Russ

Author Archives: Russ

Weekend Reads 072222


The Chinese regime and other malign actors are trying to exert their influence over global technological standards, but the UK government’s response has been “incoherent and muted,” a committee of MPs has warned.


Researchers have discovered a new attack technique that exploits the speculative execution feature of modern CPUs to leak potentially sensitive information from the kernel’s memory.


The findings, which NJIT researchers will present at the Usenix Security Symposium in Boston next month, show how an attacker who tricks someone into loading a malicious website can determine whether that visitor controls a particular public identifier, like an email address or social media account, thus linking the visitor to a piece of potentially personal data.


Apple CEO Tim Cook has given his backing to a major effort to convince state governors, government, and educators to make computer science classes available to every student in every school. But it’s not just philanthropy in play.


Demand for smartphones is fading amid households’ fears about rising inflation and other monetary pressures, although brands including Samsung and Apple are weathering the economic storm.


In May 2022, 52% of business email compromise (BEC) scams impersonated third-party organizations, exposing businesses to supply chain attacks.


While computer Continue reading

Hedge 139: Open Source Supply Chain Security

There is a rising concern about the security of open source projects—particularly in terms of open source software supply chain. Alistair Woodman, who works closely with multiple open source software projects, joins Tom and Russ to discuss the reality of securing open source projects. The final answer? Essentially, buyer—or in the case of open source software, user—beware.

download

Weekend Reads 071522


After more than a decade when cryptocurrencies and related technologies have surged, boomed, and busted in a regulatory vacuum, lawmakers in both the US and Europe are writing new rules for a sector that has grown dangerously large in both value and reach,


With the emergence of privacy regulations that assign penalties based on a business’ profit, or those that calculate a value for each compromised record, it is possible to calculate the cost of a breach based on those metrics.


What is the most expensive component in the more generic, non-accelerated servers that comprise the majority of their server fleets? Main memory, correct again.


Cybersecurity researchers have detailed the various measures ransomware actors have taken to obscure their true identity online as well as the hosting location of their web server infrastructure.


After nearly two years of legal wrangling, the European Parliament on Tuesday passed the Digital Markets Act and the Digital Services Act, teeing up a showdown between the continent and US tech giants.


The new PCI DSS Standard, version 4.0, contains all the steps, best practices, and explanations required for full compliance. In fact, even an organization that does not process cardholder data could follow the Continue reading

Hedge 138: The Robustness Principle

Most network engineers take it as a “given” that the robustness principle is the “right way” to build protocols and networks—”be conservative in what you send, and liberal in what you receive.” The idea behind the robustness principle is that implementations should implement specifications as accurately as possible, but they should also accept malformed and otherwise erroneous data, process the best they can, and drop the bits they cannot process. This should allow the network to operate correctly in the face of defects and other failures. A recent draft, draft-iab-protocol-maintenance/, challenges the assumptions behind the robustness principle. Join Tom and Russ as they discuss the robustness principle and its potential problems.

download

Privacy for Providers

While this talk is titled privacy for providers, it really applies to just about every network operator. This is meant to open a conversation on the topic, rather than providing definitive answers. I start by looking at some of the kinds of information network operators work with, and whether this information can or should be considered “private.” In the second part of the talk, I work through some of the various ways network operators might want to consider when handling private information.

Weekend Reads 070822

We kick off this edition of the weekend reads with a few articles on security. Misconfigured cloud storage buckets and a failure to implement good password practices are, as always, a major source of security issues.


We found that only 15 websites were following best practices. The remaining 105 either leave users at risk for password compromise or frustrated from being unable to use a sufficiently strong password (or both).


A misconfigured Amazon S3 bucket resulted in 3TB of airport data (more than 1.5 million files) being publicly accessible, open, and without an authentication requirement for access, highlighting the dangers of unsecured cloud infrastructure within the travel sector.


An unlucky fat-fingering precipitated the current crisis: The client had accidentally deleted the private key needed to sign new firmware updates.

Another study showing the importance of DNS abuse in spreading malware.


In April, I participated in the panel session ‘Real Life Perspectives on Regional DNS Abuse in APAC’ at the APAC DNS Forum 2022, during which I and my fellow panellists shared examples of DNS incidents that we’ve seen in the Asia Pacific region and how we, as a community, can improve how we mitigate these threats.

Another reminder that Continue reading

Weekend Reads 070122


For decades, hopeful techies have been promising a world where absolutely every object you encounter—bandages, bottles, bananas—will have some kind of smarts thanks to supercheap programmable plastic processors.


To be clear, current artificial intelligence systems are decades away from being able to experience feelings and, in fact, may never do so.


The fact that LaMDA in particular has been the center of attention is, frankly, a little quaint. LaMDA is a dialogue agent. The purpose of dialogue agents is to convince you that you are talking with a person.


