Category Archives for "Security"

Reflections from the Global Commission on the Stability of Cyberspace

Two weeks ago, a small delegation from the Internet Society was in Delhi for a series of meetings. (See yesterday’s post about GCCS and GFCE.) In this post, I’ll pick up with the Global Commission on the Stability of Cyberspace (GCSC).

The international community has been trying to develop cyber norms for international behaviour for over a decade. This has been happening through UN processes, through the GCCS, through international law discourse, and in other fora. And some progress has been made. For instance, the Tallinn Manuals provide some insights into how international law applies to cyber war and cyber operations, while the UN GGE, among others, recognized the applicability of international law to the digital space and has provided some protection to cybersecurity incident response teams (CIRTs) and critical infrastructure.

However, these processes are slow, and certainly not without roadblocks. The 5th UN Group of Governmental Experts on Information Security (GGE), for example, failed to reach consensus on whether certain aspects of international law, in particular the right to self-defence, apply to cyberspace, as well as on issues related to attribution. During a panel at GCCS, five participants in the 5th UN GGE shared their perspectives. To me Continue reading

Reflections on a Global and Cyber-heavy week at GCCS and GFCE

Two weeks ago, a small Internet Society delegation was in Delhi to participate in a number of events that contained the words ‘Global’ and ‘Cyber’. In this post, I’ll share some of our perspectives on the first two events – the GCCS and the GFCE.

GCCS – The Global Conference on Cyberspace

The first meeting of the week was the Global Conference on Cyberspace. This was originally a government-initiated conference series and is also commonly known as the London Process.

Part of the strength of these meetings is that they create a trusted environment for governments to discuss global issues that are usually state-centric, such as international aspects of security and stability. Over time, these meetings have opened up to other stakeholders, with the 2015 meeting in The Hague being the most inclusive so far. However, inclusive participation is not a given. Inclusion is important because these types of meetings ultimately are where norms for inter-state behaviour emerge, not necessarily in writing but through the development of a common narrative. But such narratives are only strong and impactful if those who implement and are impacted by those norms have a seat at the table. Although inclusive, multi-stakeholder participation has historically Continue reading

The end of the road for Server: cloudflare-nginx

Six years ago when I joined Cloudflare the company had a capital F, about 20 employees, and a software stack that was mostly NGINX, PHP and PowerDNS (there was even a little Apache). Today, things are quite different.

Image: CC BY-SA 2.0 image by Randy Merrill

The F got lowercased, there are now more than 500 people and the software stack has changed radically. PowerDNS is gone and has been replaced with our own DNS server, RRDNS, written in Go. The PHP code that used to handle the business logic of dealing with our customers’ HTTP requests is now Lua code, Apache is long gone and new technologies like Railgun, Warp, Argo and Tiered Cache have been added to our ‘edge’ stack.

And yet our servers still identify themselves in HTTP responses with

Server: cloudflare-nginx

Of course, NGINX is still a part of our stack, but the code that handles HTTP requests goes well beyond the capabilities of NGINX alone. It’s also not hard to imagine a time when the role of NGINX diminishes further. We currently run four instances of NGINX on each edge machine (one for SSL, one for non-SSL, one for caching and one Continue reading

MANRS, Routing Security, and the Brazilian ISP Community

Last week, I presented MANRS to the IX.BR community. My presentation was part of a bigger theme – the launch of an ambitious program in Brazil to make the Internet safer.

While there are many threats to the Internet that must be mitigated, one common point and a challenge for many of them is that the efficacy of the approaches relies on collaboration between independent and sometimes competing parties. And, therefore, finding ways to incentivize and reward such collaboration is at the core of the solutions.

MANRS tries to do that by increasing the transparency of a network operator’s security posture and its commitment to a more secure and resilient Internet. Subsequently, the operator can leverage its improved security posture, signaling it to potential customers and thus differentiating itself from its competitors.

MANRS also helps build a community of security-minded operators with a common purpose – an important factor that improves accountability, facilitates better peering relationships, and improves coordination in preventing and mitigating incidents.

So, what does the Brazilian ISP community think about routing security and MANRS?

I ran an interactive poll with four questions to provide a more quantitative answer. More than 100 people participated, which makes the results Continue reading

CAA of the Wild: Supporting a New Standard

One thing we take pride in at Cloudflare is embracing new protocols and standards that help make the Internet faster and safer. Sometimes this means that we’ll launch support for experimental features or standards still under active development, as we did with TLS 1.3. Due to the not-quite-final nature of some of these features, we limit the availability at the onset to only the most ardent users so we can observe how these cutting-edge features behave in the wild. Some of our observations have helped the community propose revisions to the corresponding RFCs.

We began supporting the DNS Certification Authority Authorization (CAA) Resource Record in June behind a beta flag. Our goal in doing so was to see how the presence of these records would affect SSL certificate issuance by publicly-trusted certification authorities. We also wanted to do so in advance of the 8 September 2017 enforcement date for mandatory CAA checking at certificate issuance time, without introducing a new and externally unproven behavior to millions of Cloudflare customers at once. This beta period has provided invaluable insight as to how CAA records have changed and will continue to change the commercial public-key infrastructure (PKI) ecosystem.

