Worth Reading: What Sauron Tells Us

Last week, both Symantec and Kaspersky released a series of reports on a nation-state malware attacker dubbed alternately “Strider” or “Sauron.” Although neither formally attributes the attack to any particular country, reading between the lines it is pretty clear: The U.S. was Here. Attributing malcode is always questionable, and there is some possibility this is not the (rather excellent) work of the NSA but instead some the efforts of a FVEY ally. But—given the quality, the modular nature, target selection, and lots of other details—the smart money is on this being from our friends at Fort Meade. If we assume that it is, what does this mean? —Lawfare

The post Worth Reading: What Sauron Tells Us appeared first on 'net work.

Worth Reading: Lawless government hacking

In our society, the rule of law sets limits on what government can and cannot do, no matter how important its goals. To give a simple example, even when chasing a fleeing murder suspect, the police have a duty not to endanger bystanders. The government should pay the same care to our safety in pursuing threats online, but right now we don’t have clear, enforceable rules for government activities like hacking and “digital sabotage.” And this is no abstract question—these actions increasingly endanger everyone’s security. —Deep Links

The post Worth Reading: Lawless government hacking appeared first on 'net work.

Pelican

The post Pelican appeared first on 'net work.

Worth Reading: Hosts versus the network

There are a number of ways to view the relationship between hosts and the network in the Internet. One view is that this is an example of two sets of cooperating entities that share a common goal: hosts and the network both want content to be delivered. Both have an interest in seeing this delivery happen quickly, efficiently and without fuss. This leads to one view of the relationship between hosts and the network: the more the elements of the network provide the host with a description of their capabilities and connectivity, and the more the host provides the network with a description of the desired treatment of their traffic flow, the more harmonious the relationship, and the better the carriage service can attune its service response to match the host’s requirements, and vice versa. —Potaroo

The post Worth Reading: Hosts versus the network appeared first on 'net work.

Worth Reading: Reopening the going dark debate

Just over a week ago, at the BlackHat hacker convention in Las Vegas, Ivan Krstić, Head of Security Engineering and Architecture at Apple gave a talk entitled “Behind the scenes of iOS Security,” the slides of which are available here. It’s a historic talk for a couple of reasons. First, Apple is traditionally very secretive about how it technically does security on its devices. Apple also announced its first bug bounty program. So far, so newsworthy. But something else happened at that talk. Unbeknownst to the presenter or anybody in the audience, Apple just reopened the “Going Dark” dispute between the FBI and the privacy community, and it turned the entire dispute on its head. —Lawfare

The post Worth Reading: Reopening the going dark debate appeared first on 'net work.

Beware the network without an operator

A lot of people seem to be looking forward to the day we build a network without an operator; to wit—

Containerized solutions and machine learning may soon be more than tangentially related. Containerized solutions will usher in an era of operations that don’t require human intervention. Once humans are taken out of operations, we will be free to apply machine learning techniques to what is left. —The New Stack

I hope not, because machines are more brittle than humans. Totally automated security fails much more often than security that uses a blend of people and algorithms. Machines do well at repetitive tasks, humans at catching the things that don’t fit into the algorithm’s state machine. Taking the person out of the network just means there’s no-one there to see when the state machine fails.

And it will fail—at some point. I know we like to believe that machines break less often, but I’m pretty certain there’s a counterpoint to this: when machines break, it’s more likely to be catastrophic. I’m not convinced replacing people with algorithms always reduces damage so much as move the potential damage around.

I hope not, because machines separate the decision from the decision maker. Continue reading

Worth Reading: Container defense in depth

The new age of image-based containers exploded onto the scene in early to mid-2013. Since the early days of the Docker container engine, we heard questions of whether they were secure enough. Our very own Dan Walsh was heard many times saying, “Docker containers don’t contain” — so the question is, can we safely use them? Especially in production? —The New Stack

The post Worth Reading: Container defense in depth appeared first on 'net work.