While it has always seemed absurd that this matter wasn’t addressed before the government extorted huge sums of money from operators for the right to do so, it’s also reasonable to assume the matter is not restricted to the US.


The number of tech layoffs in May alone skyrocketed 780% over the first four months of the year combined, according to outplacement services firm Challenger, Gray & Christmas.


Just before last Christmas, in a first-of-a-kind case, JPMorgan was fined $200M for employees using non-sanctioned applications for communicating about financial strategy.


At the same time, I’ve also noticed what might be called a zero-trust backlash, as it becomes apparent that you can’t Continue reading

Hedge 136: The IPv6 ULA Mess

IPv6’s designers built the concept of Unique Local Addresses, or ULAs, into the addressing architecture to make network address translation unnecessary for IPv6 deployments. As with many other plans of mice and men, however, the unintended consequences of what is a good idea tend to get in the way. Nick Buraglio joing Eyvonne Sharp, Tom Ammon, and Russ White to discuss the many problems of IPv6 ULA, why it isn’t practical in most network deployments, and the larger question of how standards bodies sometimes fail to consider the unintended consequences of a good idea.

download

Controversial Reads 062522


Research by Citrix shows business leaders don’t entirely trust their employees when it comes to hybrid work.


The best result for big tech is if laws are absent or useless. The latest survey of big tech lobbying in the US reveals a flotilla of nearly 500 salespeople/lawyers touring the US state legislatures, trying to either draw up tech friendly legislation to insert into privacy bills, water then down through persuasion, or just keep them off the books.


Last month, the 11th Circuit Court of Appeals held that several parts of Florida’s social media law, S.B. 7072, were likely unconstitutional.


So when Facebook points out that Apple is using switching costs to take its users hostage, they know what they’re talking about.


Eliza became a phenomenon. Engineers got into Abbott and Costello–worthy accidental arguments with it when they thought they’d connected to a real co-worker.


Over the past few years, data brokers and federal military, intelligence, and law enforcement agencies have formed a vast, secretive partnership to surveil the movements of millions of people.


The positive and negative real-world impacts of blockchain applications both direct and indirect are critical. Whether this increasingly institutionalized sector will spark a real revolution or Continue reading

Weekend Reads 062422


The Iranian state-sponsored threat actor tracked under the moniker Lyceum has turned to using a new custom .NET-based backdoor in recent campaigns directed against the Middle East.


A service level agreement (SLA) is a contract between a cloud provider and a user. The SLA describes the provider’s minimum level of service, specified by performance metrics, and the compensation due to the user should the provider fail to deliver this service.


Grooming techniques used in various frauds are getting more common and more elaborate. Fraudsters are coming up with narratives that involve complicated lies and may have different stages, depending on the type of fraud.


For years, the two most popular methods for internal scanning: agent-based and network-based were considered to be about equal in value, each bringing its own strengths to bear.


Introduced last fall, GDC enables customers to deploy managed servers and software in private datacenters and at communication service provider or on the edge.


In recent years, the price per address for small blocks (/17 and smaller) has been greater than the price per address of large blocks (/16 and larger).


Domain Name System (DNS) abuse is one of the most important ongoing discussions in the community. Many Continue reading

Hedge 135: Simon Sharwood, China, and IPv6

Over the last several years various Chinese actors (telecom operators and vendors) have been pushing for modifications to IPv6 to support real-time applications and other use cases. Simon Sharwood wrote an article over at the Register on their efforts and goals. While this effort began with big IP, moved into new IP, and has been called many other names. These efforts are being put forward in various venues like the IETF, the ITU, etc. Simon Sharwood, who writes for the Register, joins Tom Ammon and Russ White to discuss these efforts.

Here is a recent article where Simon is discussing these issues.

download

IEEE Conference on Network Softwarization

I’m moderating a panel at the upcoming IEEE Conference on Network Softwarization. This is one of the various “good sources” out there for understanding what might be coming in the future for computer networks. The conference is hybrid, so you can register and watch the sessions live from the comfort of your home (or office).

I’m moderating the distinguished experts panel on the afternoon of the 30th.

Please register here.

How the Internet Really Works

Gentle reminder that I’m teaching a three-hour webinar on Safari Books this coming Friday on Internet operations. The course is roughly divided into three parts.

The first part covers DNS operations, including a high-level overview of how DNS works and some thoughts on how DNS providers “work” financially. The second part is a high-level overview of packet transport, focusing on routing, the different kinds of providers, and how each of of the different kinds of providers “work” financially. The third part is a collection of other odds and ends.

You can register here.

Anyone who registers is able to watch a recorded version of the training afterwords.

