Worth Reading: Responsible Encryption Fallacies

Moreover, instead being a solution to cyber threats, law enforcement has become a threat itself. The DNC didn’t have the FBI investigate the attacks from Russia likely because they didn’t want the FBI reading all their files, finding wrongdoing by the DNC. It’s not that they did anything actually wrong, but it’s more like that famous quote from Richelieu “Give me six words written by the most honest of men and I’ll find something to hang him by”. Give all your internal emails over to the FBI and I’m certain they’ll find something to hang you by, if they want. —Robert Graham @ Errata Security

The post Worth Reading: Responsible Encryption Fallacies appeared first on rule 11 reader.

Worth Reading: 10 Layers of Container Security

Containers provide an easy way to package applications and deliver them seamlessly from development to test to production. This helps ensure consistency across a variety of environments, including physical servers, virtual machines (VMs), or private or public clouds. These benefits are leading organizations to rapidly adopt containers in order to easily develop and manage the applications that add business value. —Daniel Oh @ Opensource

The post Worth Reading: 10 Layers of Container Security appeared first on rule 11 reader.

IS-IS Multi Instance: RFC8202

Multi-Instance IS-IS
One of the nice things about IS-IS is the ability to run IPv6 and IPv4 in the same protocol, over a single instance. So long as the two topologies are congruent, deploying v6 as dual stack is very simply. But what if your topologies are not congruent? The figure below illustrates the difference.

In this network, there are two topologies, and each topology has two different set of level 1/level 2 flooding domain boundaries. If topology 1 is running IPv4, and topology 2 is running IPv4, it is difficult to describe such a pair of topologies with “standard” IS-IS. The actual flooding process assumes the flooding domain boundaries are on the same intermediate systems, or that the two topologies are congruent.

One way to solve this problem today is to use IS-IS multi-topology, which allows the IPv6 and IPv4 routing information to be carried in separate TLVs so two different Link State Databases (LSDBs), so each IS can compute a different Shortest Path Tree (SPT), one for IPv4, and another for IPv6. Some engineers might find the concept of multi-topology confusing, and it seems like it might be overkill for other use cases. For instance, perhaps you do Continue reading

Worth Reading: The Largest Hole in Cloud Security

Configuration errors made while using cloud-storage services are common, security experts say, and often occur when users set access permissions so someone outside of the company—say, a vendor—can see data. “More data has been lost due to poor configuration than anything else on the cloud,” says Vincent Liu a partner at Bishop Fox, a computer-security consulting firm. —Robert McMillan @ Market Watch

The post Worth Reading: The Largest Hole in Cloud Security appeared first on rule 11 reader.

Rush Reflection

The post Rush Reflection appeared first on rule 11 reader.

Worth Reading: The Ascendancy of Ethernet Storage Fabrics

It is hard to remember that for decades, whether a system was large or small, its storage was intricately and inescapably linked to its compute. Network attached storage, as pioneered by NetApp, helped break those links between compute and storage in the enterprise at the file level. But it was the advent of storage area networks that allowed for storage to still be reasonably tightly coupled to servers and work at the lower block level, below file systems, while at the same time allowing that storage to scale independently from the number of disks you might jam into a single box. —Timothy Prickett Morgan @ The Next Platform

The post Worth Reading: The Ascendancy of Ethernet Storage Fabrics appeared first on rule 11 reader.

History of Networking: Radia Perlman and Spanning Tree

On this episode of the History of Networking over at the Network Collective, we interviewed Radia Perlman about the origin of Spanning Tree. She is really delightful, and we plan on bringing her back on in the future to talk about other topics in the history of networking technology.

The post History of Networking: Radia Perlman and Spanning Tree appeared first on rule 11 reader.

Forthcoming: Computer Networking Problems and Solutions

The new book should be out around the 29th of December, give or take a few days. For readers interested in what Ethan and I (and Ryan, and Pete Welcher, and Jordan Martin, and Nick Russo, and… the entire list is in the front matter), the general idea is essentially grounded in RFC1925, rule 11. There is really only a moderately sized set of problems computer system needs to solve in order to carry data from one application to another. For instance, in order to transport data across a network, you need to somehow format the data so everyone can agree on how to write and read it, ensure the data is carried without errors, ensure neither the sender nor the receiver overrun or underrun one another, and find some way to allow multiple applications (hosts, etc.), to talk over the same media. These four problems have somewhat proper names, of course: marshaling, which involves dictionaries and grammars; error control; flow control; and multiplexing. So the first step in understanding network engineering is to figure out what the problems are, and how to break them apart.

Once you understand the problems, then you can start thinking about solutions. As Continue reading

Worth Reading: GDPR and Personal Data

With the General Data Protection Regulation (GDPR) becoming effective May 25, 2018, organizations (or rather, organisations) seem to be stressing a bit. Most we speak with are asking, “where do we even start?” or “what is included as personal data under the GDPR?” It is safe to say that these are exactly the questions organizations should be asking, but to know where to start, organizations first need to understand how the GDPR applies to their organization within this new definition for personal data. Without first understanding what to look for, an organization cannot begin to perform data discovery and data mapping exercises, review data management practices and prepare the organization for compliance with the GDPR. —Chris Lippert @ Cloud Security Alliance

The post Worth Reading: GDPR and Personal Data appeared first on rule 11 reader.

Worth Reading: The Importance of Setting Goals

As Tom Garriga, president of Tang Wei Martial Arts Institute, tells us, “A goal is an enemy to be conquered with a battle strategy and the commitment of a warrior. The leadership process is founded on resolve and commitment.” With this in mind, there are several components to the proper setting of goals that every leader should embody. —Chris Brady

The post Worth Reading: The Importance of Setting Goals appeared first on rule 11 reader.