As of today, Continue reading

Libertarians are against net neutrality

This post claims to be by a libertarian in support of net neutrality. As a libertarian, I need to debunk this. "Net neutrality" is a case of one-hand clapping, you rarely hear the competing side, and thus, that side may sound attractive. This post is about the other side, from a libertarian point of view.

That post just repeats the common, and wrong, left-wing talking points. I mean, there might be a libertarian case for some broadband regulation, but this isn't it.

This thing they call "net neutrality" is just left-wing politics masquerading as some sort of principle. It's no different than how people claim to be "pro-choice", yet demand forced vaccinations. Or, it's no different than how people claim to believe in "traditional marriage" even while they are on their third "traditional marriage".

Properly defined, "net neutrality" means no discrimination of network traffic. But nobody wants that. A classic example is how most internet connections have faster download speeds than uploads. This discriminates against upload traffic, harming innovation in upload-centric applications like Dropbox's cloud backup or BitTorrent's peer-to-peer file transfer. Yet activists never mention this, or other types of network traffic discrimination, because they no more care about "net Continue reading

Make SSL boring again

It may (or may not!) come as a surprise, but a few months ago we migrated Cloudflare’s edge SSL connection termination stack to use BoringSSL: Google's crypto and SSL implementation that started as a fork of OpenSSL.

We dedicated several months of work to make this happen without negative impact on customer traffic. We had a few bumps along the way, and had to overcome some challenges, but we ended up in a better place than we were in a few months ago.

TLS 1.3

We have already blogged extensively about TLS 1.3. Our original TLS 1.3 stack required our main SSL termination software (which was based on OpenSSL) to hand off TCP connections to a separate system based on our fork of Go's crypto/tls standard library, which was specifically developed to only handle TLS 1.3 connections. This proved handy as an experiment that we could roll out to our client base in relative safety.

However, over time, this separate system started to make our lives more complicated: most of our SSL-related business logic needed to be duplicated in the new system, which caused a few subtle bugs to pop up, and made it Continue reading

Come Visit Us at AWS re:Invent!

We’ll be at AWS re:INVENT in Las Vegas all week (Nov 27 – Dec 1, 2017)!

Come say hi to the NSX Team at the VMware booth (#900, right as you walk in the main entrance) in the Expo Hall at the Venetian Hotel. Stop by our booth to…

  • Check out a quick demo on VMware NSX Cloud
  • Attend a 30-minute in-booth session about VMware NSX Cloud (Thursday, Nov 30 at 11:30am)
  • Grab some swag
  • Play one of our booth games and win a prize – Apple iPhone 8, AWS Credits, Amazon Echo, T-Shirts, and more!

Image: VMware Booth at AWS re:Invent

As always, continue the conversation with us on Twitter @vmwarensx or use the hashtag #RunNSX or #NSXMindset‏. We hope to see you at the show!

The post Come Visit Us at AWS re:Invent! appeared first on Network Virtualization.

Terminology Tuesday Presents: Blockchain

Think of Blockchain as primarily two things: 1) a peer-to-peer technology, and 2) a way of keeping a public record.

The technological backing of Blockchain is the ability to have many (many) computers host the same information. Snippets of code (known as blocks) are duplicated and maintained in so many different places rendering fraud impossible. The fact that each of these blocks is timestamped and unique makes it increasingly challenging to outsmart. If you’re interested in learning more about the technological specifics there are a number of great resources online including this presentation by Binh Nguyen, IBM’s Blockchain Fabric Chief Architect.

Today, Blockchain is most commonly thought of in connection to Bitcoin as it describes the technology and process that we’ve all come to know as being so secure. Bitcoin’s past affiliations with illegalities of all sorts have given a bad name to Blockchain, but there are many benefits to secure transactions, all with a public record, as our purchases and currency become increasingly digital.

Want to learn more? Check out these sources:


Terminology Tuesday is a new blog series. What would you like Continue reading

A Thanksgiving Carol: How Those Smart Engineers at Twitter Screwed Me

Thanksgiving Holiday is a time for family and cheer. Well, a time for family. It's the holiday where we ask our doctor relatives to look at that weird skin growth, and for our geek relatives to fix our computers. This tale is of such computer support, and how the "smart" engineers at Twitter have ruined this for life.

My mom is smart, but not a good computer user. I get my enthusiasm for science and math from my mother, and she has no problem understanding the science of computers. She keeps up when I explain Bitcoin. But she has difficulty using computers. She has this emotional, irrational belief that computers are out to get her.

This makes helping her difficult. Every problem is described in terms of what the computer did to her, not what she did to her computer. It's the computer that needs to be fixed, instead of the user. When I showed her the "haveibeenpwned.com" website (part of my tips for securing computers), it showed her Tumblr password had been hacked. She swore she never created a Tumblr account -- that somebody or something must have done it for her. Except, I was Continue reading