering. We start with a short discussion about SONiC, which we intend to build at least one full episode about sometime in 2023. We also discuss state and antipatterns, and finally the idea of acquiring another company to build network resilience.

download

Weekend Reads 121622


Today, we released the latest issue of The Domain Name Industry Brief, which shows that the third quarter of 2022 closed with 349.9 million domain name registrations across all top-level domains, a decrease of 1.6 million domain name registrations, or 0.4%, compared to the second quarter of 2022.


Since 2019, unpatched ESXi servers have been targets of ongoing in-the-wild attacks based on two vulnerabilities in the ESXi’s OpenSLP service: CVE-2019-5544 and CVE-2020-3992.


In many cases, once a high-risk security vulnerability has been identified in a product, a bigger challenge emerges: how to identify the affected component or product by its assigned name in the National Vulnerability Database (NVD).


A developer’s cryptographic signing key is one of the major linchpins of Android security. Any time Android updates an app, the signing key of the old app on your phone needs to match the key of the update you’re installing.


Hashing is one of the pillars of cybersecurity. From securing passwords to sensitive data, there are a variety of use cases for hashing.


Cloud gaming needs wide access to 5G networks to thrive. Performance requirements for streaming the latest AAA titles on mobile devices are already high and Continue reading

Controversial Reads 121022


Simply put, we have been right all along, and we now have the conflicting circuit court precedent to prove it. The Supreme Court needs to consider the Fourth Circuit’s arguments and address this split between circuits.


Do we let Big Tech have access to our private communications and free email accounts because it’s so easy? Once you’ve said yes — and who among us has not? — it’s not a stretch to think that Big Data already has almost all your information, so why get picky at the next juncture?


Internet infrastructure services—the heart of a secure and resilient internet where free speech and expression flows—should continue to focus their energy on making the web an essential resource for users and, with rare exceptions, avoid content policing.


Then Elon announced Apple, the most powerful company in the world, threatened to remove Twitter from the app store.


A California judge has cleared the way for a potentially massive class-action lawsuit against Google, which stands accused – again – of anticompetitive practices surrounding its Play store.


There is a growing trend in American culture of what the literary theorist Peter Brooks calls “storification.”


Targeted advertising’s days Continue reading

Weekend Reads 120922


In this article, I will explain how SSHFP DNS records can help mitigate such risks and share the results of our large-scale analysis.


A vulnerability in IBM Cloud databases for PostgreSQL could have allowed attackers to launch a supply chain attack on cloud customers by breaching internal IBM Cloud services and disrupting the hosted system’s internal image-building process.


Amazon Web Services has signaled that the future of cloud computing cannot rely alone on general-purpose chips with its new Graviton3E silicon, joining AMD and Intel in introducing specialized central processing units that are meant to perform certain applications faster and more efficiently.


A recent statement from Italy’s data protection authority, the Garante, opens a new chapter in the never-ending story of profiling cookies.


While analyzing its capabilities, Akamai researchers have accidentally taken down a cryptomining botnet that was also used for distributed denial-of-service (DDoS) attacks.


Biometrics is supposed to be one of the underpinnings of a modern authentication system. But many biometric implementations (whether that be fingerprint scanes or face recognition) can be wildly inaccurate, and the only universally positive thing to say about them is they’re better than nothing.


Geolocation providers usually focus on locating end user devices at Continue reading

Hedge 157: Vendor Lock-in with Frank Seesink

Vendor lock-in has been an issue in networking for the entire time I’ve been working in the field—since the late 1980s. I well remember the arguments over POSIX compliance, SQL middleware standards, ADA, and packet formats. It was an issue in electronics, which is where I worked before falling into a career in computer networks, too. What does “vendor independence” really mean, and what are the ways network operators can come close to having it? Frank Seesink joins Russ White and Tom Ammon to rant about—and consider—solutions to this problem.

download

Troubleshooting Live Training

My next live training course is coming up on the 16th of December: Troubleshooting. This is one of those classes where I’m taking formal training from a former life (electronic engineering) and applying it to the networking world. From the description—

Troubleshooting is a fundamental skill for all network engineers, from the least to most experienced. However, there is little material on correct and efficient troubleshooting techniques in a network engineering context, and no (apparent) live training in this area. Some chapters in books exist (such as the Computer Networking Problems and Solutions, published in December 2017), and some presentations in Cisco Live, but the level of coverage for this critical skill is far below what engineers working in the field to develop solid troubleshooting skills.

