Because of the Infineon Disaster of 2017 lots of TPM and Yubikey keys have to be regenerated.
I have previously blogged about how to create these keys inside the yubikey, so here’s just the short version of how to redo it by generating the key in software and importing it into the yubikey.
When it appears to stall, that’s when it’s waiting for a touch.
openssl genrsa -out key.pem 2048
openssl rsa -in key.pem -outform PEM -pubout -out public.pem
yubico-piv-tool -s 9a -a import-key --touch-policy=always -i key.pem
yubico-piv-tool -a verify-pin -a selfsign-certificate -s 9a -S '/CN=my SSH key/' -i public.pem -o cert.pem
yubico-piv-tool -a import-certificate -s 9a -i cert.pem
rm key.pem public.pem cert.pem
ssh-keygen -D /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -e
Delete all mentions of the previous key. It’s good to have a disaster plan ahead of time if keys need to be replaced, but if you don’t have one:
~/.ssh/authorized_keys
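Added example, not code from the original post: the Infineon flaw referred to above is the one published as ROCA, and the affected RSA moduli carry a public fingerprint (N mod p is always a power of 65537 mod p for each small prime p) that the researchers' detection tool relies on. The Python below re-implements that check over an OpenSSH key line of the kind found in ~/.ssh/authorized_keys, so the old keys that actually need replacing can be picked out; the encoder function exists only to construct sample input and is not needed for scanning.

```python
import base64
import struct

# Primes from the ROCA researchers' fingerprint test: for keys from the affected
# Infineon library, N mod p is always a power of 65537 mod p for each p here.
ROCA_PRIMES = [11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71,
               73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131, 137, 139,
               149, 151, 157, 163, 167]

def _powers_of_65537_mod(p):
    """All residues 65537^k mod p, i.e. the subgroup generated by 65537."""
    residues, x = set(), 1
    while x not in residues:
        residues.add(x)
        x = (x * 65537) % p
    return residues

_ALLOWED = {p: _powers_of_65537_mod(p) for p in ROCA_PRIMES}  # computed once

def has_roca_fingerprint(n):
    """True if modulus n matches the fingerprint of affected Infineon keys."""
    return all(n % p in _ALLOWED[p] for p in ROCA_PRIMES)

def parse_ssh_rsa_line(line):
    """Return (e, n) from an OpenSSH 'ssh-rsa AAAA...' public key line."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa key line")
    blob, parts, off = base64.b64decode(fields[1]), [], 0
    while off + 4 <= len(blob):  # sequence of length-prefixed strings
        (length,) = struct.unpack(">I", blob[off:off + 4])
        parts.append(blob[off + 4:off + 4 + length])
        off += 4 + length
    if len(parts) != 3 or parts[0] != b"ssh-rsa":
        raise ValueError("malformed ssh-rsa blob")
    return int.from_bytes(parts[1], "big"), int.from_bytes(parts[2], "big")

def encode_ssh_rsa_line(e, n, comment="constructed"):
    """Build an OpenSSH key line; used here only to construct sample input."""
    def mpint(x):  # big-endian bytes, leading 0x00 when the top bit is set
        b = x.to_bytes((x.bit_length() + 7) // 8, "big")
        if b[0] & 0x80:
            b = b"\x00" + b
        return struct.pack(">I", len(b)) + b
    blob = struct.pack(">I", 7) + b"ssh-rsa" + mpint(e) + mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment

def key_line_is_affected(line):
    """True when the key on an authorized_keys-style line needs replacing."""
    return has_roca_fingerprint(parse_ssh_rsa_line(line)[1])
```

A positive result means the key was generated by the affected library and should be replaced with one produced as shown above; a random modulus passes all 35 residue tests only with negligible probability.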
Between 11:09 and 11:27 UTC traffic for many large CDNs was rerouted through Brazil. Below is an example for the Internet’s most famous prefix 8.8.8.0/24 (Google DNS):

Some Google services seem to have been hijacked for roughly 15 minutes. Seen anything? @atoonk @bgpmon @bgpstream
— Fusl Neko Shy Dash (@OhNoItsFusl) October 21, 2017
MTR: https://t.co/RyCoE7zMld pic.twitter.com/DCT2JpKgsc
I was out at Gartner Catalyst in London in September, speaking to IT professionals about their data center deployments. It was an enjoyable time engaging actively with other like-minded technical individuals that were interested in leveraging the boundaries of their technologies to drive greater business efficiencies and competitiveness.
The common theme across all the attendees I spoke to was the urge for containerization, flexibility of design and rapid deployment. These IT professionals were being tasked with reacting faster and building more rapidly scalable environments. For their server and application needs, they all had turned to open solutions in Linux, leveraging operating systems such as Red Hat Enterprise Linux, CentOS and Ubuntu, and orchestration tools such as Mesos and Docker Swarm to control Docker containers. The common point I saw was that all the compute infrastructure relied on open solutions that allowed for greater simplicity without sacrificing flexibility.
I would then ask these same IT professionals: “What do you use for network infrastructure in these data centers?”
Universally, the response would come back: “Cisco” or “Arista” or “Juniper.”
I would push them: “Why?”
“Because it’s what we’ve always done.”
“It’s all we know.”
“No one ever
For the last year I have been working a lot with IWAN, which is Cisco’s SD-WAN implementation (before the Viptela acquisition).
One of the important aspects of SD-WAN is to be able to load balance the traffic. Load balancing traffic is not trivial in all situations though. Why not?
If you have a site where you have two MPLS circuits or two internet circuits and they both have the same amount of bandwidth, then things are simple. Or at least, relatively simple. Let’s say that you have a site with two 100 Mbit/s internet circuits. This means that we can do equal-cost multipathing (ECMP). Whether a flow ends up on link A or link B doesn’t matter. The flow will have an equal chance of utilizing as much bandwidth as it needs on either link. Now, there are still some things we need to consider even in the case of ECMP.
The size of flows – Some flows are going to be much larger than others, such as transferring files through CIFS or other protocols, or downloading something from the internet, versus something like Citrix traffic, which generally consists of smaller packets and doesn’t consume a lot of bandwidth.
The number
Containers are expected to see an adoption surge next year.
It’s only four days since we were blessed with news of the KRACK vulnerability in WPA2, so what have we learned now that we’ve had some time to dig into the problem?
In terms of patching wireless access points, the good news is that most of the enterprise vendors at least are on the ball and have either released patches, have them in testing, or have at least promised them in the near future. While one of the primary victims of KRACK in these devices is 802.11r (Fast Roaming), which is not likely to be used in most home environments, it’s more common to see repeater or mesh functionality in the home, and because the AP acts as a wireless client in these cases, it is susceptible to the vulnerability. So if you just have a single AP in the home, chances are that updating the firmware because of KRACK is not that urgent. That’s probably a good thing given the number of wireless access points embedded in routers managed by internet providers, running on old and unsupported hardware, or created by vendors who are no longer in business.
The clients are where
Cloud security threats are "moving up the stack."
GE partners with Apple on IoT; Intel invests $60 million in 15 technology startups; Alibaba works with Red Hat.
Company is accelerating its $10 billion cost restructuring plan.
Cable operators frown upon questions about a conflict between CCAP and Remote PHY.
The next serious update will include AI and edge computing support.