Category Archives for "Security"

Errata Security 2016-04-27 17:48:00

Who's your lawyer? Insights & Wisdom via HBO's Silicon Valley (S.3, E.1)

The company's attorney may be your friend, but they're not your lawyer. In this guest post, friend of Errata Elizabeth Wharton (@lawyerliz) looks at the common misconception highlighted in this week's Silicon Valley episode.

by Elizabeth Wharton

Amidst the usual startup shenanigans and inside-valley jokes, HBO's Silicon Valley Season 3, Episode 1 contained a sharp reminder: lawyer loyalty runs with the "client," so know whether you are the client. A lawyer hired by a company has the entity as its client, not the individuals or officers of that company. If you want an attorney, then hire your own.

Silicon Valley Season 3, Episode 1 - Setting the Scene (without too many spoilers, I promise)
Upon learning of a board room ouster from the CEO to the CTO role, the startup company's founder Richard storms into the meeting with two board "friends" in Continue reading

My next scan

So starting next week, and running for a week, I plan on scanning for ports 0-65535 (TCP). Each probe will be a completely random selection of IP+port. The purpose is to answer the question about the most common open ports.

Scanning every port on every address would take a couple of years, so I'm not going to do that. But scanning for a week should give me a good statistical sampling of 1% of the total possible combinations.

Specifically, the scan will open a connection and wait a few seconds for a banner. Protocols like FTP, SSH, and VNC reply first with data, before you send requests. Doing this should find such things lurking at odd ports. We know that port 22 is the most common for SSH, but what is the second most common?

Then, if I get no banner in response, I'll send an SSL "Hello" message. We know that port 443 is the most common SSL port, but what is the second most common?

In other words, by waiting for SSH, then sending SSL, I'll find SSH even if it's on the (wrong) port of 443, and I'll find SSL even if it's on port 22. And all other ports, too.

Continue reading

Securing BGP: A Case Study (8)

Throughout the last several months, I’ve been building a set of posts examining securing BGP as a sort of case study around protocol and/or system design. The point of this series of posts isn’t to find a way to secure BGP specifically, but rather to look at the kinds of problems we need to think about when building such a system. The interplay between technical and business requirements is wide and deep. In this post, I’m going to summarize the requirements drawn from the last seven posts in the series.

Don’t try to prove things you can’t. This might feel like a bit of an “anti-requirement,” but the point is still important. In this case, we can’t prove which path traffic will flow along. We also can’t enforce policies, specifically “don’t transit this AS;” the best we can do is to provide information and let other operators make a local decision about what to follow and what not to follow. In the larger sense, it’s important to understand what can, and what can’t, be solved, or rather what the practical limits of any solution might be, as close to the beginning of the design phase as possible.

In the Continue reading

Technology Short Take #65

Welcome to Technology Short Take #65! As usual, I gathered an odd collection of links and articles from around the web on key data center technologies and trends. I hope you find something useful!

Networking

  • Michael Ryom has a nice (but short) article on using Log Insight along with a NetFlow proxy to help provide more detailed visibility into traffic flows between VMs on NSX logical networks.
  • Brent Salisbury has an article on GoBGP, a Go-based BGP implementation. BGP seems to be emerging as an early front-runner for a standards-based control plane for software networking. Couple something like GoBGP with IPVLAN L3 (see Brent’s article) and you’ve got a new model for your data center network.
  • Andy Hill has an article on doing rolling F5 upgrades using Ansible.
  • Filip Verloy has an article that discusses the integration between Nuage Networks and Fortinet.
  • This should probably go in the “Cloud Computing/Cloud Management” section, but the boundaries between areas are getting more and more blurry every day. (Thankfully, due to LASIK my vision is sharper than ever.) In any case, here’s a post by Marcos Hernandex on the use of subnet pools in OpenStack. Although Marcos’ post discusses them Continue reading

Securing BGP: A Case Study (7)

In the last post on this series on securing BGP, I considered a couple of extra questions around business problems that relate to BGP. This time, I want to consider the problem of convergence speed in light of any sort of BGP security system. The next post (to provide something of a road map) should pull all the requirements side together into a single post, so we can begin working through some of the solutions available. Ultimately, as this is a case study, we’re after a set of tradeoffs for each solution, rather than a final decision about which solution to use.

