Worth Reading: Reopening the going dark debate

Just over a week ago, at the BlackHat hacker convention in Las Vegas, Ivan Krstić, Head of Security Engineering and Architecture at Apple gave a talk entitled “Behind the scenes of iOS Security,” the slides of which are available here. It’s a historic talk for a couple of reasons. First, Apple is traditionally very secretive about how it technically does security on its devices. Apple also announced its first bug bounty program. So far, so newsworthy. But something else happened at that talk. Unbeknownst to the presenter or anybody in the audience, Apple just reopened the “Going Dark” dispute between the FBI and the privacy community, and it turned the entire dispute on its head. —Lawfare

The post Worth Reading: Reopening the going dark debate appeared first on 'net work.

Beware the network without an operator

A lot of people seem to be looking forward to the day we build a network without an operator; to wit—

Containerized solutions and machine learning may soon be more than tangentially related. Containerized solutions will usher in an era of operations that don’t require human intervention. Once humans are taken out of operations, we will be free to apply machine learning techniques to what is left. —The New Stack

I hope not, because machines are more brittle than humans. Totally automated security fails much more often than security that uses a blend of people and algorithms. Machines do well at repetitive tasks, humans at catching the things that don’t fit into the algorithm’s state machine. Taking the person out of the network just means there’s no-one there to see when the state machine fails.

And it will fail—at some point. I know we like to believe that machines break less often, but I’m pretty certain there’s a counterpoint to this: when machines break, it’s more likely to be catastrophic. I’m not convinced replacing people with algorithms always reduces damage so much as move the potential damage around.

I hope not, because machines separate the decision from the decision maker. Continue reading

Worth Reading: Container defense in depth

The new age of image-based containers exploded onto the scene in early to mid-2013. Since the early days of the Docker container engine, we heard questions of whether they were secure enough. Our very own Dan Walsh was heard many times saying, “Docker containers don’t contain” — so the question is, can we safely use them? Especially in production? —The New Stack

The post Worth Reading: Container defense in depth appeared first on 'net work.

Worth Reading: Your chance to say no

“Passport and flight number, please. What brings you to the States? Duration of stay?” “LinkedIn username? OKCupid handle?” No, the U.S. Customs officer is not trolling you. If the Department of Homeland Security has its way, these will be standard questions for people visiting the United States. The DHS recently issued a proposal to ask tourists on visa waivers to share their “online presence” on the I-94W and the online application for the Electronic System for Travel Authorization (ESTA), including the social networks they use and their corresponding “identifiers”—their handles or account names. —CDT

The post Worth Reading: Your chance to say no appeared first on 'net work.

Self-Improvement Through Time Travel

There are some days I wish I could travel back in time and “fix” the time I wasted through an hour, a day, or a week working on something that really wasn’t worth my time, or just wandering through links on the Internet, looking at things I don’t really (ultimately) care about. My time management skills are, honestly, often lacking. There doesn’t seem to be a way, does there, though?

Or maybe there is. Let’s twist our brains a little and think about it this way. Tomorrow is going to be the day we wish we could travel into from the day after tomorrow to fix, right? So what if we did reverse time travel and fix tomorrow today? Sure, sounds nice, but how? The answer might seem a little trivial, but it’s only apparently trivial, rather than trivial in real life.

Once answer is the humble todo list. I know, you’ve made one of these before—in fact, you probably already have one, don’t you? And it’s never really helped, right? Well, let’s see if we can figure out how to supercharge to make it a bit more effective. To begin, we have to try to understand how a todo Continue reading

Worth Reading: Tracking the hackers

The e-mail from Google arrived at 4:09 AM on March 22 and contained an ominous alert for its recipient, William Rinehart, a staffer with Hillary Clinton’s presidential campaign. “Someone has your password,” the e-mail’s subject line declared. “Someone just used your password to try to sign in to your Google Account,” warned the message, which reported that the incursion attempt came from an IP address in Ukraine. —the smoking gun

The post Worth Reading: Tracking the hackers appeared first on 'net work.

