Weekend Reads 092421

Microsoft on Tuesday addressed a quartet of security flaws as part of its Patch Tuesday updates that could be abused by adversaries to target Azure cloud customers and elevate privileges as well as allow for remote takeover of vulnerable systems.

To meet current demands, as well as those of the next normal and an unpredictable future, retailers are now adopting software-driven strategies to deliver connected retail experiences and operations, ultimately resulting in the software-defined store.

Network measurement techniques have been mostly developed independently from protocols and, therefore, typically build upon externally visible semantics. One example of this is TCP sequence numbers and acknowledgements, which can be used to derive a flow’s round-trip time (RTT).

Ordinarily, when developing something, you start with a set of requirements or goals. But DNSSEC was a research project, so in place of requirements, developers set expectations of what needed to be done and what could be done to solve the DNS security problem.

Open-source M1-style chips may be in our future, according to a reverse-engineering document released online, Tom’s Hardware reports.

But how can they know that the plan they have is efficient enough to alleviate future cyber incidents? By using a cyber crisis tabletop Continue reading

Hedge 101: In Situ OAM

Understanding the flow of a packet is difficult in modern networks, particularly data center fabrics with their wide fanout and high ECMP counts. At the same time, solving this problem is becoming increasingly important as quality of experience becomes the dominant measure of the network. A number of vendor-specific solutions are being developed to solve this problem. In this episode of the Hedge, Frank Brockners and Shwetha Bhandari join Alvaro Retana and Russ White to discuss the in-situ OAM work currently in progress in the IPPM WG of the IETF.

download

Thoughts on the Collapsed Spine

One of the designs I’ve been encountering a lot of recently is a “collapsed spine” data center network, as shown in the illustration below.

In this design, and B are spine routers, while C-F are top of rack switches. The terminology is important here, because C-F are just switches—they don’t route packets. When G sends a packet to H, the packet is switched by C to A, which then routes the packet towards F, which then switches the packet towards H. C and F do not perform an IP lookup, just a MAC address lookup. A and B are responsible for setting the correct next hop MAC address to forward packets through F to H.
What are the positive aspects of this design? Primarily that all processing is handled on the two spine routers—the top of rack switches don’t need to keep any sort of routing table, nor do any IP lookups. This means you can use very inexpensive devices for your ToR. In brownfield deployments, so long as the existing ToR devices can switch based on MAC addresses, existing hardware can be used.

This design also centralizes almost all aspects of network configuration and management on the spine routers. Continue reading

Weekend Reads 091721

Relationships also evolved during this uprooting of typical routines. Pandemic “pods” helped some Americans maintain connection, but they complicated relationships and family dynamics at the same time.

Attackers are actively exploiting a Microsoft remote code execution vulnerability using malicious Office files, the tech giant has warned.

“When you have a high percentage of all AI activity in Bay Area metros, you may be overconcentrating, losing diversity, and getting groupthink in the algorithmic economy. It locks in a winner-take-most dimension to this sector, and that’s where we hope that federal policy will begin to invest in new and different AI clusters in new and different places to provide a balance or counter.”

Email isn’t just a communication tool; it’s also an identifier and a security measure. Companies use it to create profiles of you when you start accounts with them and it often doubles as your username.

However, it looks like most phishing emails could be used to obtain user credentials according to the 2021 Annual State of Phishing Report by Cofense. After analyzing millions of emails, Cofense found that 57% are credential phishing emails.

Computer programmers are a pretty predictable bunch. Every time they approach legacy code, the gut Continue reading

Hedge 100: Supply Chain Diversity with Brooks Westbrook and Mike Bushong

Most network engineers don’t spend a lot of time thinking about their supply chain—you must call your favorite vendor, order, and a few weeks later the hardware shows up on your loading dock. It’s not so simple any more. If you disaggregate, you need to manage your software and hardware supply chains separately. You need to think about security in your supply chain—is that software package backdoored? Moving to the cloud might seem to solve these problems, but they don’t. Even virtual networks have physical limits.

Listen in as Mike Bushong, Brooks Westbrook, Eyvonne Sharp, Tom Ammon, and Russ White discuss supply chain diversity and security.

download

Russ’ Rules of Network Design

We have the twelve truths of networking, and possibly Akin’s Laws, but is there a set of rules for network design? I couldn’t find one, so I decided to create one, containing 18 laws I’ve listed below.

Russ’ Rules of Network Design

1. If you haven’t found the tradeoffs, you haven’t looked hard enough.
2. Design is an iterative process. You probably need one more iteration than you’ve done to get it right.
3. A design isn’t finished when everything needed is added, it’s finished when everything possible is taken away.
4. Good design isn’t making it work, it’s making it fail gracefully.
5. Effective, elegant, efficient. All other orders are incorrect.
6. Don’t fix blame; fix problems.
7. Local and global optimization are mutually exclusive.
8. Reducing state always reduces optimization someplace.
9. Reducing state always creates interaction surfaces; shallow and narrow interaction surfaces are better than deep and broad ones.
10. The easiest place to improve or screw up a design is at the interaction surfaces.
11. The optimum is almost always in the middle someplace; eschew extremes.
12. Sometimes its just better to start over.
13. There are a handful of right solutions; there is an infinite array of wrong ones.
14. You are not immensely smarter than anyone else in Continue reading

Troubleshooting Webinar this Friday

I’m teaching my troubleshooting webinar this Friday. I’ve revamped the slides entirely, so this will likely be a big change for anyone who’s attended previous versions of this. Three hours, 109 slides, and interaction through the chat window … all to develop some really good skills in how to troubleshoot. For those who are curious, I was taught formal troubleshooting skills in my early life in electronics, learning my lessons on ILS, RADAR, and radio systems of various kinds. This webinar is my adaptation of those skills for network engineers.

