Archive

Category Archives for "Security"

Technology Short Take #74

Welcome to Technology Short Take #74! The end of 2016 is nearly upon us, and it looks as if there will be only one more Technology Short Take before the end of the year. So, let’s get on with the content—time is short!

Networking

  • If you haven’t heard of Apstra, David Varnum has a great introduction to Apstra available on his site.
  • Will Robinson talks about how to structure your Ansible playbooks in the context of using Ansible to control your network gear.
  • This is an interesting project to watch, I think—it’s porting OVN (Open Virtual Network) from a “traditional” OvS back-end to an IOVisor-based back-end (IOVisor implements the data plane in eBPF).
  • If you’re interested in playing around with OVN, I’ve built a Vagrant-based environment running OVS/OVN 2.6.0 on Ubuntu 16.04. Have a look here.

Servers/Hardware

Nothing this time, but I’ll stay alert for content to include in the future.

Security

Orin’s flawed argument on IP address privacy

In the PlayPen cases, judges have ruled that if you use the Tor network, then you don't have a reasonable expectation of privacy. It's a silly demonstration of how the law is out of sync with reality, since the entire point of using Tor is privacy.

Law prof Orin Kerr has a post discussing it. His conclusion is correct, that when the FBI exploits 0day and runs malware on your computer, then it's a search under the Fourth Amendment, requiring a warrant upon probable cause.

However, his reasoning is partly flawed. The title of his piece, "Remotely accessing an IP address inside a target computer is a search", is factually wrong. The IP address in question is not inside a target computer. This may be meaningful.


First, let's discuss how the judge reasons that there's no expectation of privacy with Tor. This is a straightforward application if the Third Party Doctrine, that as soon as you give something to a third party, your privacy rights are lost. Since you give your IP address to Tor, you lose privacy rights over it. You don't have a reasonable expectation of privacy: yes, you have an expectation of privacy, Continue reading

Get all the Docker talks from Tech Field Day 12

Tech Field DayAs 2016 comes to a close, we are excited to have participated in a few of the Tech Field Day and inaugural Cloud Field Day events to share the Docker technology with the IT leaders and evangelists that Stephen Foskett and Tom Hollingsworth have cultivated into this fantastic group.  The final event was Tech Field Day 12 hosting in Silicon Valley.

In case you missed the live stream, check out videos of the sessions here.

Session 1: Introduction to Docker and Docker Datacenter

Session 2: Securing the Software Supply Chain with Docker

Session 3: Docker for Windows Server and Windows Containers

Session 4: Docker for AWS and Azure

Session 5: Docker Networking Fabric

These are great overviews of the Docker technology applied to enterprise app pipelines, operations, and  diverse operating systems and cloud environments. And most importantly, this was a great opportunity to meet some new people and get them excited about what we are excited about.

 

Visit the Tech Field Day site to watch more videos from previous events, read articles written by delegates or view the conversation online.

New #Docker videos from #TFD12 @TechFieldDay w/ @SFoskett @GestaltIT Continue reading

That “Commission on Enhancing Cybersecurity” is absurd

An Obama commission has publish a report on how to "Enhance Cybersecurity". It's promoted as having been written by neutral, bipartisan, technical experts. Instead, it's almost entirely dominated by special interests and the Democrat politics of the outgoing administration.

In this post, I'm going through a random list of some of the 53 "action items" proposed by the documents. I show how they are policy issues, not technical issues. Indeed, much of the time the technical details are warped to conform to special interests.


IoT passwords

The recommendations include such things as Action Item 2.1.4:
Initial best practices should include requirements to mandate that IoT devices be rendered unusable until users first change default usernames and passwords. 
This recommendation for changing default passwords is repeated many times. It comes from the way the Mirai worm exploits devices by using hardcoded/default passwords.

But this is a misunderstanding of how these devices work. Take, for example, the infamous Xiongmai camera. It has user accounts on the web server to control the camera. If the user forgets the password, the camera can be reset to factory defaults by pressing a button on the outside of the camera.

But here's the Continue reading

Traffic Pattern Attacks: A Real Threat

Assume, for a moment, that you have a configuration something like this—

db-key-traffic-attack

Some host, A, is sending queries to, and receiving responses from, a database at C. An observer, B, has access to the packets on the wire, but neither the host nor the server. All the information between the host and the server is encrypted. There is nothing the observer, B, can learn about the information being carried between the client and the server? Given the traffic is encrypted, you might think… “not very much.”