Worth Reading: Network monitoring

I encounter a lot of sites that ignore syslog. Yes, there’s a large noise-to-signal ratio there. There are free tools that summarize the syslog data, and there are golden needles in the haystack as well. A tool like Splunk or syslog-NG (free in most Linux distributions) can help you send alerts based on the items of interest. Splunk can also give you frequency count based reports to separate out repeated happenings that might be of concern from one-time blips that aren’t worth investigating. —Netcraftsmen

The post Worth Reading: Network monitoring appeared first on 'net work.

On the ‘net: Crashes and Complexity

It’s a familiar story by now: on the 8th of August, 2016, Delta lost power to its Atlanta data center, causing the entire data center to fail. Thousands of flights were cancelled, many more delayed, and tens of thousands of travellers stranded. What’s so unusual about this event is in the larger scheme of network engineering, it’s not that unusual. If I think back to my time on the Escalation Team at a large vendor, I can think of hundreds of situations like this. And among all those events, there is one point in common: it takes longer to boot the system than it does to fix the initial problem. —CircleID

The post On the ‘net: Crashes and Complexity appeared first on 'net work.

Worth Reading: Networking needs information, not data

Data is useless. We need to perform analysis on it to get information. That’s where a new wave of companies is coming into the networking market. They are building on the frameworks and systems that are aggregating data and presenting it in a way that makes it useful information. Instead of random data points about NetFlow, these solutions tell you that you’ve got a huge problem with outbound traffic of a specific type that is sent at a specific time with a specific payload. The difference is that instead of sorting through data to make sense of it, you’ve got a tool delivering the analysis instead of the raw data. —Networking Nerd

The post Worth Reading: Networking needs information, not data appeared first on 'net work.

Worth Reading: IPv6 inside LinkedIn

Adding a new network stack requires that the security is at least equivalent to the previous IPv4 security. One approach could be to use a filter to deny all IPv6 traffic and work from there. However, once a device becomes IPv6 aware, you may break services if the device cannot reach the destination over IPv6 and the application either does not gracefully fallback to IPv4 or does not do so in a timely manner. Therefore, we took a different approach. —LinkedIn Engineering Blog

The post Worth Reading: IPv6 inside LinkedIn appeared first on 'net work.

snaproute Go BGP Code Dive (8): Moving to Open

Last week we left off with our BGP peer in connect state after looking through what this code, around line 261 of fsm.go in snaproute’s Go BGP implementation—

func (st *ConnectState) processEvent(event BGPFSMEvent, data interface{}) {
  switch event {
  ....
    case BGPEventConnRetryTimerExp:
      st.fsm.StopConnToPeer()
      st.fsm.StartConnectRetryTimer()
      st.fsm.InitiateConnToPeer()
....

What we want to do this week is pick up our BGP peering process, and figure out what the code does next. In this particular case, the next step in the process is fairly simple to find, because it’s just another case in the switch statement in (st *ConnectState) processEvent—

case BGPEventTcpCrAcked, BGPEventTcpConnConfirmed:
  st.fsm.StopConnectRetryTimer()
  st.fsm.SetPeerConn(data)
  st.fsm.sendOpenMessage()
  st.fsm.SetHoldTime(st.fsm.neighborConf.RunningConf.HoldTime,
    st.fsm.neighborConf.RunningConf.KeepaliveTime)
  st.fsm.StartHoldTimer()
  st.BaseState.fsm.ChangeState(NewOpenSentState(st.BaseState.fsm))
....

This looks like the right place—we’re looking at events that occur while in the connect state, and the result seems to be sending an open message. Before we move down this path, however, I’d like to be certain I’m chasing the right call chain, or logical thread. How can I do this? This code is called when (st *ConnectState) processEvent is called with an event Continue reading

Worth Reading: The future of networking with Pete Lumbis

The next person I interviewed about the future of networking is my friend Pete Lumbis. Pete used to be the routing escalations TAC leader at Cisco and now he is working at Cumulus as a SE. Pete holds both a CCIE and a CCDE. —Lost in Transit

The post Worth Reading: The future of networking with Pete Lumbis appeared first on 'net work.

