Worth Reading: I can’t stop wasting time

There are so many distractions when you are a freelancer. From kids coming into your home office or time sucks like Facebook, you need to focus and be more efficient. The key is arming yourself with the right tools for the job. —Carrie Cousins @WebDesignerDepot

Worth Reading: Creating a Role for Standards

I think it’s obvious that traditional standards processes are simply not effective in the current age. They take way too long and they end up defining an architecture that has to be ignored if the end product is to be useful. —Tom Nolle @CIMI

Research: Even Password Complexity is a Tradeoff

Stronger passwords are always better—at least this is the working theory of most folks in information technology, security or otherwise. Such blanket rules should raise your suspicions, however; the rule11 maxim if you haven’t found the tradeoff, you haven’t looked hard enough should apply to passwords, too.

Dinei Florêncio, Cormac Herley, and Paul C. Van Oorschot. 2016. Pushing on string: the ‘don’t care’ region of password strength. Commun. ACM 59, 11 (October 2016), 66-74. DOI: https://doi.org/10.1145/2934663

Begin with this simple assertion: complex passwords are primarily a guard against password guessing attacks. Further, while the loss of a single account can be tragic for the individual user (and in some systems, the loss of a single password can have massive consequences!), for the system operator, it is the overall health of the system that matters. There is, in any system, a point at which enough accounts have been compromised that the system itself can no longer secure any information. This not only means the system can no longer hide information, it also means transactions within the system can no longer be trusted.

The number of compromised accounts varies based on the kind of system in view; effectively breaching Continue reading

Worth Reading: Microsoft’s Container Strategy Continues to Evolve

Although Microsoft is still a giant in the enterprise IT space, as almost every company of any size is running Windows servers and its related systems software stack, the company is well aware of which way the wind is blowing: corporate workloads are slowly but surely drifting to the cloud, and Linux is the only growing operating system. —Daniel Robinson @The Next Platform

Weekend Reads: 071918

In this post, we present ARTEMIS (Automatic and Real-Time dEtection and MItigation System), a defence system that can be used by operators to protect their own network from BGP prefix hijacking events. Using real experiments, we’ve shown that ARTEMIS can detect prefix hijacking events within seconds and neutralize them within a minute; orders of magnitude faster than with current practices. —Vasileios Kotronis @APNIC

You could sum up the security advantages of serverless this way: What containers did for ensuring the operating system and hardware layer could be maintained and secured separately, serverless offers the same at the application and web server layer. And yet — serverless is no silver bullet from a security perspective. Serverless environments still need to be designed and managed with security in mind at every moment. —Vince Power @The New Stack

Another lesson is that privacy defenses don’t need to be perfect. Many researchers and engineers think about privacy in all-or-nothing terms: a single mistake can be devastating, and if a defense won’t be perfect, we shouldn’t deploy it at all. That might make sense for some applications such as the Tor browser, but for everyday users of mainstream browsers, the threat model is death by Continue reading

Columns

Worth Reading: Your IoT Security Fears are Stupid

Lots of government people are focused on IoT security, such as this bill or this recent effort. They are usually wrong. It’s a typical cybersecurity policy effort which knows the answer without paying attention to the question. Government efforts focus on vulns and patching, ignoring more important issues. @Errata Security

Site Reliability Engineering at the Network Collective

The Site Reliability Engineer (SRE) role often seems a bit mysterious to folks working at smaller and mid-sized companies, where the team isn’t large enough to separate into SRE, operations, and other teams. What does and SRE do, and how is it different from what the average network engineer does? In this Network Collective Off the Cuff, we sit with Michael Kehoe of LinkedIn to discuss the role of the SRE.

Worth Reading: WPA3

Wi-Fi devices have been using the same security protocol for over a decade. But today, that’ll begin to change: the Wi-Fi Alliance, which oversees adoption of the Wi-Fi standard, is beginning to certify products that support WPA3… —Jacob Kastrenakes @The Verge

Worth Reading: The IPv4 Market

On September 24, 2015, the free supply of IPv4 numbers in North America dwindled to zero. Despite fears to the contrary, IPv4 network operators have been able to support and extend their IP networks by purchasing the IPv4 address space they need from organizations with excess unused supply through the IPv4 market. —Marc Lindsey @CircleID

Complexity Sells

Networks are complex. But why? There are two fundamental reasons. The first is complexity is required to solve hard problems, specifically in the area of resilience. The second is that complexity sells. In this short take, I look at the second reason in a little more depth.

