VMware Eyes Security and Networking for Docker Containers
Enterprises are combining containers and VMs for production environments, backing up VMware's arguments.
Some notes when ordering Google’s Project Fi
I just ordered my "Project Fi" phone. You probably should, too. Here are some notes (especially near the bottom on getting a new phone number).Project Fi is Google's MVNO. An "MVNO" is a virtual mobile phone company -- they don't have any of their own network backbone or cell towers, but just rent them from the real mobile phone companies (like AT&T or T-Mobile). Most mobile phone companies are actually MVNOs, because building a physical network is expensive.
What makes Google's MVNO interesting:
- Straightforward pricing. It's $20 a month for unlimited calling/texting, plus $10 per gigabyte of data used during the month. It includes tethering.
- No roaming charges, in 120 countries. I can fly to Japan, Australia, and France, and still use email, Google maps, texting -- for no extra charge.
The pricing is similar to other phone companies, a little less or a little more depending on exactly what you want. For around 3 gigs a month, Project Fi is cheaper than AT&T, but for 30 gigs, it's more expensive.
There are more and more MVNOs providing easy international roaming (like Ultra.me), and your own phone company is increasingly solving the problem. T-Mobile, for example, Continue reading
There are more and more MVNOs providing easy international roaming (like Ultra.me), and your own phone company is increasingly solving the problem. T-Mobile, for example, Continue reading
CyberUL is a dumb idea
Peiter “mudge” Zatko is leaving Google, asked by the White House to create a sort of a cyber “Underwriter Laboratories” (UL) for the government. UL is the organization that certifies electrical devices, so that they don’t short out and zap you to death. But here’s the thing: a CyberUL is a dumb idea. It’s the Vogon approach to the problem. It imagines that security comes from a moral weakness that could be solved by getting “serious” about the problem.It’s not the hacking problem
According to data-breach reports, 95% of all attacks are simple things, like phishing, SQL injection, and bad passwords – nothing related to software quality. The other 5% is because victims are using old, unpatched software. When exploits are used, it’s overwhelmingly for software that has remained unpatched for a year.
In other words, CyberUL addresses less than 0.1% of real-world attacks.
It’s not the same quality problem
UL is about accidental failures in electronics. CyberUL would be about intentional attacks against software. These are unrelated issues. Stopping accidental failures is a solved problem in many fields. Stopping attacks is something nobody has solved in any field.
In other words, the UL model of accidents is Continue reading
Cisco to Buy Security Firm OpenDNS for $635M
Cisco's security obsession creates an exit for the DNS startup.
Cisco and OpenDNS – The Name Of The Game?
This morning, Cisco announced their intent to acquire OpenDNS, a security-as-a-service (SaaS) provider based around the idea of using Domain Naming Service (DNS) as a method for preventing the spread of malware and other exploits. I’ve used the OpenDNS free offering in the past as a way to offer basic web filtering to schools without funds as well as using OpenDNS at home for speedy name resolution when my local name servers have failed me miserably.
This acquistion is curious to me. It seems to be a line of business that is totally alien to Cisco at this time. There are a couple of interesting opportunities that have arisen from the discussions around it though.
Internet of Things With Names
The first and most obivious synergy with Cisco and OpenDNS is around Internet of Things (IoT) or Internent of Everything (IoE) as Cisco has branded their offering. IoT/IoE has gotten a huge amount of attention from Cisco in the past 18 months as more and more devices come online from thermostats to appliances to light sockets. The number of formerly dumb devices that now have wireless radios and computers to send information is staggering.
All of those devices depend Continue reading
DockerCon 2015 Videos: Day 2 of Docker, Docker, Docker
We posted more videos from DockerCon 2015! Below are the recorded video and slides from the sessions on Day 2 in the Docker, Docker, Docker track at DockerCon 2015. We will publish more videos this week, as soon as we process them. … ContinuedHow to build your own public key infrastructure
A major part of securing a network as geographically diverse as CloudFlare’s is protecting data as it travels between datacenters. Customer data and logs are important to protect but so is all the control data that our applications use to communicate with each other. For example, our application servers need to securely communicate with our new datacenter in Osaka, Japan.
CC BY-SA 2.0 image by kris krüg
Great security architecture requires a defense system with multiple layers of protection. As CloudFlare’s services have grown, the need to secure application-to-application communication has grown with it. As a result, we needed a simple and maintainable way to ensure that all communication between CloudFlare’s internal services stay protected, so we built one based on known and reliable protocols.
Our system of trust is based on a Public Key Infrastructure (PKI) using internally-hosted Certificate Authorities (CAs). In this post we will describe how we built our PKI, how we use it internally, and how to run your own with our open source software. This is a long post with lots of information, grab a coffee!
Protection at the application layer
Most reasonably complex modern web services are not made up of one monolithic Continue reading
Worth Reading: Don’t be so Surprised
The post Worth Reading: Don’t be so Surprised appeared first on 'net work.
