Russ

Author Archives: Russ

Hedge 154: Path Aware Networking Research Group

Applications generally assume the network provides near-real-time packet transmission without regard for what the application is trying to do, what kind of traffic is being transmitted, etc. Back in the real world, its often important for the network to coordinate with applications to more efficiently carry traffic offered. The Path Aware Research Group (PANRG) in the Internet Research Task Force (IRTF) is looking at the problems involved in understanding and signaling the path characteristics to applications.

In this episode of the Hedge, Brian Trammel joins Tom Ammon and Russ White to discuss the current work on path aware networking.

download

Weekend Reads 110422


The recent rise of HTTP request smuggling has seen a flood of critical findings enabling near-complete compromise of numerous major websites. However, the threat has been confined to attacker-accessible systems with a reverse proxy front-end… until now.


Eternity typically keeps its activities on the down low—in the Dark Web. Still, we sought to determine if LilithBot and Eternity also engaged in dealings on the Surface Web.


The Financial Conduct Authority, the UK’s financial services regulator, has begun discussions with the aim of understanding the impact of Big Tech on industry competition.


You really shouldn’t be trying to manage your own passwords when high-performance graphics cards featuring GPUs as powerful as Nvidia’s GeForce RTX 4090 could be in use by hackers.


The U.S. Federal Trade Commission enforcement action against Drizly demonstrates how the agency plans to give teeth to its new emphasis on data minimization.


In October 2020, the Global Privacy Control was created to allow consumers to exercise their privacy rights with the click of a mouse.


Finding new ways to collect information about a network and limit the meta-data exposed to others is a constant struggle we see in research as this data can be used for both Continue reading

Hedge 153: Security Perceptions and Multicloud Roundtable

Tom, Eyvonne, and Russ hang out at the hedge on this episode. The topics of discussion include our perception of security—does the way IT professionals treat security and privacy helpful for those who aren’t involved in the IT world? Do we discourage users from taking security seriously by making it so complex and hard to use? Our second topic is whether multicloud is being oversold for the average network operator.

download

Weekend Reads 102822


Data security in the public cloud has been a concern since the computing medium emerged in the mid-2000s, but cloud providers are allaying fears of theft with a new concept: confidential computing.


Fewer than half of 5G users say they’ve experienced improvements in speed or reliability over 4G according to a new survey, but that is not going to stop some in telecoms pushing ahead with efforts to deliver an enhanced version branded 5.5G.


So we should all be concerned that Mark Cox, a Red Hat Distinguished Software Engineer and the Apache Software Foundation (ASF)’s VP of Security, this week tweeted, “OpenSSL 3.0.7 update to fix Critical CVE out next Tuesday 1300-1700UTC.”


These include multiple forms of wireless, artificial intelligence, and sustainability, according to Frances Karamouzis, distinguished vice president and analyst at Gartner, and external events are making IT pros’ decisions about them even more difficult.


As the priorities of IT are driven by the needs to support business goals, one of the increasingly important needs IT leaders must to pay attention to is attracting and retaining high-quality employees.


SBOMs are meant to be something like a nutrition label on the back of a grocery store Continue reading

Hedge 152: Joel King on the network and DevOps

DevOps, SecDevOps, GitDevOps—stick DevOps on the end of anything, and it will sound cool, generation FOMO in thousands (maybe millions). What does DevOps really mean to network engineers, though? In this episode of The Hedge, we discuss examples of how the Three Ways, (described in Part One of The DevOps Handbook) of Flow, Feedback, and Continual Learning with Joel King, a leading light in this field.

download

On the ‘net: Privacy and Networking

The final three posts in my series on privacy for infrastructure engineers is up over at Packet Pushers. While privacy might not seem like a big deal to infrastructure folks, it really is an issue we should all be considering and addressing—if for no other reason than privacy and security are closely related topics. The primary “thing” you’re trying to secure when you think about networking is data—or rather, various forms of privacy.

Focusing on legal defensibility is the wrong way to look at privacy, or rather the wrong end of the stick.

What are some best practices network operators can follow to reduce their risk? The simplest way to think about best practices is to think about user rights and risks at each stage of the data lifecycle.

For the final post in this series, I’ll address two topics: the privacy implications of Domain Name System (DNS) queries, and the absolute necessity of having a plan for how to respond to a breach. Let’s start with DNS.

Controversial Reads 102222


A Chinese law that went into effect six months ago required online service providers to file details of the algorithms they use with China’s centralized regulator, the Cyberspace Administration of China (CAC).