Worth Reading: The End of the API Economy

Companies that rely upon third-party public APIs (for example, those from Facebook, Twitter, and other API providers) to do business have always been at risk. This is nothing new. —Bob Reselman @Programmableweb

Worth Reading: Living in the Moment

We spend most of our lives not truly living at all but shoring up goods for some time in the future when we can enjoy them—which never comes. —Michael De Sapio @Intellectual Takeout

Thoughts on Impostor Syndrome

How many times, on reading my blog, a book, or watching some video of mine over these many years (the first article I remember writing that was publicly available, many years ago, was the EIGRP white paper on Cisco Online, somewhere in 1997), have you thought—here is an engineer who has it all together, who knows technology in depth and breadth, and who symbolizes everything I think an engineer should be? And yet, how many times have you faced that feeling of self-doubt we call impostor synddome?

I am going to let you in on a little secret. I’m an impostor, too. After all these years, I still feel like I am going to be speaking in front of a crowd, explaining something at a meeting, I am going to hit publish on something, and the entire world is going to “see through the charade,” and realize I’m not all that good of an engineer. That I am an ordinary person, just doing ordinary things.

While I often think about these things, what has led me down the path of thinking about them this week is some reading I’ve been doing for a PhD seminar about human nature, work Continue reading

Worth Reading: Source Address Dependent Routing

Having multiple connections to the Internet, or being multihomed, is often a must to avoid a single point of failure. But, it is not as simple as getting two connections to the Internet — most Internet Service Providers (ISP) apply anti-spoofing so all packets sent on one ISP uplink must use a source address from this ISP. —Eric Vyncke @APNIC

Worth Reading: Is Everyone Missing the SD-WAN Boat?

What’s in a name? Too much, in many cases, because we tend to use a single very popular name (one with good media visibility) to cover a product space that may have little in the way of uniform features or even missions. We clearly have that problem with SD-WAN. —Tom Nolle @CIMI

On the ‘net: The Tradeoffs of Information Hiding

I recently joined Ethan Banks for a Packet Pushers episode around the trade offs of hiding information in the control plane. This was a terrific show; you can listen to it by clicking on the link below.

Today on the Priority Queue, we’re gonna hide some information. Oh, like route summarization? Sure, like route summarization. That’s an example of information hiding. But there’s much more to the story than that. Our guest is Russ White. Russ is a serial networking book author, network architect, RFC writer, patent holder, technical instructor, and much of the motive force behind the early iterations of the CCDE program.

Worth Reading: Shutting down a BGP Hijack Factory

It started with a lengthy email to the NANOG mailing list on 25 June 2018: independent security researcher Ronald Guilmette detailed the suspicious routing activities of a company called Bitcanal, whom he referred to as a “Hijack Factory.” —Doug Madory @Dyn

Weekend Reads 071318: Nice to Haves

I had about four hours of highway driving yesterday. Even though I probably could’ve navigated it on my own, I opted to use Apple Maps, which is integrated with my car’s Apple CarPlay “infotainment center.” It was nice. It told me how many miles I had remaining and my expected time of arrival. But it wasn’t a life changer. @The Old Reader

More than ever before Internet users are now interacting with people living/working in other economies. And as a result of these interactions, there are an increasing number of ‘legal contracts’ (intentional or not). Internet policy researchers and academics debate about the changing landscape and the boundaries of the international and domestic laws, without conclusive agreements. —Yeseul Kim @APNIC

The plague that is Spectre continues to evolve and adapt, showing up in two new variants this week dubbed Spectre 1.1 and Spectre 1.2 that follow the original Spectre’s playbook while expanding on the ways they can do damage. —Curtis Franklin Jr. @Dark Reading

These vast routing events that are propagated globally already provide a hint that some ISPs do not set filters at all, or there are vastly malformed AS-SETs. We decided to measure the number Continue reading

Computer Science Department