Russ

Author Archives: Russ

Learning to Ride

Have you ever taught a kid to ride a bike? Kids always begin the process by shifting their focus from the handlebars to the pedals, trying to feel out how to keep the right amount of pressure on each pedal, control the handlebars, and keep moving … so they can stay balanced. During this initial learning phase, the kid will keep their eyes down, looking at the pedals, the handlebars, and . . . the ground.

After some time of riding, though, managing the pedals and handlebars are embedded in “muscle memory,” allowing them to get their head up and focus on where they’re going rather than on the mechanical process of riding. After a lot of experience, bike riders can start doing wheelies, or jumps, or off-road riding that goes far beyond basic balance.
Network engineer—any kind of engineering, really—is the same way.

At first, you need to focus on what you are doing. How is this configured? What specific output am I looking for in this show command? What field do I need to use in this data structure to automate that? Where do I look to find out about these fields, defects, etc.?

The problem is—it is easy to get Continue reading

Controversial Reads 073022


This legislation dutifully provides trial lawyers with endless opportunities to sue Big Tech companies for something indefinable: childhood addiction to websites and phone apps. It puts the state government in charge of defining such addiction.


Recently Google employee Blake Lemoine caused a media storm over the LaMDA chatbot he was working on, that he claims is sentient (it feels things like a human being).


The problem with blockchain is that it’s not an improvement to any system—and often makes things worse.


We stand at a crossroads between a fragmented geopolitical world and a digital one that is more inclusive and sustainable. A common agenda with agreed priorities on public policy issues for the use of technology and connectivity will help take us in the right direction.


Earlier this month, I and others wrote a letter to Congress, basically saying that cryptocurrencies are an complete and total disaster, and urging them to regulate the space.


Of course, this bubble started to deflate when the Federal Reserve started talking about raising interest rates by half a percent. Terra Coin, a “stablecoin,” meaning a crypto that purports to maintain a value tied to an actual currency, collapsed in May.


At this point, they Continue reading

Weekend Reads 072922


Chris Siebenmann has written a short blog piece that reflects on the trend to see Certificate Transparency (CT) as the answer to ‘the problem’; the problem being how to tell if a validly signed and current certificate has somehow had to be repudiated.


For US$2,500, threat actors can employ Matanbuchus, a malware-as-a-service (MaaS) package found delivering Cobalt Strike beacons through phishing and spam messages.


As global and societal events such as supply chain shortages occur, there’s a corresponding increase in fraud related to fake domain registrations (websites) that capitalize on the event—creating unsafe situations for consumers.


Aside from recovery costs and business interruptions — the latter of which can cost as much as USD 22,000 per minute — the most damaging effect of such attacks can be reputational, specifically the loss of customers.


This week, it came to light that gaming platform Roblox was breached via a phishing/social-engineering attack that led to the theft of internal documents and the leaking of them online in an extortion attempt.


Researchers have discovered malware that has been secretly infecting systems featuring Asus and Gigabyte motherboards for at least six years.


The most important point is to understand that there are two very different Continue reading

Hedge 140: Aftab S and RIR Policies

Regional Internet Registries (RIRs) assign and manage numbered Internet resources like IPv4 address space, IPv6 address, and AS numbers. If you ever try to get address space or an AS number, though, it might seem like the policies the RIRs use to determine what kin and scale of resources you can get are a bit arbitrary (or even, perhaps, odd). Aftab Siddiqui joins Russ White and Tom Ammon to explain how and why these policies are set the way they are.

download

Weekend Reads 072222


The Chinese regime and other malign actors are trying to exert their influence over global technological standards, but the UK government’s response has been “incoherent and muted,” a committee of MPs has warned.


Researchers have discovered a new attack technique that exploits the speculative execution feature of modern CPUs to leak potentially sensitive information from the kernel’s memory.


The findings, which NJIT researchers will present at the Usenix Security Symposium in Boston next month, show how an attacker who tricks someone into loading a malicious website can determine whether that visitor controls a particular public identifier, like an email address or social media account, thus linking the visitor to a piece of potentially personal data.


Apple CEO Tim Cook has given his backing to a major effort to convince state governors, government, and educators to make computer science classes available to every student in every school. But it’s not just philanthropy in play.


Demand for smartphones is fading amid households’ fears about rising inflation and other monetary pressures, although brands including Samsung and Apple are weathering the economic storm.