How is deep learning going to assist rather than replace the average creative worker? If replacement is the goal — valid, by the way, if a net positive for humanity — are we paying the people responsible for work the models have been trained on?


Since the WSJ and a viral TikTok video made quiet quitting a cultural phenomenon, it seems as though every news outlet, Fortune 500 CEO, lifestyle coach, or entry-level employee has something to say about quiet quitting.


After looking into the matter, I’m less confused but more distressed: Smart heating and cooling is even more knotted up than I thought. Ultimately, your smart thermostat isn’t made to help you. It’s there to help others—for reasons that might or might not benefit you directly, or ever.


This month, LinkedIn researchers revealed in Science that the company spent five years quietly researching more than 20 million users. By tweaking the professional networking platform’s algorithm, researchers were trying to determine through A/B testing whether users end up Continue reading

Weekend Reads 102122


New research has disclosed what’s being called a security vulnerability in Microsoft 365 that could be exploited to infer message contents due to the use of a broken cryptographic algorithm.


Telcos deal with a considerable amount of multivendor devices. Although many hope/expect that these are equipped with state-of-the-art telemetry technologies, most of the time they’re not


Concerns over a critical authentication bypass vulnerability in certain Fortinet appliances heightened this week with the release of proof-of-concept (PoC) exploit code and a big uptick in vulnerability scans for the flaw.


Cracks and keygens have long been a problem for software vendors in that they allow users to install their products without needing to pay for a legitimate license. As the Internet and website development advanced and became more accessible, the number of sites offering software cracking tools grew.


The result is ChilliRack, a cooling system that Klein believes can address key challenges in the cost of cooling and the low utilization seen in many data centers.


With DevSecOps coming a long way as a discipline, there are now great frameworks and best practices for applying security gates in your CI, and later CD.


LitmusChaos is a dynamic open source chaos engineering platform Continue reading

Hedge 151: Cecilia Testart and the Value of the RPKI

If you advertise routes through a provider to the global Internet, you might be wondering if you should go through the trouble of registering in the RPKI and advertising ROAs. What is the tradeoff for the work involved in what seems like a complex process? Cecelia Testart joins Jeremy White and Russ White to discuss recent work in measuring the value of the RPKI.

download

It’s also worth reading Cecelia’s article on this topic.

Weekend Reads 101422

Pinpointing Urban Broadband Gaps


The City of Chicago asked some researchers at the University of Chicago for help to identify the neighborhoods and the number of households that are not connected to broadband.

https://circleid.com/posts/20221006-solving-the-.us-registrant-data-directory-services-rdds-conundrum
Recently ten Democratic Members of Congress wrote a letter to Alan Davidson, head of the NTIA, requesting that the “NTIA immediately cease the public disclosure of personal information about users of .US” country code top-level domain (ccTLD).

https://circleid.com/posts/20221005-four-steps-to-an-effective-brand-protection-program
This makes a comprehensive, holistic brand protection program crucial for any brand owner, including monitoring to identify potentially damaging third-party content, and using enforcement strategies to take down infringing material

A fundamental mechanism that secures the internet has been broken


National research center for Cybersecurity ATHENE says it has found a way to easily bypass this security mechanism, and in a way that means affected network operators are unable to notice.

https://www.darkreading.com/edge-articles/the-insecurities-of-cybersecurity-success
While he uses content creation as a lens for talking about mental health and the pressures he faces, he also draws parallels between making videos for the community and making tools for the community

https://circleid.com/posts/20221004-developing-models-for-the-prediction-of-domain-name-renewal-rates
One of the key issues for the Domain industry is how to accurately predict year-on-year Continue reading

Hedge 150: Micah Beck and Universal Broadband

What would the Internet look like—or what kinds of services would need to be developed and deployed—to make boradband class service available to every user? What could this kind of development do to drive entire societies forward? Micah Beck, from the University of Tennessee, joins Tom Ammon and Russ White to discuss universal broadband on this episode of the Hedge.

download

Weekend Reads 100722


Meta Platforms Inc. Chief Executive Officer Mark Zuckerberg outlined sweeping plans to reorganize teams and reduce headcount for the first time ever, calling an end to an era of rapid growth at the social media giant.


A food delivery drone operated by Alphabet subsidiary Wing landed on overhead power lines in Brisbane, Australia, and caught fire. As a result, the network was shut down by energy firm Energex to respond to the incident, leaving thousands without power.


If you know about DNS, you’ve probably heard of the Time-to-Live (TTL) field. But mistakes with TTL are more common than you might think. Here we look at the quirks of DNS record sets, parent/child domains and how to avoid TTL problems.