Introducing runC: a lightweight universal container runtime
Spinning Out Docker’s Plumbing: Part 1: Introducing runC On Infrastructure Plumbing To build a platform like Docker you need a lot of infrastructure plumbing; in fact over the past two years even though our code base has grown to tens … ContinuedVMware and Docker Deliver Greater Speeds through the Right Controls
This post was co-authored by Guido Appenzeller, CTSO of Networking and Security (@appenz), and Scott Lowe, Engineering 
Architect, Networking and Security Business Unit (@scott_lowe)
In today’s business environment, companies are being asked to go faster than ever before: faster time to market, faster response to customers, faster reactions to market shifts. Having a good idea isn’t enough; companies not only need to have a good idea, but they need get it to market fast, and quickly iterate on improvements to that idea. Speed is a competitive advantage.
The phenomenal success of the open source Docker project is a reflection of the pressure on companies to go faster. Companies across all industries have recognized that successful development teams can be a competitive differentiator. However, developers needed a way to simplify and accelerate the development and deployment of applications and code, and found Docker was one way to help accomplish that. Docker has won a place in the hearts and minds of many developers for its ability to help simplify the development and deployment of many different types of applications.
At the same time, companies face a bewildering array of security threats. Security and compliance remain as important as Continue reading
Google, Zero-Trust Networks, and the Future of Security
by Kevin Dooley, originally published on the Auvik blog Back in January, I blogged about some emerging trends in networking. One of theJust Out: Metro- and Carrier Ethernet Encryptors Market Overview
Christoph Jaggi has just published the third part of his Metro- and Carrier Ethernet Encryptor trilogy: the 2015 market overview. Public versions of all three documents are available for download on his web site:
Packets of Interest (2015-06-19)
It’s been a while since I’ve done a POI so here we go.
The Mystery of Duqu 2.0: a sophisticated cyberespionage actor returns
Kaspersky Lab found this new variant of the Duqu malware in their own network. They wrote a paper based on their analysis of this new malware. It fascinates me how sophisticated these software packages are and how much effort the threat actors put into them.
Diffie-Hellman Key Exchange
Diffie-Hellman (DH) is the world’s first public key crypto system. It’s used in everything from secure browsing, to secure shell. This video visually demonstrates how the Diffie-Hellman key exchange works. The best part is that you don’t need to know anything about crypto to follow along.
Passphrases That You Can Memorize – But That Even the NSA Can’t Guess
https://firstlook.org/theintercept/2015/03/26/passphrases-can-memorize-attackers-cant-guess/
Use this informative guide to generate secure, human-memorizable passphrases that are suitable for protecting your private PGP key, your private SSH key, and your master key for your password safe.
Encrypting Your Laptop Like You Mean It
https://firstlook.org/theintercept/2015/04/27/encrypting-laptop-like-mean/
A well written article about encrypting one’s laptop. Covers topics such as what disk encryption does and does not protect against, attacks against disk encryption, and Continue reading
Startup Radar: Menlo Security Taps Containers To Stop Malware
Startup Menlo Security tackles endpoint malware prevention using containers to proxy Web and email sessions.
Author information
The post Startup Radar: Menlo Security Taps Containers To Stop Malware appeared first on Packet Pushers Podcast and was written by Drew Conry-Murray.
How would you use Lua scripting in a DNS server?
I'm currently putting Lua into a DNS server, and I'm trying to figure out how people would use it.A typical application would be load-balancing. How I would do this is to create a background Lua thread that frequently (many times a second) queried an external resource to discover current server utilitzation, then rewrote the RRset for that server to put the least utilized server first. This would technically change the zone, but wouldn't be handled as such (i.e. wouldn't trigger serial number changes, wouldn't trigger notification of slave zones).
Such a thread could be used for zone backends. Right now, DNS servers support complex backends like SQL servers and LDAP servers. Instead of making the server code complex, this could easily be done with a Lua thread, that regularly scans an SQL/LDAP server for changes and updates the zone in memory with the changes.
Both these examples are updating static information. One possible alternative is to execute a Lua script on each and every DNS query, such as adding a resource record to a zone that would look like this:
*.foo.example.com. TXT $LUA:my_script
Every query would cause the script to be executed. There are some Continue reading
Because dossiers
Here's the thing about computers -- even your laptop can support "big-data" applications. There are only 300-million people in the united states. At 1-kilobyte per person, that's still only 300-gigabytes -- which fits on my laptop hard-drive.Building dossiers is becoming a thing in the hacking underground. Every time they break into a retail chain, hospital, insurance company, or government agency, they correlate everything back to the same dossier, based on such things as social security numbers, credit card numbers, email addresses, and even IP addresses. Beyond hacked secrets, public sources of information are likewise scanned in order to add to the dossier. Tools such as Maltego make it surprisingly easy to combine your own private information with public sources in order to build such dossiers.