In May 2022, 52% of business email compromise (BEC) scams impersonated third-party organizations, exposing businesses to supply chain attacks.


While computer Continue reading

Hedge 139: Open Source Supply Chain Security

There is a rising concern about the security of open source projects—particularly in terms of open source software supply chain. Alistair Woodman, who works closely with multiple open source software projects, joins Tom and Russ to discuss the reality of securing open source projects. The final answer? Essentially, buyer—or in the case of open source software, user—beware.

download

Weekend Reads 071522


After more than a decade when cryptocurrencies and related technologies have surged, boomed, and busted in a regulatory vacuum, lawmakers in both the US and Europe are writing new rules for a sector that has grown dangerously large in both value and reach,


With the emergence of privacy regulations that assign penalties based on a business’ profit, or those that calculate a value for each compromised record, it is possible to calculate the cost of a breach based on those metrics.


What is the most expensive component in the more generic, non-accelerated servers that comprise the majority of their server fleets? Main memory, correct again.


Cybersecurity researchers have detailed the various measures ransomware actors have taken to obscure their true identity online as well as the hosting location of their web server infrastructure.


After nearly two years of legal wrangling, the European Parliament on Tuesday passed the Digital Markets Act and the Digital Services Act, teeing up a showdown between the continent and US tech giants.


The new PCI DSS Standard, version 4.0, contains all the steps, best practices, and explanations required for full compliance. In fact, even an organization that does not process cardholder data could follow the Continue reading

Hedge 138: The Robustness Principle

Most network engineers take it as a “given” that the robustness principle is the “right way” to build protocols and networks—”be conservative in what you send, and liberal in what you receive.” The idea behind the robustness principle is that implementations should implement specifications as accurately as possible, but they should also accept malformed and otherwise erroneous data, process the best they can, and drop the bits they cannot process. This should allow the network to operate correctly in the face of defects and other failures. A recent draft, draft-iab-protocol-maintenance/, challenges the assumptions behind the robustness principle. Join Tom and Russ as they discuss the robustness principle and its potential problems.

download

Privacy for Providers

While this talk is titled privacy for providers, it really applies to just about every network operator. This is meant to open a conversation on the topic, rather than providing definitive answers. I start by looking at some of the kinds of information network operators work with, and whether this information can or should be considered “private.” In the second part of the talk, I work through some of the various ways network operators might want to consider when handling private information.

Weekend Reads 070822

We kick off this edition of the weekend reads with a few articles on security. Misconfigured cloud storage buckets and a failure to implement good password practices are, as always, a major source of security issues.


We found that only 15 websites were following best practices. The remaining 105 either leave users at risk for password compromise or frustrated from being unable to use a sufficiently strong password (or both).


A misconfigured Amazon S3 bucket resulted in 3TB of airport data (more than 1.5 million files) being publicly accessible, open, and without an authentication requirement for access, highlighting the dangers of unsecured cloud infrastructure within the travel sector.


An unlucky fat-fingering precipitated the current crisis: The client had accidentally deleted the private key needed to sign new firmware updates.

Another study showing the importance of DNS abuse in spreading malware.


In April, I participated in the panel session ‘Real Life Perspectives on Regional DNS Abuse in APAC’ at the APAC DNS Forum 2022, during which I and my fellow panellists shared examples of DNS incidents that we’ve seen in the Asia Pacific region and how we, as a community, can improve how we mitigate these threats.

Another reminder that Continue reading

Weekend Reads 070122


For decades, hopeful techies have been promising a world where absolutely every object you encounter—bandages, bottles, bananas—will have some kind of smarts thanks to supercheap programmable plastic processors.


To be clear, current artificial intelligence systems are decades away from being able to experience feelings and, in fact, may never do so.


The fact that LaMDA in particular has been the center of attention is, frankly, a little quaint. LaMDA is a dialogue agent. The purpose of dialogue agents is to convince you that you are talking with a person.


While it has always seemed absurd that this matter wasn’t addressed before the government extorted huge sums of money from operators for the right to do so, it’s also reasonable to assume the matter is not restricted to the US.


The number of tech layoffs in May alone skyrocketed 780% over the first four months of the year combined, according to outplacement services firm Challenger, Gray & Christmas.


Just before last Christmas, in a first-of-a-kind case, JPMorgan was fined $200M for employees using non-sanctioned applications for communicating about financial strategy.