Worth Reading: Email optimization

In Part 1 of this series, we introduced the problem of email volume optimization. We showed that on the one hand, email is among the principal drivers of engagement, but on the other hand, excessive email volume results in increased negative responses such as members unsubscribing from an email type or reporting emails as spam. We discussed an approach for email volume optimization that minimizes email volume while maximizing downstream sessions and minimizing the number of member complaints (unsubscribes and spam reports). In this post, we’ll discuss our learnings from this approach and describe our new, improved approach that has resulted. —LinkedIn Engineering Blog

The post Worth Reading: Email optimization appeared first on 'net work.

In Flight

The post In Flight appeared first on 'net work.

Worth Reading: NTP is still a security risk

The Network Time Protocol (NTP) has been in the news a number of times over the past couple of years because of attacks on the protocol, vulnerabilities in the daemon, and the use of NTP in DDoS attacks. In each case, the developers of NTP have responded quickly with fixes or recommendations for remediating these attacks. Additionally, the development team has continued to look ahead and has worked to enhance the security of NTP. —CircleID

The post Worth Reading: NTP is still a security risk appeared first on 'net work.

Worth Reading: Living in an age of cyber extortion

One of the most famous examples of DDoS attacks used for extortion was attributed to an attacker using the moniker “DD4BC,” which stands for “DDoS for Bitcoin.” ASERT wrote about this in June. Due to DD4BC’s success copy cats emerged and these types of attacks spread quickly around the world. In fact, there have been stories reported of “copy cats of copy cats,” simply threatening to launch DDoS attacks in exchange for bitcoin – even though they had no such botnet at their disposal. —Arbor

The post Worth Reading: Living in an age of cyber extortion appeared first on 'net work.

Worth Reading: Physics and distributed systems

If you squint hard enough, many of the challenges of distributed computing appear similar to the work done by the great physicists. Dang, those fellows were smart! Here, we examine some of the most important physics breakthroughs and draw some whimsical parallels to phenomena in the world of computing… just for fun. —ACM Queue

The post Worth Reading: Physics and distributed systems appeared first on 'net work.

Worth Reading: Hacking wireless keyboards

You should be able to trust your wireless keyboard. And yet security researchers have been warning people to be suspicious of wireless computer accessories using sketchy radio protocols for years. Those warnings peaked five months ago, when hackers at the security firm Bastille found that millions of cheap keyboard and mouse dongles let hackers inject keystrokes onto your machine from hundreds of yards away. Now, in case you missed that message, the same researchers have extended their attack to millions more devices—and this time, they can not only inject keystrokes, but also read yours, too. —Wired

The post Worth Reading: Hacking wireless keyboards appeared first on 'net work.

DC Fabric Segment Routing Use Case (3)

In the second post in this series, we considered the use of IGP-Prefix segments to carry a flow along a specific path in a data center fabric. Specifically, we looked at pulling the green flow in this diagram—

—along the path [A,F,G,D,E]. Let’s assume this single flow is an elephant flow that we’re trying to separate out from the rest of the traffic crossing the fabric. So—we’ve pulled the elephant flow onto its own path, but this still leaves other flows to simple ECMP forwarding through the fabric. This means some number of other flows are still going to follow the [A,F,G,D,E] path. The flows that are randomly selected (or selected by the ECMP has) to follow the same path as the elephant flow are still going to contend with the elephant flow for queue space, etc.

So we need more than just a way to pull an elephant flow onto a specific path. In fact, we also need a way to pull a specific set of flows off a particular path in the ECMP set. Returning to our diagram, assume we want all the traffic other than the elephant flow to be load shared between H and B, and Continue reading

Worth Reading: Exploiting man in the middle against HTTPS

A key guarantee provided by HTTPS encryption is that the addresses of visited websites aren’t visible to attackers who may be monitoring an end user’s network traffic. Now, researchers have devised an attack that breaks this protection. The attack can be carried out by operators of just about any type of network, including public Wi-Fi networks, which arguably are the places where Web surfers need HTTPS the most. It works by abusing a feature known as WPAD—short for Web Proxy Autodisovery—in a way that exposes certain browser requests to attacker-controlled code. —ARS Technica

The post Worth Reading: Exploiting man in the middle against HTTPS appeared first on 'net work.