You can register here.

Weekend Reads 091021

At some point, don’t be surprised if IBM ends up acquiring Nutanix. But not now, with Nutanix having a nearly $8 billion market capitalization and possibly commanding a $10 billion acquisition cost.

Some of the most successful and lucrative online scams employ a “low-and-slow” approach — avoiding detection or interference from researchers and law enforcement agencies by stealing small bits of cash from many people over an extended period.

If you were hit by ransomware, you are part of the rapidly growing number of organizations that have had to decide how to respond — legally, quickly and often quietly.

As the pandemic unfolded in spring 2020, many Americans saw their lives swiftly reshaped by stay-at-home orders, school closures and the onset of remote work.

With increased demands placed on home internet connections and the nation’s internet infrastructure during the pandemic, the quality and affordability of home internet connections became a focus for users on several fronts.

The graphics card inside your computer is a powerful tool for gaming and creative work, but it can also potentially serve as a Trojan horse for malware.

Decentralized solutions, in our case, which come with the ambitious promise of providing everything their centralized counterpart Continue reading

Hedge 99

Two things have been top of mind for those who watch the ‘net and global Internet policy—the increasing number of widespread outages, and the logical and physical centralization of the ‘net. How do these things relate to one another? Alban Kwan joins us to discuss the relationship between centralization and widespread outages. You can read Alban’s article on the topic here.

download

Weekend Reads 090321

In our professional practice, we are often called to perform rapid, approximate calculations without a calculator. Any available scrap of paper such as an envelope will do to scribble on.

The wireless carrier initially confirmed 47.8 million former, prospective and existing customers were impacted, but found the data of an additional 5.3 million customers was compromised.

A recent measurement study suggests that BBR is already being deployed by 22% of the Alexa Top 20k websites on the Internet.

Zero trust improves the security of IT environments as demonstrated over time by reduced attacker dwell time. The challenge many people face is understanding where to begin.

In recent months, we’ve been sharing information collected by APNIC honeypots with our community at several conferences, seminars, and workshops. ‘Information’ here basically means observations from the logs/traffic, as well as artefacts collected (such as scripts and binaries).

The Internet plays a crucial role in our increasingly digital daily lives. But who shapes and governs the patchwork that enables this essential utility? And how do their actions bear on the rights and interests of users all over the world?

We are facing the same paradox with respect to privacy and influence on the Continue reading

Hedge 098: DRIP with Stuart Card

Drones are becoming—and in many cases have already become—an everyday part of our lives. Drones are used in warfare, delivery services, photography, and recreation. One of the problems facing the world of drones, however, is the strong tie-in between the controller and the drone; this proprietary link limits innovation and reduces the information available to public officials to manage traffic, and even to protect the privacy of drone operators. The DRIP working group is building protocols designed to standardize the drone-to-controller interface, advancing the state of the art in drones and opening up the field for innovation. Stuart Card joins Alvaro Retana and Russ White to discuss DRIP.

download

Marketing Wins

Off-topic post for today …

In the battle between marketing and security, marketing always wins. This topic came to mind after reading an article on using email aliases to control your email—

For example, if you sign up for a lot of email newsletters, consider doing so with an alias. That way, you can quickly filter the incoming messages sent to that alias—these are probably low-priority, so you can have your provider automatically apply specific labels, mark them as read, or delete them immediately.

One of the most basic things you can do to increase your security against phishing attacks is to have two email addresses, one you give to financial institutions and another one you give to “everyone else.” It would be nice to have a third for newsletters and marketing, but this won’t work in the real world. Why?

Because it’s very rare to find a company that will keep two email addresses on file for you, one for “business” and another for “marketing.” To give specific examples—my mortgage company sends me both marketing messages in the form of a “newsletter” as well as information about mortgage activity. They only keep one email address on file, Continue reading

Worth Listening: Heidi Roizen

Project AI+Compassion just interviewed Heidi Roizen about compassion in IT; it’s worth listening to. From the show notes—

Storytelling is a powerful way for humans to connect and for humans to move other humans to action. To understand your story and understand the stories of others, we can develop a lot more compassion for people when we understand that everybody has a story. Everybody story is important. So, don’t dismiss other people’s stories. Take the time to get to know everyone has a story.

Weekend Reads 082721

Since the start of the pandemic, Huang has delivered keynotes from his kitchen. GTC 2021 still featured a kitchen keynote, but a section featured a virtual kitchen made entirely in Omniverse. Even more impressive, the Nvidia team managed to create a CG model of Huang that delivered part of the keynote.

