Russ

Author Archives: Russ

Reaction: Enabling Privacy is not Harmful

The argument for end-to-end encryption is apparently heating up with the work moving forward on TLSv1.3 currently in progress in the IETF. The naysayers, however, are also out in force, arguing that end-to-end encryption is a net negative. What is the line of argument? According to a recent article in CircleID, it seems to be something like this:

  • Governments have a right to asymmetrical encryption capabilities in order to maintain order. In other words, governments have the right to ensure that all private communication is ultimately readable by the government for any lawful purpose.
  • Standards bodies that enable end-to-end encryption that will prevent this absolute governmental good endanger society. The leaders of such standards bodies may, in fact, be prosecuted for their role in subverting government power.

The idea of end-to-end encryption is recast as a form of extremism, a radical idea that should not be supported by the network engineering community. Is end-to-end encryption really extremist? Is it really a threat to the social order?

Let me begin here: this is not just a technical issue. There are two opposing worldviews in play. Engineers don’t often study worldviews, or philosophy, so these questions tend to get buried in Continue reading

Worth Reading: Checklists

Thirty-six seconds after launch, lightning struck the Apollo 12 and its six million pounds of high explosive fuel. The instruments blacked out. Twenty-two seconds later lightning struck again. What few instruments remained started flashing red failure lights. The “you’re about to die” alarm started blaring. Over the radio the crew heard the voice of John Aaron: “Flight, try SCE to Aux.” Astronaut Alan Bean flipped the tiny switch immediately. —Jonathan Solórzano-Hamilton @ Free Code Camp

Worth Reading: Low Earth Satellite Internet Access

Satellites are now cheaper, smaller and lighter. OneWeb and their manufacturing partner Airbus say automation and re-design will enable them to manufacture three satellites per day at a cost of less than $1 million each and launch cost per satellite will be low since they are small and light. In a talk at the opening of the SpaceX satellite engineering office in 2015, CEO and Lead Designer Elon Musk expressed confidence that they would be able to mass produce satellites and also pointed out that the failure of one or a few satellites in a constellation of thousands was relatively unimportant. If a satellite fails, the remaining satellites will route around it, and increased tolerance of failure reduces manufacturing cost. —Larry Pess @ CircleID

Worth Reading: Hack it back is a bad idea

If there were a prize for the worst cybersecurity policy idea that just won’t die, it would have to go to “hacking back,” or making it legal for people to attack the computers that are attacking them. This idea has been around for years, which means that for years, people have been warning that this is a very bad idea—it’s not the first time I’ve written about this topic myself. But it’s a strangely persistent piece of policy, regardless of the fact that it’s been condemned by just about everyone, including law enforcement, and openly endorsed by almost no one. —Josephine Wolff @ Slate

Worth Reading: The calm before the IoT Storm (Reaper)

It’s been just over a year since the world witnessed some of the world’s top online Web sites being taken down for much of the day by “Mirai,” a zombie malware strain that enslaved “Internet of Things” (IoT) devices such as wireless routers, security cameras and digital video recorders for use in large-scale online attacks. Now, experts are sounding the alarm about the emergence of what appears to be a far more powerful strain of IoT attack malware — variously named “Reaper” and “IoTroop” — that spreads via security holes in IoT software and hardware. And there are indications that over a million organizations may be affected already. —Krebs on Security

Applying Software Agility to Network Design

The paper we are looking at in this post is tangential to the world of network engineering, rather than being directly targeted at network engineering. The thesis of On Understanding Software Agility—A Social Complexity Point of View, is that at least some elements of software development are a wicked problem, and hence need to be managed through complexity. The paper sets the following criteria for complexity—

  • Interaction: made up of a lot of interacting systems
  • Autonomy: subsystems are largely autonomous within specified bounds
  • Emergence: global behavior is unpredictable, but can be explained in subsystem interactions
  • Lack of equilibrium: events prevent the system from reaching a state of equilibrium
  • Nonlinearity: small events cause large output changes
  • Self-organization: self-organizing response to disruptive events
  • Co-evolution: the system and its environment adapt to one another

It’s pretty clear network design and operation would fit into the 7 points made above; the control plane, transport protocols, the physical layer, hardware, and software are all subsystems of an overall system. Between these subsystems, there is clearly interaction, and each subsystem acts autonomously within bounds. The result is a set of systemic behaviors that cannot be predicted from examining the system itself. The network design process is, Continue reading

Worth Reading: An observatory for path transparency measurement

Though the end-to-end principle and the four-layer TCP/IP architecture suggest that what happens above the IPv4 or IPv6 header isn’t any of the network’s business, the widespread deployment of firewalls, network address translators, proxies, and other middleboxes at layers four and seven mean that, in practice, TCP usually works, UDP usually works, and for everything else, your mileage may vary. —Brian Trammell @ APNIC