Worth Reading: The Madness of Speed Tests

We know how to X-ray a network, and the results are rather revealing. If you use the right metrics, you can also model the performance limits of any application from the measurements you take. Even a speed test! So you don’t need to snap the wings off your broadband service every time you use it after all. —Martin Geddes @ CircleID

The post Worth Reading: The Madness of Speed Tests appeared first on rule 11 reader.

Adminstravia 20171009

Where’s Russ?

This is my second week of PhD seminars this fall—the only time in this program I intend to take two seminars back to back. One of the two was, in fact, very deep philosophy, so I was pretty taxed trying to pull the material together.

At the same time, the book has passed through technical review, and is now in author review. I hope it soon be in proofs. The combination of these two things, the book and the PhD work, along with multiple other things, is what caused me to call a pause in blogging for these two weeks. The date to watch is the 29th of December. It might be released earlier, but it is hard to tell right now. I will do a post a little later this week describing the book for those who are interested.

Tonight (Monday) I will be recording a new Network Collective show on the Intermediate System to Intermediate System (IS-IS) protocol, and we have a long list of History of Networking guests to bring on. The history material has turned out to be absolutely fascinating; I am thankful we have the connections available, and the recording venue, and someone Continue reading

Worth Reading: Open Source Licenses

Today, the GPL license that Stallman pioneered is in its third version (GNU GPLv3) and is only one of several dozen types of open source licenses. The Open Source Initiative, an organization founded in 1998 to promote open source software and normalize the use of the term, has approved more than 80 open source licenses. These 80 licenses generally fall into one of two categories: permissive licenses and copyleft licenses. —Heather Meeker @OpenSource

The post Worth Reading: Open Source Licenses appeared first on rule 11 reader.

The History of Networking: Tony Li on BGP

The Network Collective has another History of Networking up; this time we’re chatting with Tony Li about the History of BGP. Tony was not involved in the original origins of BGP (the famous napkin, a picture of which you can see in this book), but he did start working on it in around 1996, the year I joined Cisco as a lowly TAC engineer.

The post The History of Networking: Tony Li on BGP appeared first on rule 11 reader.

Light/No Blogging this Week

I’m trying to get through the final bits of this new book (which should publish at the end of December, from what I understand), and the work required for a pair of PhD seminars (a bit over 50 pages of writing). I probably won’t post anything this week so I can get caught up a little, and I might not be posting heavily next week.

I’ll be at SDxE in Austin Tuesday and Wednesday, if anyone wants to find me there.

The post Light/No Blogging this Week appeared first on rule 11 reader.

Worth Reading: Distrusting Symantic Certificates

At the end of July, the Chrome team and the PKI community converged upon a plan to reduce, and ultimately remove, trust in Symantec’s infrastructure in order to uphold users’ security and privacy when browsing the web. This plan, arrived at after significant debate on the blink-dev forum, would allow reasonable time for a transition to new, independently-operated Managed Partner Infrastructure while Symantec modernizes and redesigns its infrastructure to adhere to industry standards. This post reiterates this plan and includes a timeline detailing when site operators may need to obtain new certificates. —Devon O’Brien, Ryan Sleevi, Andrew Whalley @ Google Security

The post Worth Reading: Distrusting Symantic Certificates appeared first on rule 11 reader.

Hanging Bridge

The post Hanging Bridge appeared first on rule 11 reader.

Worth Reading: BlueBorne

Bluetooth is ubiquitous, commonly connecting accessories like headsets and keyboards, but is also used throughout the brave new Internet of Things (IoT) world. An attacker exploiting these BlueBorne vulnerabilities can mount a man-in-the-middle attack, or even take control of a device without the user even noticing it. The vulnerabilities were discovered by a security company called Armis earlier this year. Researchers reached out to the companies responsible for vulnerable implementations that lead to the coordinated disclosure (and patches) on September 12. —Andrei Robachevsky @ The Internet Society

The post Worth Reading: BlueBorne appeared first on rule 11 reader.

Worth Reading: Why you shouldn’t use your face to unlock your phone

Today Apple announced its new FaceID technology. It’s a new way to unlock your phone through facial recognition. All you have to do is look at your phone and it will recognize you and unlock itself. At time of writing, nobody outside of Apple has tested the security of FaceID. So this article is about the security of facial recognition, and other forms of biometric identification in general.Historically, biometric identification has been insecure. … If you value the security of your data — your email, social media accounts, family photos, the history of every place you’ve ever been with your phone — then I recommend against using biometric identification. Instead, use a passcode to unlock your phone. —Quincy Larson @ Free Code Camp

The post Worth Reading: Why you shouldn’t use your face to unlock your phone appeared first on rule 11 reader.

On the ‘net: Fragmentation and IPv6

Does this mean we ban all filtering of traffic on the public Internet, imposing the end-to-end rule in earnest, leaving all security to the end hosts? This does seem to be the flavor of the original IPv6 discussions around stateful packet filters. This does not, however, seem like the most realistic option available; the stronger defense is not a single perfect wall, but rather a series of less than perfect walls. Defense in depth will beat a single firewall every time. Another alternative is to accept another bit of reality we often forget in the network engineering world: abstractions leak. The end-to-end principle describes a perfectly abstracted system capable of carrying traffic from one host to another, and a perfectly abstracted set of hosts between which traffic is being carried.

The full post can be read over at the ECI blog.

The post On the ‘net: Fragmentation and IPv6 appeared first on rule 11 reader.