The question we need to consider here is: should the information used to provide validation for BGP be somewhat centralized, or fully distributed? The CAP theorem tells us that there are a range of choices here, with the two extreme cases being—

  • A single copy of the database we’re using to provide validation information which is always consistent
  • Multiple disconnected copies of the database we’re using to provide validation which is only intermittently consistent

Between these two extremes there are a range of choices (reducing all possibilities to these two extremes is, in fact, a misuse of the Continue reading

Defining “Gray Hat”

WIRED has written an article defining “White Hat”, “Black Hat”, and “Grey Hat”. It’s incomplete and partisan.

Black Hats are the bad guys: cybercriminals (like Russian cybercrime gangs), cyberspies (like the Chinese state-sponsored hackers that broke into OPM), or cyberterrorists (ISIS hackers who want to crash the power grid). They may or may not include cybervandals (like some Anonymous activity) that simply deface websites. Black Hats are those who want to cause damage or profit at the expense of others.

White Hats do the same thing as Black Hats, but are the good guys. They break into networks (as pentesters), but only with permission, when a company/organization hires them to break into its own network. They research the security art, such as vulnerabilities, exploits, and viruses. When they find vulnerabilities, they typically work to fix/patch them. (That you frequently have to apply security updates to your computers/devices is primarily due to White Hats.) They develop products and tools for use by good guys (even though they sometimes can be used by the bad guys). The movie “Sneakers” refers to a team of White Hat hackers.

Grey Hat is anything that doesn’t fit nicely within these Continue reading

Securing BGP: A Case Study (6)

In my last post on securing BGP, I said—

Here I’m going to discuss the problem of a centralized versus distributed database to carry the information needed to secure BGP. There are actually, again, two elements to this problem—a set of pure technical issues, and a set of more business related problems. The technical problems revolve around the CAP theorem, which is something that wants to be discussed in a separate post; I’ll do something on CAP in a separate post next week and link it back to this series.

The CAP theorem post referenced above is here.

Before I dive into the technical issues, I want to return to the business issues for a moment. In a call this week on the topic of BGP security, someone pointed out that there is no difference between an advertisement in BGP asserting some piece of information (reachability or connectivity, take your pick), and an advertisement outside BGP asserting this same bit of information. The point of the question is this: if I can’t trust you to advertise the right thing in one setting, then why should I trust you to advertise the right thing in another? More specifically, if you’re using Continue reading

No, Internet should be capitalized

The AP Stylebook and others are now declaring that "Internet" should no longer be capitalized, that you should just say "internet" instead. This is wrong, because the Internet is just an internet.

Internet is short for internetwork. This was a term developed in the 1970s to describe interconnecting networks together.

There were many internetworks back then. Each major computer manufacturer had its own, incompatible internetworking "protocol": IBM with its SNA, DEC with its DECnet, Xerox with XNS, and later Apple with its AppleTalk.

Since it would be nice to interconnect all computers, and not be locked into a single manufacturer, many efforts were taken to standardize internetworking protocols, so that all computers could be placed on the same network. Most people put their support behind GOSIP, the "Government Open Systems Interconnect Profile", a standard created by the biggest corporations and the biggest governments.

However, in 1982, the DoD paid a consulting company to add Xerox's XNS and a research project called "TCP/IP" into an early form of Unix. This form of Unix, called "BSD", was popular among universities. The DoD's goal was to make it easier for the researchers it funded to talk to each other. After this point, universities Continue reading

Technology Short Take #64

Welcome to Technology Short Take #64. Normally, I try to publish Short Takes on Friday, but this past Friday was April Fools’ Day. Given the propensity for “real” information to get lost among all the pranks, I decided to push this article back to today. Unlike most of what is published around April Fools’ Day, hopefully everything here is helpful, informative, and useful!

