Worth Reading: Optical Outlook in the Data Center

Optical signal to noise imposes a limit that caps the aggregate data that can be transported over a single fiber. We’ve been testing this limit for almost a decade, first in long-haul (inter–data center) and now short-range (intra–data center) connections with speeds of 200Gbps and above to accommodate the appetite for 5G, IoT, big data, quantum computing, and other emerging technologies. —Tim Dixon @The Data Center Journal

On the ‘net: The Little Green Lock

Users—particularly those who do not understand technology as well—have long been taught to “look for the green lock in your web browser” to be certain they are communicating with a “trusted” site. For instance, here and here are articles stating that one way you know you can trust a site is by looking for the “green lock.” @Search Networking

Worth Reading: Monitoring BGP Anomalies

While ‘fat-fingers’ and malicious actors are often reported as being responsible for many BGP ‘anomalies’, there are other common sources that network operators should be aware of, including unassigned BGP AS numbers, BGP attribute 21, and broken 4-byte implementation. —Martin Winter @APNIC

Worth Reading: SD-WAN Evolution

One of the questions raised by the onrush of interest in SD-WAN is where SDN is. Obviously, two things whose acronyms start with “software-defined” should be related in some way, and I’ve noted in other blogs that SD-WAN and SDN may converge in the longer term. —Tom Nolle @CIMI

Research; HTTPS Interceptions

I have written elsewhere about the problems with the “little green lock” shown by browsers to indicate a web page (or site) is secure. In that article, I considered the problem of freely available certificates, and a hole in the way browsers load pages. In March of 2017, another paper was published documenting another problem with the “green lock” paradigm—the impact of HTTPS interception. In theory, a successful HTTPS session means the session between host and the server has been encrypted, which means no third party can read the contents of the packets passing between the two.

This works, modulo the trustworthiness of the certificates involved in encrypting the traffic, so long as there is no-one in the middle of the connection encrypting packets from the receiver, and re-encrypting them towards the transmitter. This “man in the middle,” or MITM, can read the contents of all the packets in the exchange, even though the data is encrypted on transmit. Surely such MITM situations are rare, right?

Right.

The researchers in this paper set out to discover just how often HTTPS (LTS) sessions are terminated and re-encrypted by some device or piece of software in the middle. To discover how often Continue reading

Worth Reading: The History of GREP

The original Unix Programmer’s Manual calls grep one of “the more memorable mini-revolutions” that Unix experienced, saying it irrevocably ingrained the “tools” outlook into Unix. —David Cassel @The New Stack

Weekend Reads 072718

Google has not had any of its 85,000+ employees successfully phished on their work-related accounts since early 2017, when it began requiring all employees to use physical Security Keys in place of passwords and one-time codes, the company told KrebsOnSecurity. @Krebs on Security

Open-plan offices have taken off because of a desire to increase interaction and collaboration among workers. But an innovative new study has found that employees in open-plan offices spend 73% less time in face-to-face interactions. Email and messaging use shot up by over 67%. —Libby Sander @Intellectual Takeout

There’s a misconception that everything will benefit from running in the cloud. All workloads are not equal, and not all workloads will see a measurable effect on the bottom line from moving to the cloud. —Jason Baker @Opensource.com

One way or another we’ve been working on various aspects of securing the Internet’s inter-domain routing system for many years. I recall presentations dating back to the late ’90’s that point vaguely to using some form of digital signature on BGP updates that would allow a BGP speaker to assure themselves as to the veracity of a route advertisement. The concept is by no means a new one, and even Continue reading

The Wind Blows

Worth Reading: AI is not a silver bullet for security

If you’re using AI to better detect threats, there’s an attacker out there who had the exact same thought. Where a company is using AI to detect attacks with greater accuracy, an attacker is using AI to develop malware that’s smarter and evolves to avoid detection. —Tomas Honzak @Dark Reading

Networks Without Operators

Worth Reading: The Return of the Single Socket

There are so many ironies in the hardware business that it is amazing that we aren’t covered in rust. One irony is that after decades of socket compression in the datacenter, the time of the single socket server may have returned. —Timothy Prickett Morgan @The Next Platform

Worth Reading: Cloud Wars

The battle for public cloud supremacy is far from over, but it may be taking a new direction. Amazon has announced its Snowball edge appliance, which some characterize as an extension of the early Greengrass technology that let users run AWS elements on premises, meaning at the edge. —Tom Nolle @CIMI

On the ‘net: Simplifying Network Design

For various reasons, humans tend to prefer complex resolutions to simple ones. The combined effect of many humans preferring more complex resolutions over time means large-scale systems tend to accrue complexity, until they fall into a complexity wormhole, becoming wholly incomprehensible. @Search Networking

Worth Reading: Limits in Measuring DNS

In this article I’d like to explore a similar proposition related to the behaviour of the Internet’s Domain Name system. It’s nowhere near as formally stated as Heisenberg’s Uncertainty Principle, and cannot be proved formally, but the assertion is very similar, namely that there is a basic limit to the accuracy of measurements that can be made about the behaviour and properties of the DNS. —Geoff Huston @Potaroo

Worth Reading: Production Networks with White Box

One of the challenges service providers have faced in the last decade is lowering the cost per port or per MB while maintaining the same level of availability and service level. And then add to that the constant pressure from subscribers to increase capacity and meet the rising demand for realtime content. —Kevin Myers @Stubarea51

History of Networking: The RFC Series

On the ‘net: Understanding the Exploit Market

How do attackers find a vulnerability, write a piece of code to take advantage of that vulnerability — i.e., build an exploit — build a software delivery system around the exploit and then deliver the attack itself? The key point to recognize in this process is that no single person undertakes all of this work. @Search Networking

Worth Reading: I can’t stop wasting time

There are so many distractions when you are a freelancer. From kids coming into your home office or time sucks like Facebook, you need to focus and be more efficient. The key is arming yourself with the right tools for the job. —Carrie Cousins @WebDesignerDepot

Worth Reading: Creating a Role for Standards

I think it’s obvious that traditional standards processes are simply not effective in the current age. They take way too long and they end up defining an architecture that has to be ignored if the end product is to be useful. —Tom Nolle @CIMI

Research: Even Password Complexity is a Tradeoff

Stronger passwords are always better—at least this is the working theory of most folks in information technology, security or otherwise. Such blanket rules should raise your suspicions, however; the rule11 maxim if you haven’t found the tradeoff, you haven’t looked hard enough should apply to passwords, too.

Dinei Florêncio, Cormac Herley, and Paul C. Van Oorschot. 2016. Pushing on string: the ‘don’t care’ region of password strength. Commun. ACM 59, 11 (October 2016), 66-74. DOI: https://doi.org/10.1145/2934663

Begin with this simple assertion: complex passwords are primarily a guard against password guessing attacks. Further, while the loss of a single account can be tragic for the individual user (and in some systems, the loss of a single password can have massive consequences!), for the system operator, it is the overall health of the system that matters. There is, in any system, a point at which enough accounts have been compromised that the system itself can no longer secure any information. This not only means the system can no longer hide information, it also means transactions within the system can no longer be trusted.

The number of compromised accounts varies based on the kind of system in view; effectively breaching Continue reading