I’m teaching part 2 next month, which I call Navigating the DFZ.

Weekend Reads 061622


Seven months from now, assuming all goes as planned, Google Chrome will drop support for its legacy extension platform, known as Manifest v2 (Mv2). This is significant if you use a browser extension to, for instance, filter out certain kinds of content and safeguard your privacy.


But both the tools used and the threat posed by common cybercriminals pale in comparison to the tools used by more professional groups such as the famous hacking groups and state-sponsored groups.


A European team of university students has cobbled together the first RISC-V supercomputer capable of showing balanced power consumption and performance.


During the last decade, various individuals and organizations have contributed to promoting and deploying IPv6, which recently passed 40% adoption globally.


A successful attack against 5G networks could disrupt critical infrastructure, manipulate sensor data, or even cause physical harm to humans.


An Avengers-style mash up of telecoms firms are collaborating on experimental trials of new communications technologies expected to be underpinned by 6G.


Personally, in my more than 20 years of internet governance experience, tackling DNS abuse is one of the more important issues I’ve participated in and seen debated.


Infrastructure operators are struggling to reduce the rate of IT outages Continue reading

Hedge 134: Ten Things

One of the many reasons engineers should work for a vendor, consulting company, or someone other than a single network operator at some point in their career is to develop a larger view of network operations. What are common ways of doing things? What are uncommon ways? In what ways is every network broken? Over time, if you see enough networks, you start seeing common themes and ideas. Just like history, networks might not always be the same, but the problems we all encounter often rhyme. Ken Calenza joins Tom Ammon, Eyvonne Sharp, and Russ White to discuss these common traits—ten things I know about your network.

download

On Building a Personal Brand

How do you balance loyalty to yourself and loyalty to the company you work for?

This might seem like an odd question, but it’s an important component of work/life balance many of us just don’t think about any longer because, as Pete Davis says in Dedicated, we live in a world of infinite browsing. We’re afraid of sticking to one thing because it might reduce our future options. If we dedicate ourselves to something bigger than ourselves, then we might lose control of our direction. In particular, we should not dedicate ourselves to any single company, especially for too long. As a recent (excellent!) blog post over at the ACM says:

Loyalty is generally a good trait, but extreme loyalty to the organization or mission may cause you to stay in the same job for too long.

The idea that we should control our own destiny, never getting lost in anything larger than ourselves, is ubitiquos like water is to a fish. We don’t question it. We don’t argue. It is just true. We assume there are three people who are going to look after “me:” me, myself, and I.

I get it. Honestly, I do. I’ve been there Continue reading

Controversial Reads 061122


In the hands of police and other government agencies, face recognition technology presents an inherent threat to our privacy, free expression, information security, and social justice.


From social credit scores and online censorship to electronic billboards that display a citizen’s “violations” like jaywalking, surveillance is a part of everyday life for millions of Chinese people.


But there’s a much bigger threat to democracy coming out of Silicon Valley and it’s this: America’s largest financial and tech increasingly act as independent countries, routinely exporting jobs, money and technology to our most significant global adversary.


It’s difficult to overstate how dramatic this shift is, both in substance and in tone. Overpaying, and even coddling, talented engineers has, for years, been seen as a point of pride among tech’s leadership class.


Excessive centralization can stymie coordination and erode freedom, democracy, and economic dynamism—decentralization is supposed to be the remedy. But the term on its own is too vague to be a coherent end goal.


In early March, weeks after senators advanced a sweeping bill to expand competition in the tech industry, a regional newspaper more than 2,000 miles from Silicon Valley ran a defensive op-ed.


Raskin didn’t foresee how tech giants would exploit Continue reading

Weekend Reads 061022


Alongside the announcement of Ryzen 7000 processors, AMD revealed a new technology coming to the platform: Smart Access Storage.


The web of global intermediary liability laws has grown increasingly vast and complex as policymakers around the world move to adopt stricter legal frameworks for platform regulation.


Like other kinds of computing, if you put garbage data into a machine learning training run and then pour new data through it, what comes out as the answer is puréed garbage.


A critical code execution zero-day in all supported versions of Windows has been under active exploit for seven weeks, giving attackers a reliable means for installing malware without triggering Windows Defender and a roster of other endpoint protection products.


Although cyber conflict has existed for thirty years, the strategic utility of cyber operations remains unclear.


By expanding the breadth of device-to-application solutions with IPv6, LoRaWAN’s addressable IoT market is also broadened to include internet-based standards required in smart electricity metering and new applications in smart buildings, industries, logistics, and homes.


Earlier this year, the LockBit group posted a table listing encryption speeds for more than 30 ransomware families, highlighting the fact that LockBit 2.0 was the fastest.


In this post, I’ll Continue reading

1 13 14 15 16 17 162