The U.S. is presently combating two pandemics–coronavirus and ransomware attacks. Both have partially shut down parts of the economy. However, in the case of cybersecurity, lax security measures allow hackers to have an easy way to rake in millions.

Microsoft has disclosed details of an evasive year-long social engineering campaign wherein the operators kept changing their obfuscation and encryption mechanisms every 37 days on average, including relying on Morse code, in an attempt to cover their tracks and surreptitiously harvest user credentials.

We at PowerDNS have been getting questions about ‘DNS server cache snooping remote information disclosure’ attacks lately, mostly coming from reports generated by one very popular security scanner:

Researchers have long debated whether it would be worth the effort for scammers to train machine learning algorithms that could then generate compelling phishing messages.

IBM’s Cost of a Data Breach Report 2021 analyzed 537 real breaches and Continue reading

Hedge 97: Low Context DevOps

Language is deeply contextual—one of my favorite sayings from the theological world is if you take the text out of its context, you are just left with the con. What does context have to do with development and operations, though? Can there be low and high context situations in the daily life of building and running systems? Thomas Limoncelli joins Tom Ammon and Russ White to discuss the idea of low context devops, and the larger issue of context in managing projects and teams, on this episode of the Hedge.

download

It always takes longer than you think

Everyone is aware that it always takes longer to find a problem in a network than it should. Moving through the troubleshooting process often feels like swimming in molasses—you’re pulling hard, and progress is being made, but never fast enough or far enough to get the application back up and running before that crucial deadline. The “swimming in molasses effect” doesn’t end when the problem is found out, either—repairing the problem requires juggling a thousand variables, most of which are unknown, combined with the wit and sagacity of a soothsayer to work with vendors, code releases, and unintended consequences.

It’s enough to make a network engineer want to find a mountain top and assume an all-knowing pose—even if they don’t know anything at all.
The problem of taking longer, though, applies in every area of computer networking. It takes too long for the packet to get there, it takes to long for the routing protocol to converge, it takes too long to support a new application or server. It takes so long to create and validate a network design change that the hardware, software and processes created are obsolete before they are used.

Why does it always take too long? Continue reading

Weekend Reads 082021

Cross Site Scripting is the second most prevalent issue in the Open Source Foundation for Application Security (OWASP) top 10 – it’s found in roughly 2/3 of all applications.

Unidentified threat actors are actively exploiting a critical authentication bypass vulnerability to hijack home routers as part of an effort to co-opt them to a Mirai-variant botnet used for carrying out DDoS attacks, merely two days after its public disclosure.

Big O notation is an important tools for computer scientists to analyze the cost of an algorithm. Most software engineers should have an understanding of it.

Cybersecurity researchers have disclosed a new class of vulnerabilities impacting major DNS-as-a-Service (DNSaaS) providers that could allow attackers to exfiltrate sensitive information from corporate networks.

In his keynote, Tait, former information security specialist for the UK’s GCHQ and more recently a member of Google’s Project Zero team, outlined what he considers the three main factors that drove high-profile cyberattacks on Colonial Pipeline, Kaseya, Exchange Server, SolarWinds, and Codecov, as well as North Korea’s targeting of security researchers and the NSO Pegasus Project iOS hacks.

The two researchers reported the issues to Apple and many of them have been fixed. However, the security weaknesses are not Continue reading

Hedge 96: Mark Nottingham and the Future of Standardization

It often seems like the IETF is losing steam—building standards, particularly as large cloud-scale companies a reducing their participation in standards bodies and deploying whatever works for them. Given these changes, what is the future of standards bodies like the IETF? Mark Nottingham joins Tom Ammon and Russ White in a broad-ranging discussion around this topic.

download

The Centralization of the Internet

My article on Internet centralization just published over at The Public Discourse—

Most of the Internet’s traffic now flows through the networks of a few large companies rather than a multitude of small transit providers, and the Internet’s physical infrastructure is being reshaped to meet this new reality. But relying on a few providers to host all the content on the Internet makes it possible for just a few companies to shut down entire services or control speech.

Controversial Reads 081421

However, in the last 5-10 years it has felt that technology is actually running the other way. We aren’t getting more productive with our technology — we’re getting less productive. Even as technology grows, it is not providing significant gains, and in fact is giving us problems.

Here’s a paper worth revisiting, “On the Dangers of Stochastic Parrots: Can Language Models Be Too Big?” (March 3, 2021), if only for the principal author’s trouble associated with publishing it.

Silicon Valley was created in the Second World War to help the U.S. Army win the war. The government funded companies such as Fairchild Semiconductor.

How many messaging services do you use? Slack, Discord, WhatsApp, Apple iMessage, Signal, Facebook Messenger, Microsoft Teams, Instagram, TikTok, Google Hangouts, Twitter Direct Messages, Skype?

There’s uncertainty among executives and managers who must ensure that individual and team productivity remains high, customer demands are met, and employees are engaged. How can they meet these requirements when their workers aren’t corralled in offices?

Why should you care about data brokers? Reporting this week about a Substack publication outing a priest with location data from Grindr shows once again how easy it is for anyone to take Continue reading