Worth Reading: Raw sockets in IPv6

As part of a measurement experiment, we wanted an implementation of an IPv6 UDP server and a TCP server that generated fragmented IPv6 packets. However, as an added condition, we wanted the application to directly control the packet fragmentation function. The conventional standard socket interface masks any visibility to the underlying packet transactions, and therefore cannot be used for this experiment. —Geoff Huston @Potaroo

Several on KRACK

Three articles of interest on the new WiFi KRACK—

This is not a crypto bug but a protocol bug (a pretty obvious and trivial protocol bug). When a client connects to the network, the access-point will at some point send a random “key” data to use for encryption. Because this packet may be lost in transmission, it can be repeated many times. What the hacker does is just repeatedly sends this packet, potentially hours later. Each time it does so, it resets the “keystream” back to the starting conditions. The obvious patch that device vendors will make is to only accept the first such packet it receives, ignore all the duplicates. —Robert Graham @Errata Security

So this is essentially a replay attack—something that is not taken seriously enough in the security world, by and large.

Researchers this week published information about a newfound, serious weakness in WPA2 — the security standard that protects all modern Wi-Fi networks. What follows is a short rundown on what exactly is at stake here, who’s most at-risk from this vulnerability, and what organizations and individuals can do about it. —Krebs on Security

And, finally, an article on protecting your network from KRACK—

Wi-Fi is Continue reading

Worth Reading: 4 Tips to Fight Propoganda

Disturbingly, both men confirmed the totality of propaganda in our society. And they did that many, many decades ago and well before the internet, social media, cable TV, or data mining. By 2017, many generations have been raised from infancy immersed in corporate, political, and ideological propaganda. Your grandparents were victims of propaganda, your parents were victims of propaganda, and you are, without a doubt, a victim of propaganda. —Devin Foley @Intellectual Takeout

The post Worth Reading: 4 Tips to Fight Propoganda appeared first on rule 11 reader.

On the ‘web: Failure Isn’t an Option

As I have been told many times, these sorts of Chaos Monkey things simply cannot be applied to the average “enterprise grade” network. For instance, “if you think the hospital administration is going to allow me to break things randomly to see how these systems work, you are crazy—people’s lives depend on this stuff!” Or, “this is all fine when you are dealing with maybe losing your photographs of that last hamburger you ate; you’d think twice if you were losing your checking account.” —ECI

The post On the ‘web: Failure Isn’t an Option appeared first on rule 11 reader.

Worth Reading: TLS and Data Center Monitoring

Over the course of four years, Transport Layer Security (TLS) 1.3 has been designed to be more secure in order to prevent the interception of sessions over the Internet. It has a more secure key exchange, based on the Elliptic Curve Diffie-Hellman algorithm, formally deprecating the use of RSA static keys to ensure forward secrecy (FS). The end user and privacy were top-of-mind with this and other TLS working group consensus decisions when the zero round trip time (0-RTT) option is not in use. —Kathleen Moriarty @APNIC

The post Worth Reading: TLS and Data Center Monitoring appeared first on rule 11 reader.

BGPsec and Reality

From time to time, someone publishes a new blog post lauding the wonderfulness of BGPsec, such as this one over at the Internet Society. In return, I sometimes feel like I am a broken record discussing the problems with the basic idea of BGPsec—while it can solve some problems, it creates a lot of new ones. Overall, BGPsec, as defined by the IETF Secure Interdomain (SIDR) working group is a “bad idea,” a classic study in the power of unintended consequences, and the fond hope that more processing power can solve everything. To begin, a quick review of the operation of BGPsec might be in order. Essentially, each AS in the AS Path signs the “BGP update” as it passes through the internetwork, as shown below.

In this diagram, assume AS65000 is originating some route at A, and advertising it to AS65001 and AS65002 at B and C. At B, the route is advertised with a cryptographic signature “covering” the first two hops in the AS Path, AS65000 and AS65001. At C, the route is advertised with a cryptogrphic signature “covering” the first two hops in the AS Path, AS65000 and AS65002. When F advertises this route to H, at Continue reading

Worth Reading: The Economics of DDoS

These days, there are typically three parties to a distributed denial of service attack. You probably know about two of them: the perpetrator and the target. Less well known is the vast and growing number of third-party providers of DDoS attacks as a service. Brazenly advertising their wares online, these providers will perform an attack on the customer’s behalf and provide detailed reports of their accomplishments. Their fees are shrinking due to rapidly expanding competition and the abundant supply of readily available attack resources, such as botnets. As a result, the DDoS attack business is very much a buyer’s market. —Kevin Whalen @Arbor

The post Worth Reading: The Economics of DDoS appeared first on rule 11 reader.

1 76 77 78 79 80 163