Archive

Category Archives for "Security"

In which I have to debunk a second time

So Slate is doubling-down on their discredited story of a secret Trump server. Tip for journalists: if you are going to argue against an expert debunking your story, try to contact that expert first, so they don't have to do what I'm going to do here, showing obvious flaws. Also, pay attention to the data.


The experts didn't find anything

The story claims:
"I spoke with many DNS experts. They found the evidence strongly suggestive of a relationship between the Trump Organization and the bank".
No, he didn't. He gave experts limited information and asked them whether it's consistent with a conspiracy theory. He didn't ask if it was "suggestive" of the conspiracy theory, or that this was the best theory that fit the data.

This is why "experts" quoted in the press need to go through "media training", to avoid getting your reputation harmed by bad journalists who try their best to put words in your mouth. You'll be trained to recognize bad journalists like this, and how not to get sucked into their fabrications.


Jean Camp isn't an expert

On the other hand, Jean Camp isn't an expert. I've never heard of her before. She gets details wrong. Continue reading

Setting Sail on Secret Seas with Trireme

trireme-b

Container networking is a tough challenge to solve. The evolving needs of creating virtual networks to allow inter-container communications is difficult. But ensuring security at the same time is enough to make you pull your hair out. Lots of companies are taking a crack at it as has been demonstrated recently by microsegmentation offerings from Cisco, VMware NSX, and many others. But a new development on this front set sail today. And the captain is an old friend.

Sailing the Security Sea

Dimitri Stiladis did some great things in his time at Nuage Networks. He created a great overlay network solution that not only worked well for software defined systems but also extended into the container world as more and more people started investigating containers as the new way to provide application services. He saw many people rushing into this area with their existing solutions as well as building new solutions. However, those solutions were all based on existing technology and methods that didn’t work well in the container world. If you ever heard someone say, “Oh, containers are just lightweight VMs…” you know what kind of thinking I’m talking about.

Late last year, Dimitri got together with some of Continue reading

Cryptography

How Does Internet Work - We know what is networking

If you want to send or store data and be sure it is safe from being intercepted, you will use Cryptography. Cryptography uses chipper as mathematical virtual lock to make data scrambled so that is not understandable if intercepted by unauthorized third parties. There are different cryptography techniques, some of them are: encryption, hashing, and steganography. Cryptography can be differentiated by usage of different key types: Symmetric Key Encryption Asymmetric Key Encryption Symmetric Key Encryption is sometimes known as Secret Key Cryptography. Main characteristic of this type of cryptography is the same key usage in encryption and decryption of transferred

Cryptography

Debunking Trump’s “secret server”

According to this Slate article, Trump has a secret server for communicating with Russia. Even Hillary has piled onto this story.

This is nonsense. The evidence available on the Internet is that Trump neither (directly) controls the domain "trump-email.com", nor has access to the server. Instead, the domain was setup and controlled by Cendyn, a company that does marketing/promotions for hotels, including many of Trump's hotels. Cendyn outsources the email portions of its campaigns to a company called Listrak, which actually owns/operates the physical server in a data center in Philidelphia.


In other words,  Trump's response is (minus the political bits) likely true, supported by the evidence. It's the conclusion I came to even before seeing the response.

When you view this "secret" server in context, surrounded by the other email servers operated by Listrak on behalf of Cendyn, it becomes more obvious what's going on. In the same Internet address range of Trump's servers you see a bunch of similar servers, many named [client]-email.com. In other words, trump-email. Continue reading

GRE over IPSec Tunnel and NAT Between Cisco and VyOS

The goal of this tutorial is to provide a configuration for Cisco and VyOS network devices with configured PAT (Port Address Translation) that connect two remote sides A and B through point-to-point GRE tunnel encapsulated into a IPsec tunnel. In a previous tutorial we proved that GRE tunnels in conjunction with IPsec tunnels transmit multicast traffic while data integrity, authentication and confidentiality was in place. I also provided a simple configuration of GRE, IPsec tunnel and OSPF routing protocol on the Cisco and VyOS routers. In this tutorial I will go further and provide full configuration of  the all network devices including PAT and access-lists.  picture1_network_infrastructure

Picture 1 - Network Topology

Topology Description - Side A

Each side has a Layer 2 Cisco switch located in a LAN network. A switch connects hosts to its switchports. Each switchport is assigned to a particular VLAN. For instance, a host PC1 is connected to the switch SW1 and the switchport is assigned to a VLAN 100. Hosts in VLAN 100 (subnet 192.168.1.0/24) have guaranteed access to a remote subnet 192.168.2.0/24 via GRE/IPsec tunnel. A NAT access-list configured on a router R1 ensures that IP address of the host in VLAN 100 is not translated by PAT when a destination address is Continue reading

Configuring Raspberry Pi as a router

I'm setting up a little test network for IoT devices, one isolated a bit from my home network. This is a perfect job for a computer like the Raspberry Pi (or similar computers, such as the Odroid-C2, which is what I'm actually using here). I thought I'd blog the setup details in case anybody else wanted to setup their own isolated home network.

Choice of hardware

The Raspberry Pi B v3 is a fine choice, but there are many alternatives. I'm using the Odroid C2 instead. It's nearly the same, but the chief difference for my purposes is that the Ethernet adapter is native. On the RPi, the Ethernet adapter is actually connected via USB. Network utilities don't like USB Ethernet as much.

The choice of hardware dictates the operating system. Download the latest version of Ubuntu for the Odroid C2. They keep moving around where to get it, but you can google "odroid c2 downloads" to find it. My version is Ubuntu MATE 16.04 LTS.


Your home network

Your home network likely uses the addresses 192.168.1.xxx. This is also the range that most of the devices I'm testing will use as their initial defaults. Therefore, Continue reading

Reaction: DevOps and Security

Over at TechBeacon, my friend Chris Romeo has an article up about DevOps and security. It’s interesting to me because this is actually an area I’d never thought about before, even though it makes sense. Given DevOps is essentially writing software to control infrastructure (like routers, compute, and storage), and software needs to be written in a way that is secure, then it should be obvious that DevOps software should be developed with good security principles gleaned from software development as part of the foundation.

And here we face a challenge, as Chris says—

There is no standard that defines security for DevOps, and the chances of a standard ever developing is small because different organizations are doing things their own way, and can’t even agree on a standard name. And while there is a standard for the secure development lifecycle (ISO/IEC 27034-1), few organizations are ever validated against it.

The key point in here is that every organization is doing things their own way. This isn’t wrong, of course, because every organization must have some “snowflakiness” to justify its existence, and that “snowflakiness” is often likely to show up, in a large way, in something like handling resources within Continue reading

Lamers: the problem with bounties

In my last two posts, I pointed out that the anti-spam technique known as "DKIM" cryptographically verifies emails. This can be used to verify that some of the newsworthy emails are, indeed, correct and haven't been doctored. I offer a 1 btc (one bitcoin, around ~$600 at current exchange rates) bounty if anybody can challenge this assertion.

Unfortunately, bounties attract lamers who think they deserve the bounty. 


This guy insists he wins the bounty because he can add spaces to the email, and add fields like "Cc:" that DKIM doesn't check. Since DKIM ignores extra spaces and only checks important fields, these changes pass. The guy claims it's "doctored" because technically, he has changed things, even though he hasn't actually changed any of the important things (From, Date, Subject, and body content).

No. This doesn't qualify for the bounty. It doesn't call into question whether the Wikileaks emails say what they appear to say. It's so obvious that people have already contacted me and passed on it, Continue reading
1 134 135 136 137 138 178