
Category Archives for "Security"

NSX Growth and Success in 2016

Last week VMware hosted its Q4 2016 earnings call and shared financial results. VMware CEO Pat Gelsinger and the executive team have frequently highlighted VMware NSX growth and success on these calls. For Q4, NSX license bookings grew over 50 percent year-over-year. Annualizing our Q4 total bookings for NSX, it is now at a $1B run rate. With one month into 2017, we’d like to share more on NSX customer success in 2016.

Customer Success

2,400+

Exiting 2016, we shared our latest customer count at more than 2,400, almost double the count from last year. In Q4 we also closed the largest NSX-only deal to date, at more than $10M. For every customer I meet with or hear about from my team, I continue to be impressed by how they choose to use NSX. We love to share these success stories, whether we're talking about all the customers who spoke at VMworld last year or the many videos and case studies the team publishes regularly. These stories go into detail on the significant NSX wins across multiple verticals and every major geography.

Customer Deployments & Expansion

Success for our team is when customers expand their use of …

Uber was right to disable surge pricing at JFK

Yesterday, the NYC taxi union had a one-hour strike protesting Trump's "Muslim Ban", refusing to pick up passengers at the JFK airport. Uber responded by disabling surge pricing at the airport. This has widely been interpreted as a bad thing, so the hashtag "#DeleteUber" has been trending, encouraging people to delete their Uber accounts/app.

These people are wrong, obviously so.

Surge Pricing

Uber's "Surge Pricing" isn't price gouging, as many assume. Instead, the additional money goes directly to the drivers, to encourage them to come to the surging area and pick up riders. Uber isn't a taxi company. It can't direct drivers to go anywhere. All it can do is provide incentives. "Surge Pricing" for customers means "Surge Income" for the drivers, giving them an incentive. Drivers have a map showing which areas of the city are surging, so they can drive there.

Another way of thinking about it is "Demand Pricing". It's simply the economic Law of Supply and Demand. If demand increases, then prices increase, and then supply increases, chasing the higher profits. It's why, famously, you can't get a taxi cab on New Year's Eve, but you can get an Uber driver. Taxi drivers can't charge more …

Is ‘aqenbpuu’ a bad password?

Press secretary Sean Spicer has twice tweeted a random string, leading people to suspect he's accidentally tweeted his Twitter password. One of these was 'aqenbpuu', which some have described as a "shitty password". Is it actually bad?

No. It's adequate. Not the best, perhaps, but not "shitty".


It depends upon your threat model. The common threats are password reuse and phishing, where the strength doesn't matter. When the strength does matter is when Twitter gets hacked and the password hashes stolen.

Twitter uses the bcrypt password hashing technique, which is designed to be slow. A typical desktop with a GPU can only crack bcrypt passwords at a rate of around 321 hashes per second. Doing the math (26 to the power of 8, divided by 321, divided by the number of seconds in a day), it will take 20 years for this desktop to crack the password.

That's not a good password. A botnet with thousands of desktops, or somebody willing to invest thousands of dollars in a supercomputer or a cluster like Amazon's, can crack that password in a few days.

But, it's not a bad password, either. A hack of a Twitter account like this would be a minor event. It's not …

Dispersing a DDoS: Initial thoughts on DDoS protection

Distributed Denial of Service is a big deal—huge pools of Internet of Things (IoT) devices, such as security cameras, are compromised by botnets and used for large-scale DDoS attacks. What are the tools in hand to fend these attacks off? The first misconception is that you can actually fend off a DDoS attack. There is no magical tool you can deploy that will let you go to sleep every night thinking, "tonight my network will not be impacted by a DDoS attack." There are tools and services that deploy various mechanisms to do the engineering and work for you, but there is no solution for DDoS attacks.

One such reaction tool is spreading the attack. In the network below, the network under attack has six entry points.

Assume the attacker has IoT devices scattered throughout AS65002 which they are using to launch an attack. Due to policies within AS65002, the DDoS attack streams are being forwarded into AS65001, and thence to A and B. It would be easy to shut these two links down, forcing the traffic to disperse across five entries rather than two (B, C, D, E, and F). By splitting the …

The command-line, for cybersec

On Twitter I made the mistake of asking people about command-line basics for cybersec professionals. I got a lot of useful responses, which I summarize in this long (5k words) post. It's mostly driven by the tools I use, with a bit of input from the tweets I got in response to my query.

bash

By command-line this document really means bash.

There are many types of command-line shells. Windows has two, 'cmd.exe' and 'PowerShell'. Unix started with the Bourne shell 'sh', and there have been many variations of this over the years: 'csh', 'ksh', 'zsh', 'tcsh', etc. When GNU rewrote Unix user-mode software independently, they called their shell "Bourne Again Shell" or "bash" (cue "JSON Bourne" shell jokes here).

Bash is the default shell for Linux and macOS. It's also available on Windows, as part of the "Windows Subsystem for Linux". The Windows version of 'bash' has become my most used shell.

For Linux IoT devices, BusyBox is the most popular shell. It’s easy to clear, as it includes feature-reduced versions of popular commands.


man

‘Man’ is the command you should not run if you want help for a command.

Man pages are designed to drive away …

Technology Short Take #76

Welcome to Technology Short Take #76, the first Technology Short Take of 2017. Normally, I’d publish this on a Friday, but due to extenuating circumstances (my mother-in-law’s funeral is tomorrow) I’m posting it today. Here’s hoping you find something useful!

Networking

About that Giuliani website…

Rumors are that Trump is making Rudy Giuliani some sort of "cyberczar" in the new administration. Therefore, many in the cybersecurity community scanned his website "www.giulianisecurity.com" to see if it was actually secure from hackers. The results have been laughable, with out-of-date software, bad encryption, unnecessary services, and so on.

But here's the deal: it's not his website. He just contracted with some generic web designer to put up a simple page with just some basic content. It's there only because people expect if you have a business, you also have a website.

That website designer in turn contracted some basic VPS hosting service from Verio. It's a service Verio exited around March of 2016, judging by the archived page.

The Verio service promised "security-hardened server software" that they "continually update and patch". According to the security scans, this is a lie, as the software is all woefully out-of-date. According to the OS fingerprint, the FreeBSD image it uses is 10 years old. The security is exactly what you'd expect from a legacy hosting company that has shut down some old business.

You can probably break into Giuliani's server. I know this because other FreeBSD servers in the same data …