This training focuses on the half-split system of troubleshooting, which is widely used in the electronic and civil engineering domains. The importance of tracing the path of the signal, using models to put the system in context, and the use of a simple troubleshooting “loop” to focus on asking how, what, and why are added to the half-split method to create a complete theory of troubleshooting. Other concepts covered in this course are the Continue reading

Weekend Reads 120222


Nearly every application has at least one vulnerability or misconfiguration that affects security and a quarter of application tests found a highly or critically severe vulnerability, a new study shows.


75% of lookalike domains are registered with unrelated third parties and target these companies.


China’s antitrust watchdog, the State Administration for Market Regulation (SAMR), has proposed a revision of the nation’s competition law that targets tech firms.


A new report claims that Meta’s tracking Pixel has been used to collect your financial information when using popular tax filing services to send in your return.


Did you know that a Magniber ransomware infection can cost you a ransom of as much as US$2,500?


New York State has banned a practice becoming more common in the crypto-mining industry – the rescuing and repurposing of mothballed fossil fuel plants to exclusively provide energy for mining digital currency.


DDoS attacks target certain networks, flooding them with unwanted traffic from many different sources and causing interruptions to online services for legitimate users.


John the Ripper (JtR) is a popular password-cracking tool. John supports many encryption technologies for Windows and Unix systems (Mac included).


While in the near future most devices in the car will Continue reading

Hedge 156: Functional Separation in Network Design with Kevin Myers

Modularization is a crucial part of network design because it supports interchangeability, reduces the size of failure domains, and controls security domains. One critical aspect of modularization is functional separation, which argues for separating services onto specific physical and logical resources. Kevin Myers joins Tom Ammon and Russ White on this episode of the Hedge to discuss the theory and importance of functional separation in network design.

download

Controversial Reads 111922


So in terms of the daily lived experience of most people reading this, truly autonomous vehicles just aren’t going to happen.


When the federal government gets together with social media giants to censor critics of the government, is that free speech or censorship?


If you own an advanced Android phone, you may find that Google Assistant will interrupt conversations to offer its own “insights”. Google is also pursuing “prebunking” of what it considers “misinformation” with preemptive propaganda campaigns.


The outcomes of such a system are incentives to not be the new person on a team, to not ask questions, to not work on new and unfamiliar efforts, and to not work together at all generally. Those behaviors become embedded in an organization’s DNA, despite whatever is advertised publicly.


Today’s business headlines herald a harsh reality for Big Tech: tumult at Twitter; meltdown at Meta; atrophy at Alphabet; adjustments at Amazon. Layoffs, sliding stock and shrinking valuations are hallmarks of the moment.


To understand the sudden downfall of the now-collapsed crypto exchange FTX, you have to go back to the beginning.


Twitter was their home. Elon broke into their home. Then he kicked out their friends, and told everyone left to Continue reading

Weekend Reads 111822


Internet users are being tricked into installing browser extensions that can hijack their web searches.


An offshore company that is trusted by the major web browsers and other tech companies to vouch for the legitimacy of websites has connections to contractors for U.S. intelligence agencies and law enforcement, according to security researchers, documents and interviews.


Silicon Valley startup Eliyan thinks its technology for enabling chiplet-based designs can best those from semiconductor giants Intel and TSMC by providing better performance, higher efficiency, fewer manufacturing issues, and more supply chain options.


While the number of cleartext passwords is an improvement compared with the 96,361 passwords exposed in 2020 and the more than 100,000 sent in the clear in 2019, there is still room for improvement, says Jessica Bair Oppenheimer, director of technical alliances at Cisco Secure.


Qualcomm and Arm have been engaged in one of those very entertainingly bitter court fist-fights that the industry throws up when friends fall out over money.


Unbound 1.16.0 adds support for Extended DNS Errors (EDEs) as codified in RFC 8914.


I suspect this reflects a significant change in the economics of the sector. For the last 20 years, Silicon Valley has had the Continue reading

Mean Time to Innocence is not Enough

A long time ago, I supported a wind speed detection system consisting of an impeller, a small electric generator, a 12 gauge cable running a few miles, and a voltmeter. The entire thing was calibrated through a resistive bridge–attach an electric motor to the generator, run it at a series of fixed speed, and adjust the resistive bridge until the voltmeter, marked in knots of wind speed, read correctly.

The primary problem in this system was the several miles of 12 gauge cable. It was often damaged, requiring us to dig the cable up (shovel ready jobs!), strip the cable back, splice the correct pairs together, seal it all in a plastic container filled with goo, and bury it all again. There was one instance, however, when we could not get the wind speed system adjusted correctly, no matter how we tried to tune the resistive bridge. We pulled things apart and determined there must be a problem in one of the (many) splices in the several miles of cable.