Worth Reading: Your chance to say no

“Passport and flight number, please. What brings you to the States? Duration of stay?” “LinkedIn username? OKCupid handle?” No, the U.S. Customs officer is not trolling you. If the Department of Homeland Security has its way, these will be standard questions for people visiting the United States. The DHS recently issued a proposal to ask tourists on visa waivers to share their “online presence” on the I-94W and the online application for the Electronic System for Travel Authorization (ESTA), including the social networks they use and their corresponding “identifiers”—their handles or account names. —CDT

The post Worth Reading: Your chance to say no appeared first on 'net work.

Self-Improvement Through Time Travel

There are some days I wish I could travel back in time and “fix” the time I wasted through an hour, a day, or a week working on something that really wasn’t worth my time, or just wandering through links on the Internet, looking at things I don’t really (ultimately) care about. My time management skills are, honestly, often lacking. There doesn’t seem to be a way, does there, though?

Or maybe there is. Let’s twist our brains a little and think about it this way. Tomorrow is going to be the day we wish we could travel into from the day after tomorrow to fix, right? So what if we did reverse time travel and fix tomorrow today? Sure, sounds nice, but how? The answer might seem a little trivial, but it’s only apparently trivial, rather than trivial in real life.

Once answer is the humble todo list. I know, you’ve made one of these before—in fact, you probably already have one, don’t you? And it’s never really helped, right? Well, let’s see if we can figure out how to supercharge to make it a bit more effective. To begin, we have to try to understand how a todo Continue reading

Worth Reading: Tracking the hackers

The e-mail from Google arrived at 4:09 AM on March 22 and contained an ominous alert for its recipient, William Rinehart, a staffer with Hillary Clinton’s presidential campaign. “Someone has your password,” the e-mail’s subject line declared. “Someone just used your password to try to sign in to your Google Account,” warned the message, which reported that the incursion attempt came from an IP address in Ukraine. —the smoking gun

The post Worth Reading: Tracking the hackers appeared first on 'net work.

Worth Reading: Network monitoring

I encounter a lot of sites that ignore syslog. Yes, there’s a large noise-to-signal ratio there. There are free tools that summarize the syslog data, and there are golden needles in the haystack as well. A tool like Splunk or syslog-NG (free in most Linux distributions) can help you send alerts based on the items of interest. Splunk can also give you frequency count based reports to separate out repeated happenings that might be of concern from one-time blips that aren’t worth investigating. —Netcraftsmen

The post Worth Reading: Network monitoring appeared first on 'net work.

On the ‘net: Crashes and Complexity

It’s a familiar story by now: on the 8th of August, 2016, Delta lost power to its Atlanta data center, causing the entire data center to fail. Thousands of flights were cancelled, many more delayed, and tens of thousands of travellers stranded. What’s so unusual about this event is in the larger scheme of network engineering, it’s not that unusual. If I think back to my time on the Escalation Team at a large vendor, I can think of hundreds of situations like this. And among all those events, there is one point in common: it takes longer to boot the system than it does to fix the initial problem. —CircleID

The post On the ‘net: Crashes and Complexity appeared first on 'net work.

Worth Reading: Networking needs information, not data

Data is useless. We need to perform analysis on it to get information. That’s where a new wave of companies is coming into the networking market. They are building on the frameworks and systems that are aggregating data and presenting it in a way that makes it useful information. Instead of random data points about NetFlow, these solutions tell you that you’ve got a huge problem with outbound traffic of a specific type that is sent at a specific time with a specific payload. The difference is that instead of sorting through data to make sense of it, you’ve got a tool delivering the analysis instead of the raw data. —Networking Nerd

The post Worth Reading: Networking needs information, not data appeared first on 'net work.