At the same time, I’ve also noticed what might be called a zero-trust backlash, as it becomes apparent that you can’t Continue reading

Hedge 136: The IPv6 ULA Mess

IPv6’s designers built the concept of Unique Local Addresses, or ULAs, into the addressing architecture to make network address translation unnecessary for IPv6 deployments. As with many other plans of mice and men, however, the unintended consequences of what is a good idea tend to get in the way. Nick Buraglio joing Eyvonne Sharp, Tom Ammon, and Russ White to discuss the many problems of IPv6 ULA, why it isn’t practical in most network deployments, and the larger question of how standards bodies sometimes fail to consider the unintended consequences of a good idea.

download

Controversial Reads 062522


Research by Citrix shows business leaders don’t entirely trust their employees when it comes to hybrid work.


The best result for big tech is if laws are absent or useless. The latest survey of big tech lobbying in the US reveals a flotilla of nearly 500 salespeople/lawyers touring the US state legislatures, trying to either draw up tech friendly legislation to insert into privacy bills, water then down through persuasion, or just keep them off the books.


Last month, the 11th Circuit Court of Appeals held that several parts of Florida’s social media law, S.B. 7072, were likely unconstitutional.


So when Facebook points out that Apple is using switching costs to take its users hostage, they know what they’re talking about.


Eliza became a phenomenon. Engineers got into Abbott and Costello–worthy accidental arguments with it when they thought they’d connected to a real co-worker.


Over the past few years, data brokers and federal military, intelligence, and law enforcement agencies have formed a vast, secretive partnership to surveil the movements of millions of people.


The positive and negative real-world impacts of blockchain applications both direct and indirect are critical. Whether this increasingly institutionalized sector will spark a real revolution or Continue reading

Weekend Reads 062422


The Iranian state-sponsored threat actor tracked under the moniker Lyceum has turned to using a new custom .NET-based backdoor in recent campaigns directed against the Middle East.


A service level agreement (SLA) is a contract between a cloud provider and a user. The SLA describes the provider’s minimum level of service, specified by performance metrics, and the compensation due to the user should the provider fail to deliver this service.


Grooming techniques used in various frauds are getting more common and more elaborate. Fraudsters are coming up with narratives that involve complicated lies and may have different stages, depending on the type of fraud.


For years, the two most popular methods for internal scanning: agent-based and network-based were considered to be about equal in value, each bringing its own strengths to bear.


Introduced last fall, GDC enables customers to deploy managed servers and software in private datacenters and at communication service provider or on the edge.


In recent years, the price per address for small blocks (/17 and smaller) has been greater than the price per address of large blocks (/16 and larger).


Domain Name System (DNS) abuse is one of the most important ongoing discussions in the community. Many Continue reading

Hedge 135: Simon Sharwood, China, and IPv6

Over the last several years various Chinese actors (telecom operators and vendors) have been pushing for modifications to IPv6 to support real-time applications and other use cases. Simon Sharwood wrote an article over at the Register on their efforts and goals. While this effort began with big IP, moved into new IP, and has been called many other names. These efforts are being put forward in various venues like the IETF, the ITU, etc. Simon Sharwood, who writes for the Register, joins Tom Ammon and Russ White to discuss these efforts.

Here is a recent article where Simon is discussing these issues.

download

IEEE Conference on Network Softwarization

I’m moderating a panel at the upcoming IEEE Conference on Network Softwarization. This is one of the various “good sources” out there for understanding what might be coming in the future for computer networks. The conference is hybrid, so you can register and watch the sessions live from the comfort of your home (or office).

I’m moderating the distinguished experts panel on the afternoon of the 30th.

Please register here.

How the Internet Really Works

Gentle reminder that I’m teaching a three-hour webinar on Safari Books this coming Friday on Internet operations. The course is roughly divided into three parts.

The first part covers DNS operations, including a high-level overview of how DNS works and some thoughts on how DNS providers “work” financially. The second part is a high-level overview of packet transport, focusing on routing, the different kinds of providers, and how each of of the different kinds of providers “work” financially. The third part is a collection of other odds and ends.

You can register here.

Anyone who registers is able to watch a recorded version of the training afterwords.

I’m teaching part 2 next month, which I call Navigating the DFZ.

1 13 14 15 16 17 162