While some have given up on Moore’s Law, Intel CEO Pat Gelsinger clearly hasn’t. “For decades now, I’ve been in the debate: is Moore’s Law dead? And the answer is no,” he said, during his keynote at the Intel Innovation event this week.


In this post, we will demonstrate how malicious actors can force UDP DNS answers to fragment so they can inject forged DNS data into DNS resolver caches and highlight what percentage of servers are at risk.


We identify Continue reading

Weekend Reads 093022


Indeed, Juniper Research predicts that operator 5G FWA revenue will reach $24 billion worldwide by 2027, driven essentially by the use of the technology as a fibre replacement for consumer services.


Floppy disks may have gone the way of the dodo and joined other extinct media such as punched cards and paper tape, but some people are apparently still using them, and one company even continues to sell them.


Many companies also have changed how they operate, from having to deal with a more remote hybrid workforce to adapting to supply chains that have yet to completely rebound from the battering they took during the pandemic.


It’s going to be really interesting to see if Comcast, Charter, and the other big cable companies raise prices later this year. The industry has changed, and it doesn’t seem as obvious as in the past that cable companies can raise rates and that customers will just begrudgingly go along with it.


Extended spellcheck features in Google Chrome and Microsoft Edge web browsers transmit form data, including personally identifiable information (PII) and in some cases, passwords, to Google and Microsoft respectively.


Operator Telefónica and chip firm Qualcomm are putting their heads together Continue reading

Weekend Reads 092322


Arm says Nvidia’s Grace processor will be among the first chips to use its upcoming Neoverse V2 CPU cores.


The early deceased Heinz Rutishauser (1918–1970) of ETH Zurich is considered the most important Swiss pioneer from the early era of computer science.


According to Dell’Oro, datacenter switching set a new record for revenues for any second quarter in history and also for any first six months of any year since it has been keeping records.


A key requirement for a bad actor wanting to launch a brand attack is the registration of a carefully chosen domain name.


Here, we introduce the concept of the data bill of materials or personal data bill of materials, a comprehensive inventory of personal data used in software systems.


VirusTotal recently identified 7-Zip, TeamViewer, CCleaner, Microsoft Edge, Steam, Zoom, and WhatsApp as the most-mimicked software brands in malware attacks.


No business can own the generic word for the product it sells. We would find it preposterous if a single airline claimed exclusive use of the word “air,” or a broadband service tried to stop its rivals from using the word “broadband.”


Cisco has revealed new hardware it is willing to sell to Continue reading

Hedge 148: The SRE with Niall Murphy (part 2)

It seems like only yesterday we started talking about the Site Reliability Engineer, and their place in the IT ecosystem. Over the last several years, the role of the SRE has changed—and it’s bound to continue changing. On this episode of the Hedge, Niall Murphy joins Tom Ammon and Russ White to discuss the changing role of the SRE, and what the SRE could be.

download

If you want to read more on this topic, check out Niall’s article over a USENIX.

Weekend Reads 091622

Running a little late this week …


Smartphone shipments are forecast to shrink globally by 6.5 percent this year as many households feeling the pinch of inflation decide to prioritize paying for food, energy and other essentials over refreshing handsets.


SmartNICs have long been the domain of hyperscale and cloud datacenters, but they remain relatively uncommon in enterprise environments due in large part to the lack of software compatibility.


The last few years have demonstrated that breaches occur, no matter how much security organizations put in place.


Finally, one of the big challenges with subsea cabling has been power, and in particular how to provide power mid-cable for repeater equipment.


French cloud provider OVHcloud has opened up a Bring Your Own IP service, which it said allows customers to reuse existing public IPv4 blocks as failover addresses in the event of an outage.


Microsoft moves ahead with a plan to sunset basic authentication, and other providers are moving — or have moved — to requiring more secure authentication as well. Is your company ready?


You only have to follow cryptocurrency news casually to be struck by the size and frequency of cryptocurrency security failures.


Earlier this year, Motherboard reported Continue reading

Hedge 147: The SRE with Niall Murphy (part 1)

It seems like only yesterday we started talking about the Site Reliability Engineer, and their place in the IT ecosystem. Over the last several years, the role of the SRE has changed—and it’s bound to continue changing. On this episode of the Hedge, Niall Murphy joins Tom Ammon and Russ White to discuss the changing role of the SRE, and what the SRE could be.

download

If you want to read more on this topic, check out Niall’s article over a USENIX.

1 11 12 13 14 15 162