Networking

Some notes on Ubuntu Bash on Windows 10

So the latest news is that you can run Ubuntu and bash on Windows 10. In other words, from the bash command-line, you execute apt-get to get/run any Ubuntu binary -- the same binary that runs on Linux. How does it work?

I don't know yet, but browsing around on the Internet suggests that it's a kernel driver in Windows that emulates Linux system calls.

Remember, the operating system is two parts: the kernel and user-space. The interface between them is ~300 system calls. Most of these are pretty straightforward, such as opening a file, reading from the file, and closing the file.

To make a system call, you put the integer number in the eax/rax register, fill in the other registers as needed, then call the SYSENTER instruction.

Each process maintains a table of what the system calls do. In fact, a hacker/debugging/reversing technique is to edit that table in order to hook system calls, do some hackery things, then call the original system call.

That means Microsoft can write a driver, that runs in the kernel, that replaces the system calls for a process, from Windows ones to Linux ones. This driver then needs to emulate the Linux functionality. Continue reading

tl;dr of LambdaConf drama

Short: SJWs don't like person's politics, try to shut down small programming con due to person being speaker. (from @jcase).

Longer: LambdaConf (a tiny conference for LISP-like programming languages) accepted a speaker with objectionable political views, who under a pseudonym spouted Nazi-like propaganda. "Social justice" activists complained. The conference refused to un-invite the speaker, since his talk content was purely technical, not political. Also, because free-speech. Activists then leaned on sponsors, many of whom withdrew their support of the conference. Free-speech activists took up a collection, and replaced the lost money, so that the conference could continue.

Much longer:

LambdaConf is just a tiny conference put on by a small number of people. It exists because, in the last few years, there has been a resurgent interest in "functional languages".

The speaker in question is Curtis Yarvin. He has weird views, like wanting to establish a monarchy. Last year, he was censored from a similar conference, "Strangeloop", for a similar reason: a technical, non-political talk censored because people couldn't tolerate his politics. The current talk seems to be similar to the last one, about his "Urbit" project.

LambdaConf, in the spirit of diversity, stripped the authors' names when Continue reading

Automating Security Group and Policy Creation with NSX REST API

As we’ve seen in many of the prior posts, VMware NSX is a powerful platform decoupling networking services from physical infrastructure. NSX effectively enables logical networking and security within a virtualized environment; this brings many of the same benefits we’re familiar with gaining from server virtualization, such as flexibility, faster provisioning, better utilization of hardware, cost savings, decreased downtime, etc. One of the major benefits of the software approach that NSX brings is the ability to automate easily via REST API. In this post, we’ll take a look at a simple yet realistic use case focused around security where automation can help. Continue reading

Docker Machine, OpenStack, and SSH Keys

I wanted to provide readers a quick “heads up” about some unexpected behavior regarding Docker Machine and OpenStack. It’s not a huge deal, but it could catch someone off-guard if they aren’t aware of what’s happening.

This post builds on the earlier post I published on using Docker Machine with OpenStack; specifically, the section about using Docker Machine’s native OpenStack driver to provision instances on an OpenStack cloud. As a quick recap, recall that you can provision instances on an OpenStack cloud (and have Docker Engine installed and configured on those instances) with a command like this:

docker-machine create -d openstack \
    --openstack-flavor-id 3 \
    --openstack-image-name "Ubuntu 14.04.3 LTS x64" \
    --openstack-net-name lab-net-5 \
    --openstack-floatingip-pool ext-net-5 \
    --openstack-sec-groups docker,basic-services \
    instance-name

(Note that I didn’t include all of the optional parameters; refer to either my earlier blog post or the Docker Machine OpenStack driver reference for more details).

One of the optional parameters for Docker Machine’s OpenStack driver is the --openstack-keypair-name parameter, which allows you to specify the name of an existing keypair to use with instances created by Docker Machine. If you omit this parameter, as I have above, then Docker Machine will auto-generate a new SSH Continue reading