Worth Reading: IPv6 inside LinkedIn

Adding a new network stack requires that the security is at least equivalent to the previous IPv4 security. One approach could be to use a filter to deny all IPv6 traffic and work from there. However, once a device becomes IPv6 aware, you may break services if the device cannot reach the destination over IPv6 and the application either does not gracefully fallback to IPv4 or does not do so in a timely manner. Therefore, we took a different approach. —LinkedIn Engineering Blog

The post Worth Reading: IPv6 inside LinkedIn appeared first on 'net work.

snaproute Go BGP Code Dive (8): Moving to Open

Last week we left off with our BGP peer in connect state after looking through what this code, around line 261 of fsm.go in snaproute’s Go BGP implementation—

func (st *ConnectState) processEvent(event BGPFSMEvent, data interface{}) {
  switch event {
  ....
    case BGPEventConnRetryTimerExp:
      st.fsm.StopConnToPeer()
      st.fsm.StartConnectRetryTimer()
      st.fsm.InitiateConnToPeer()
....

What we want to do this week is pick up our BGP peering process, and figure out what the code does next. In this particular case, the next step in the process is fairly simple to find, because it’s just another case in the switch statement in (st *ConnectState) processEvent—

case BGPEventTcpCrAcked, BGPEventTcpConnConfirmed:
  st.fsm.StopConnectRetryTimer()
  st.fsm.SetPeerConn(data)
  st.fsm.sendOpenMessage()
  st.fsm.SetHoldTime(st.fsm.neighborConf.RunningConf.HoldTime,
    st.fsm.neighborConf.RunningConf.KeepaliveTime)
  st.fsm.StartHoldTimer()
  st.BaseState.fsm.ChangeState(NewOpenSentState(st.BaseState.fsm))
....

This looks like the right place—we’re looking at events that occur while in the connect state, and the result seems to be sending an open message. Before we move down this path, however, I’d like to be certain I’m chasing the right call chain, or logical thread. How can I do this? This code is called when (st *ConnectState) processEvent is called with an event Continue reading

Worth Reading: The future of networking with Pete Lumbis

The next person I interviewed about the future of networking is my friend Pete Lumbis. Pete used to be the routing escalations TAC leader at Cisco and now he is working at Cumulus as a SE. Pete holds both a CCIE and a CCDE. —Lost in Transit

The post Worth Reading: The future of networking with Pete Lumbis appeared first on 'net work.

Worth Reading: Email optimization

In Part 1 of this series, we introduced the problem of email volume optimization. We showed that on the one hand, email is among the principal drivers of engagement, but on the other hand, excessive email volume results in increased negative responses such as members unsubscribing from an email type or reporting emails as spam. We discussed an approach for email volume optimization that minimizes email volume while maximizing downstream sessions and minimizing the number of member complaints (unsubscribes and spam reports). In this post, we’ll discuss our learnings from this approach and describe our new, improved approach that has resulted. —LinkedIn Engineering Blog

The post Worth Reading: Email optimization appeared first on 'net work.

In Flight

The post In Flight appeared first on 'net work.

Worth Reading: NTP is still a security risk

The Network Time Protocol (NTP) has been in the news a number of times over the past couple of years because of attacks on the protocol, vulnerabilities in the daemon, and the use of NTP in DDoS attacks. In each case, the developers of NTP have responded quickly with fixes or recommendations for remediating these attacks. Additionally, the development team has continued to look ahead and has worked to enhance the security of NTP. —CircleID

The post Worth Reading: NTP is still a security risk appeared first on 'net work.

Worth Reading: Living in an age of cyber extortion

One of the most famous examples of DDoS attacks used for extortion was attributed to an attacker using the moniker “DD4BC,” which stands for “DDoS for Bitcoin.” ASERT wrote about this in June. Due to DD4BC’s success copy cats emerged and these types of attacks spread quickly around the world. In fact, there have been stories reported of “copy cats of copy cats,” simply threatening to launch DDoS attacks in exchange for bitcoin – even though they had no such botnet at their disposal. —Arbor

The post Worth Reading: Living in an age of cyber extortion appeared first on 'net work.