On Breaking Things

On this short take over at the Network Collective, I talk about the importance of breaking things.

Worth Reading: $600 billion in cyber crime

Cybercrime is costing businesses close to $600 billion, or 0.8 percent of global GDP, according to a report released today by McAfee, in partnership with the Center for Strategic and International Studies (CSIS). @CircleID

Worth Reading: The SEC issues new disclosure rules

The U.S. Securities and Exchange Commission on Wednesday updated guidance to public companies on how and when they should disclose cyber security risks and breaches, including disclosing potential weaknesses that have not yet been targeted by hackers. —Pete Schroeder @The Free Beacon

Network Collective: Securing BGP

Yet another protocol episode over at the Network Collective. This time, Nick, Jordan, Eyvonne and I talk about BGP security.

Worth Reading: GDPR and what’s next

The compliance deadline for the European Union’s General Data Protection Regulation (GDPR) is nearly upon us, the unveiling of a proposed model to bring WHOIS into compliance is said to come from ICANN next week, and everyone is scrambling to understand all that’s involved. —Fabricio Vayra @CircleID

Worth Reading: Peak DNSSEC?

Given that our current perceptions of the benefits of DNSSEC appear to be overshadowed by our perceptions of the risks in turning on DNSSEC, then the somewhat erratic measures of DNSSEC adoption are perhaps unsurprising. —Geoff Huston@potaroo

Reaction: Billing by the Hour

A very common mistake I see among engineers of all stripes is a failure to fully appreciate the value of time—both what it is worth, and how to make your time more valuable.

What I normally see is something like this—I should be making $x/hour, because I have this specific experience, or that specific skill set. This focus on hourly pay, however, is actually counter productive. For instance, I recently ran across an article in a publication for graphic designers and illustrators (a world I have followed since I lived it in many years ago)—

Billing by the hour is the most popular pricing method across the world in most industries. Of course, there are many web designers/developers out there who make a great living by using the hourly billing method, but in my opinion, value-based billing is far better than hourly billing. —Kyle Prinsloo @Web Designer Depot

To begin, what does Kyle mean when he says to “bill by value” rather than billing by the hour? Once, when I went into a lawyers office, I noticed he had a sign on the wall that said, “Lawyers don’t charge by the bullet.” The point the lawyer was making Continue reading

Worth Reading: Big changes coming to Internet protocols

When the Internet started to become widely used in the 1990s, most traffic used just a few protocols: IPv4 routed packets, TCP turned those packets into connections, SSL (later TLS) encrypted those connections, DNS named hosts to connect to, and HTTP was often the application protocol using it all. —Mark Nottingham @The Internet Society

Weekend Reads 022318: Copyright, walls, and botnets

Rejecting years of settled precedent, a federal court in New York has ruled [PDF] that you could infringe copyright simply by embedding a tweet in a web page. Even worse, the logic of the ruling applies to all in-line linking, not just embedding tweets. If adopted by other courts, this legally and technically misguided decision would threaten millions of ordinary Internet users with infringement liability. —Daniel Nazer @EFF

Security advances throughout the centuries have been mostly technical adjustments in response to evolving weaponry. Fortification — the art and science of protecting a place by imposing a barrier between you and an enemy — is as ancient as humanity. From the standpoint of theory, however, there is very little about modern network or airport security that could not be learned from a 17th century artillery manual. That should trouble us more than it does. —Jack Anderson

Akamai’s Fourth Quarter, 2017 State of the Internet, was released today in which it states that the analysis of more than 7.3 trillion bot requests per month has found a sharp increase in the threat of credential abuse, with more than 40 percent of login attempts being malicious. Additionally, the report warns DDoS attacks Continue reading

Brick Dome and Lamp

Worth Reading: MedSec and hackable IoT

In Fall 2016 I was invited to come to Miami as part of a team that independently x0000_sjm_quadraassuramp20crt20dvalidated some alleged flaws in implantable cardiac devices manufactured by St. Jude Medical (now part of Abbott Labs). These flaws were discovered by a company called MedSec. —Matthew Green @cryptographyengeering

Worth Reading: Analyzing Keilhos

This network forensics video tutorial covers how to analyze SPAM email traffic from the Kelihos botnet. —Erik Hjelmvik @NetRecSec

Short Take: The Broadcom SDKLT Announcement

My first short take at The Network Collective is up discussing the Broadcom SDKLT announcement. Does this really mean the end of vendors or network engineering? You can guess my answer, or you can watch the video and hear it for yourself.

Worth Reading: Cisco’s ASA vulnerability exploited

Hackers are actively trying to exploit a high-severity vulnerability in widely used Cisco networking software that can give complete control over protected networks and access to all traffic passing over them, the company has warned. —Dan Goodin @ARS Technica

Worth Reading: The dawn of OpenSource

Open Source software became a movement 20 years ago this month. To mark the occasion, Christine Peterson shared a never-before-published memoir about that day in February of 1998 when she coined the phrase Open Source. —David Cassel @The New Stack

History of Networking: Policy with Joel Halpern

Policy at Internet scale is a little understood, and difficult (potentially impossible) to solve problem. Joel Halpern joins the History of Networking over at the Network Collective to talk about the history of policy in the Internet at large, and networked systems in general.

Worth Reading: Pushed to th Edge

Anything with a benefit in efficiency will always find its niche, and it will change to plug into new niches as they arise and make use of ever-cheaper technologies as they advance from the edges. —Timothy Prickett Morgan @The Next Platform

Worth Reading: Asking the wrong questions

The National Academy of Sciences (NAS) released a much-anticipated report yesterday that attempts to influence the encryption debate by proposing a “framework for decisionmakers.” At best, the report is unhelpful. At worst, its framing makes the task of defending encryption harder. —Andrew Crocker and Nate Cardozo @EFF

On the ‘net: Spectre, Meltdown, and Flexible Scaleout

The recent Meltdown and Spectre attacks illustrate the problematic nature of modern computing systems. While the earlier Rowhammer attack could read or attack one process running in a virtual environment from another process running on the same processor, the Meltdown and Spectre attacks are of a completely different class, enabling a process to read large amounts of information from another process’ memory space. @GestaltIT

Worth Reading: Three strategies for navigating moral disagreement

We in America and Western Europe, and by now many other places in the world, have this idea of people as fundamentally rational. On this account, our profound cognitive abilities are designed to help us discover objective truths about the world through logical argument and empirical observation. Contemporary research in cognitive science, psychology and related fields paints a much different picture. —Musa Al-Gharbi @Heterodox Academy