A recent research paper published at CCS ’16 in Vienna argues the observer could know a lot more. In fact, based on just the patterns of traffic between the server and the client, given the database uses atomic operations and encrypts each record separately, it’s possible to infer the key used to query the database (not the cryptographic key). The paper can be found here. Specifically:

We then develop generic reconstruction attacks on any system supporting range queries where either access pattern or communication volume is leaked. These attacks are in a rather weak passive adversarial model, where the untrusted server knows only the underlying query distribution. In particular, to perform our attack Continue reading

Electoral college should ignore Lessig

Reading this exchange between law profs disappoints me. [1] [2] [3] [4] [5]

The decision Bush v Gore cites the same principle as Lessig, that our system is based on "one person one vote". But it uses that argument to explain why votes should not be changed once they are cast:
Having once granted the right to vote on equal terms, the State may not, by later arbitrary and disparate treatment, value one person's vote over that of another.
Lessig cites the principle of "one person one vote", but in a new and novel way. He applies in an arbitrary way that devalues some of the votes that have already been cast. Specifically, he claims that votes cast for state electors should now be re-valued as direct votes for a candidate.

The United States isn't a union of people. It's a union of states. It says so right in the name. Compromises between the power of the states and power of the people have been with us for forever. That's why states get two Senators regardless of size, but Representatives to the House are assigned proportional to population. The Presidential Continue reading

QKD – How Quantum Cryptography Key Distribution Works

How Does Internet Work - We know what is networking

QKD – Quantum key distribution is the magic part of quantum cryptography. Every other part of this new cryptography mechanism remains the same as in standard cryptography techniques currently used. By using quantum particles which behave under rules of quantum mechanics, keys can be generated and distributed to receiver side in completely safe way. Quantum mechanics principle, which describes the base rule protecting the exchange of keys, is Heisenberg’s Uncertainty Principle. Heisenberg’s Uncertainty Principle states that it is impossible to measure both speed and current position of quantum particles at the same time. It furthermore states that the state of observed particle will change if and

QKD – How Quantum Cryptography Key Distribution Works

Is web-scale networking secure? This infographic breaks it down.

At Cumulus Networks, we take a lot of pride in the fact that web-scale networking using Cumulus Linux can have an immense impact on an organization’s ability to scale, automate and even reduce costs. However, we know that efficiency and growth are not the only things our customers care about.

In fact, many of our customers are interested first and foremost in the security of web-scale networking with Cumulus Linux. Many conclude that a web-scale, open environment can be even more secure than a closed proprietary one. Keep reading to learn more or scroll to the bottom to check out our infographic “The network security debate: Web-scale vs. traditional networking”

Here are some of the ways web-scale networking with Cumulus Linux keeps your data center switches secure:

  • Cumulus Linux uses the same standard secure protocols and procedures as a proprietary vendor: For example, Openssh is used by both traditional closed vendors and Cumulus Linux. The standardized MD5 is used for router authentication, and Cumulus supports management VRF.
  • Web-scale networking has more “eyes” on the code with community support: Linux has a large community of developers from different backgrounds and interests supporting the integrity of the code. Since an entire community of Continue reading

No, it’s Matt Novak who is a fucking idiot

I keep seeing this Gizmodo piece entitled “Snowden is a fucking idiot”. I understand the appeal of the piece. The hero worship of Edward Snowden is getting old. But the piece itself is garbage.

The author, Matt Novak, is of the new wave of hard-core leftists intolerant of those who disagree with them. His position is that everyone is an idiot who doesn’t agree with his views: Libertarians, Republicans, moderate voters who chose Trump, and even fellow left-wingers that aren’t as hard-core.

If you carefully read his piece, you’ll see that Novak doesn’t actually prove Snowden is wrong. Novak doesn’t show how Snowden disagrees with facts, but only how Snowden disagrees with the left-wing view of the world. It’s only through deduction that we come to the conclusion: those who aren’t left-wing are idiots, Snowden is not left-wing, therefore Snowden is an idiot.

The question under debate in the piece is:
technology is more important than policy as a way to protect our liberties
In other words, if you don’t want the government spying on you, then focus on using encryption (use Signal) rather than trying to change the laws so they can’t spy on you.

On a Continue reading
1 136 137 138 139 140 182