When even the small hacking groups are focused on this effort, you can bet the big guys like China and Russia are even more interested in this.
This is one explanation behind the OPM hack. The hackers may have had something specific in mind, such as getting the personal information from SF86 forms where those seeking clearance are forced to disclose their various addictions and perversions. It may be used to blackmail people -- Continue reading
Should I panic because Lastpass was hacked?
Maybe, maybe not. Lastpass uses 100000 iterations in its PBKDF2 algorithm. If you chose a long, non-dictionary password, nobody can crack it. Conversely, if you haven't, then yes, you need to change it.I benchmarked this on my computer using "oclHashcat". It's not an exact match with the Lastpass algorithm, but it's close enough to show the performance.
As you can see, my machine is getting 2577 (two and a half thousand) random password guesses per second. This may sound like a lot, but it's not not, because cracking passwords is exponentially difficult.
Consider normal hashes, not the stronger ones used by Lastpass. My desktop can crack 1 billion of those per second. Consider that a password can be built from UPPER and lower case letters, numbers, and punctuation marks -- or about 64 variations per character.
In this case, a 5 letter password has 1 billion combinations, so a fast computer can guess it in a second. Adding one letter, with it's 64 different possibilities, makes this 64 times harder, meaning it'll take a minute. Another letter (7), and it becomes an hour. Another letter (to 8), and it becomes several days. Another letter (9), and it becomes a Continue reading
How to code: lesson 27
I was reading some code on the Internet today and came across this:
The thing to notice is the hang & symbols in front of the variables, instead of just making things line up. It's a stylistic quirk of the author of this code. It's a good lesson on what not to do.
There is only one important style rule and it is this: make your code look like everyone else's. The question isn't whether it's good or bad, only that it's unusual. Yes, this quick is relatively insignificant, but I point it out is that you should not be tempted, even on the smallest of things.
You see this with the evolution of programmers. In the beginning, their code is quirky as hell. Over time, as they they are exposed to more and more source by others, they start to see how these quirks are irritating, and stop doing them in their own code. The style becomes blander and blander -- but at the same time, the greatness of their construction of the code starts to shine.
When you start writing great code, you'll eventually have to break this rule and do something big and strange. For example, I Continue reading
How we really know the Sunday Times story is bogus
Stories sourced entirely from "anonymous senior government officials" are propaganda, not journalism. The identities of the sources are hidden not to protect them from speaking out against the government, since they are in fact delivering exactly the message the government wants to get out. Instead, their identities are kept secret so that their message cannot be challenged.It's not just me claiming this. Every journalistic organization criticizes the practice. Every set of journalistic ethics guidelines calls this unethical.
Yet, somehow it keeps happening. The latest example is the The Sunday Times, Britains largest newspaper, reporting government officials critical of Snowden. We know the story is bogus, because it quotes solely government official spouting the party line. Moreover, even if that weren't the case, it's obvious propaganda, arguing one side of the story, and not even attempting to get the other point of view from Russia, China, or Snowden himself. Snowden is often quoted in newspapers, he can't be that hard to get a hold of. Not contacting Snowden for his side is also a violation of journalistic ethics.
I point this out because there are lots of good criticisms of the story, for example, pointing out that the correct term Continue reading
Global Collateral Damage of TMnet leak
The Washington Post recently published a great piece about the development and current weaknesses of the Border Gateway Protocol (BGP, which is used to route all Internet traffic). This morning Telekom Malaysia (a.k.a TMnet) helped to illustrate the points made in the article by leaking almost half of the global routing table via Level 3 at 08:44 UTC.
Some of the most affected companies were those peering with Telekom Malaysia. The following graphics illustrate the impact to routes from Amazon and Cloudflare.
 |
 |
Google’s extensive peering likely insulated it from some of the effects of having its routes leaked. However, it didn’t escape the incident completely unscathed. Here is an example of a normal traceroute to Google’s data center in Council Bluffs, Iowa from Prague, which goes via Frankfurt and London before crossing the Atlantic Ocean.
trace from Prague to Google, Council Bluffs, IA at 02:45 Jun 11, 2015
1 *
2 212.162.8.253 ge-6-14.car2.Prague1.Level3.net 16.583
3 4.69.154.135 ae-3-80.edge3.Frankfurt1.Level3.net 22.934
4 4.68.70.186 Level 3 (Frankfurt, DE) 23.101
5 209.85.241.110 Google (Frankfurt, DE) 23.796
6 209.85.250.143 Google (Frankfurt, DE) 24.086
7 72.14.235.17 Google (London, GB) 32.709
8 209.85.247.145 Google (New York City) 103.091
9 216.239.46.217 Google (Council Bluffs) 133.098
10 209.85.250.4 Google (Council Bluffs) 133.245
11 216.239.43.217 Google (Council Bluffs) 133. Continue reading