At first, we ran a Time Domain Reflectometer (TDR) across the cable to see if we could find the problem. The TDR turned up a couple of hot spots, Continue reading

Weekend Reads 111122

https://www.darkreading.com/risk/build-security-around-users-a-human-first-approach-to-cyber-resilience

User-first security must begin with an understanding of how people use computing technology. We have to ask: What is it that makes users vulnerable to hacking via email, messaging, social media, browsing, file sharing?


How does the industry effectively assess software security, enabling an approved list (allowlist) of software and libraries on distributed systems across multiple industries?


The COVID pandemic pushed a lot of school coursework to the internet, with an increased reliance on true/false and multiple-choice tests that can be taken online and graded quickly and conveniently.


Top chipmakers Nvidia, Intel, ARM, and AMD are providing the hardware hooks for an emerging security concept called confidential computing, which provides layers of trust through hardware and software so customers can be confident that their data is secure.


Rather than ensuring security, the focus across the software development life cycle (SDLC) is beating the competition to market. In fact, innovation is often seen at odds with security — the former believed to be fast-paced and productive, and the latter a roadblock that stifles quick-moving application development.


Responding to a recent surge in AI-generated bot accounts, LinkedIn is rolling out new features that it hopes will help users make Continue reading

Hedge 154: Path Aware Networking Research Group

Applications generally assume the network provides near-real-time packet transmission without regard for what the application is trying to do, what kind of traffic is being transmitted, etc. Back in the real world, its often important for the network to coordinate with applications to more efficiently carry traffic offered. The Path Aware Research Group (PANRG) in the Internet Research Task Force (IRTF) is looking at the problems involved in understanding and signaling the path characteristics to applications.

In this episode of the Hedge, Brian Trammel joins Tom Ammon and Russ White to discuss the current work on path aware networking.

download

Weekend Reads 110422


The recent rise of HTTP request smuggling has seen a flood of critical findings enabling near-complete compromise of numerous major websites. However, the threat has been confined to attacker-accessible systems with a reverse proxy front-end… until now.


Eternity typically keeps its activities on the down low—in the Dark Web. Still, we sought to determine if LilithBot and Eternity also engaged in dealings on the Surface Web.


The Financial Conduct Authority, the UK’s financial services regulator, has begun discussions with the aim of understanding the impact of Big Tech on industry competition.


You really shouldn’t be trying to manage your own passwords when high-performance graphics cards featuring GPUs as powerful as Nvidia’s GeForce RTX 4090 could be in use by hackers.


The U.S. Federal Trade Commission enforcement action against Drizly demonstrates how the agency plans to give teeth to its new emphasis on data minimization.


In October 2020, the Global Privacy Control was created to allow consumers to exercise their privacy rights with the click of a mouse.


Finding new ways to collect information about a network and limit the meta-data exposed to others is a constant struggle we see in research as this data can be used for both Continue reading

Hedge 153: Security Perceptions and Multicloud Roundtable

Tom, Eyvonne, and Russ hang out at the hedge on this episode. The topics of discussion include our perception of security—does the way IT professionals treat security and privacy helpful for those who aren’t involved in the IT world? Do we discourage users from taking security seriously by making it so complex and hard to use? Our second topic is whether multicloud is being oversold for the average network operator.

download

Weekend Reads 102822


Data security in the public cloud has been a concern since the computing medium emerged in the mid-2000s, but cloud providers are allaying fears of theft with a new concept: confidential computing.


Fewer than half of 5G users say they’ve experienced improvements in speed or reliability over 4G according to a new survey, but that is not going to stop some in telecoms pushing ahead with efforts to deliver an enhanced version branded 5.5G.


So we should all be concerned that Mark Cox, a Red Hat Distinguished Software Engineer and the Apache Software Foundation (ASF)’s VP of Security, this week tweeted, “OpenSSL 3.0.7 update to fix Critical CVE out next Tuesday 1300-1700UTC.”


These include multiple forms of wireless, artificial intelligence, and sustainability, according to Frances Karamouzis, distinguished vice president and analyst at Gartner, and external events are making IT pros’ decisions about them even more difficult.


As the priorities of IT are driven by the needs to support business goals, one of the increasingly important needs IT leaders must to pay attention to is attracting and retaining high-quality employees.


SBOMs are meant to be something like a nutrition label on the back of a grocery store Continue reading

1 10 11 12 13 14 162