Expanding the DNS Root: Hyperlocal vs NSEC Caching

The root zone of the DNS has been the focal point of many DNS conversations for decades. One set of conversations, which is a major preoccupation of ICANN meetings, concerns what labels are contained in the root zone. A separate set of conversations concern how this root zone is served in the context of the DNS resolution protocol. In this article I'd like to look at the second topic, and, in particular, look at two proposals to augment the way the root zone is served to the DNS.

Summary of Authentication Methods in Red Hat Ansible Tower

Ansible-Blog-Tower-Authentication-Overview-Screen

Red Hat Ansible Tower 3.4.0 has added token authentication as a new method for authentication so I wanted to use this post to summarize the numerous enterprise authentication methods and the best use case for each. Ansible Tower is designed for organizations to centralize and control their automation with a visual dashboard for out-of-the box control while providing a REST API to integrate with your other tooling on a deeper level. We support a number of authentication methods to make it easy to embed Ansible Tower into existing tools and processes to help ensure the right people can access Ansible Tower resources. For this blog post I will go over four of Ansible Tower’s authentication methods: Session, Basic, OAuth2 Token, and Single Sign-on (SSO). For each method I will provide some quick examples and links to the relevant supporting documentation, so you can easily integrate Ansible Tower into your environment.

1. Session Authentication

Session authentication is what’s used when logging in directly to Ansible Tower’s API or UI. It is used when a user wants to remain logged in for a prolonged period of time, not just for that HTTP request, i.e. when browsing the UI or Continue reading

Practical Simplification

Simplification is a constant theme not only here, and in my talks, but across the network engineering world right now. But what does this mean practically? Looking at a complex network, how do you begin simplifying?

The first option is to abstract, abstract again, and abstract some more. But before diving into deep abstraction, remember that abstraction is both a good and bad thing. Abstraction can reduce the amount of state in a network, and reduce the speed at which that state changes. Abstraction can cover a multitude of sins in the legacy part of the network, but abstractions also leak!!! In fact, all nontrivial abstractions leak. Following this logic through: all non-trivial abstractions leak; the more non-trivial the abstraction, the more it will leak; the more complexity an abstraction is covering, the less trivial the abstraction will be. Hence: the more complexity you are covering with an abstraction, the more it will leak.

Abstraction, then, is only one part of the solution. You must not only abstract, but you must also simplify the underlying bits of the system you are covering with the abstraction. This is a point we often miss.

Which returns us to our original question. The Continue reading

10 Years of Auditing Online Trust – What’s Changed?

Last week we released the 10th Online Trust Audit & Honor Roll, which is a comprehensive evaluation of an organization’s consumer protection, data security, and privacy practices. If you want to learn more about this year’s results, please join us for our webinar on Wednesday, 24 April, at 1PM EDT / 5PM UTC. Today, though, we thought it would be interesting to see how the Audit and results have evolved over time. Here are some quick highlights over the years:

  • 2005 – The Online Trust Alliance issued “scorecards” tracking adoption of email authentication (SPF) in Fortune 500 companies.
  • 2008 – Added DKIM tracking to the scorecards, and extended the sectors to include the US federal government, banks, and Internet retailers.
  • 2009 – Shifted from scorecard to “Audit” because criteria were expanded to include Extended Validation (EV) certificates and elements of site security (e.g., website malware).
  • 2010 – Introduced the Honor Roll concept, highlighting organizations following best practices. Only 8% made the Honor Roll.
  • 2012 – Expanded criteria to include DMARC, Qualys SSL Labs website assessment, and scoring of privacy statements and trackers. Shifted overall sector focus to consumer-facing organizations, so dropped the Fortune 500 and added Continue reading

Network Break 231: CloudGenix Loads Up On VC Cash For SD-WAN Fight; Apple Settles With Qualcomm

Today's Network Break examines a $65 million investment in CloudGenix and what it says about the SD-WAN market, a new cloud-based packet processor from Nubeva, why Apple settled with Qualcomm just before trial, and more tech news.

The post Network Break 231: CloudGenix Loads Up On VC Cash For SD-WAN Fight; Apple Settles With Qualcomm appeared first on Packet Pushers.

The Week in Internet News: Arkansas Reverses Ban on Municipal Broadband

Change in direction: A story at CityLab.com examines why the state of Arkansas has moved to rescind a 2011 ban on community-financed broadband networks. The state is the least connected in the U.S., according to one group, and residents have complained about “lousy” broadband options.

White and male: The Artificial Intelligence too white and too male, according to research from the AI Now Institute at New York University. About 80 percent of AI professors are men, and just 15 percent of the AI research staff at Facebook and 10 percent at Google are women, notes a story on the research at The Verge. Racial minorities also make up a small percentage of AI staff at large tech vendors.

Comey vs. encryption: Former U.S. FBI Director James Comey, who pushed for ways for law enforcement agencies to break into encrypted devices while he was in government, now says he would have taken a different approach to the encryption debate, the Washington Post reports. Comey says it was “dumb” to launch the encryption debate by criticizing U.S. tech companies. However, he still believes law enforcement agencies need access to encrypted communications.

Censorship vs. disinformation: The Ukraine government Continue reading

How and where to use serverless computing

Is your organization ready to go serverless? The trend toward serverless computing is clearly on the rise, but that doesn’t mean it works ideally for every scenario or organization.Serverless computing is a software architecture model in which a cloud service provider runs the server for a customer and dynamically manages the allocation of computing resources. The term “serverless” is a misnomer, in the sense that servers are still involved in the process. Learn more about serverless computingTo read this article in full, please click here

How and where to use serverless computing

Is your organization ready to go serverless? The trend toward serverless computing is clearly on the rise, but that doesn’t mean it works ideally for every scenario or organization.Serverless computing is a software architecture model in which a cloud service provider runs the server for a customer and dynamically manages the allocation of computing resources. The term “serverless” is a misnomer, in the sense that servers are still involved in the process. Learn more about serverless computingTo read this article in full, please click here

End of term

We’ve reached the end of term again on The Morning Paper, and I’ll be taking a two week break. The Morning Paper will resume on Tuesday 7th May (since Monday 6th is a public holiday in the UK).

My end of term tradition is to highlight a few of the papers from the term that I especially enjoyed, but this time around I want to let one work stand alone:

You might also enjoy “The Mess We’re In,” and Joe’s seven deadly sins of programming:

  1. Code even you cannot understand a week after you wrote it – no comments
  2. Code with no specifications
  3. Code that is shipped as soon as it runs and before it is beautiful
  4. Code with added features
  5. Code that is very very fast very very very obscure and incorrect
  6. Code that is not beautiful
  7. Code that you wrote without understanding the problem

We’re in an even bigger mess without you Joe. Thank you for everything. RIP.

Programming languages infosec professionals should learn

Code is an essential skill of the infosec professional, but there are so many languages to choose from. What language should you learn? As a heavy coder, I thought I'd answer that question, or at least give some perspective.

The tl;dr is JavaScript. Whatever other language you learn, you'll also need to learn JavaScript. It's the language of browsers, Word macros, JSON, NodeJS server side, scripting on the command-line, and Electron apps. You'll also need to a bit of bash and/or PowerShell scripting skills, or SQL for queries. Other languages are important as well, Python is very popular for example. Actively avoid C++ and PHP as they are obsolete.

Also tl;dr: whatever language you decide to learn, also learn how to use an IDE with visual debugging, rather than just a text editor. That problems means Visual Code from Microsoft.

Let's talk in general terms. Here are some types of languages.

  • Unavoidable. As mentioned above, familiarity with JavaScript, bash/Powershell, and SQL are unavoidable. If you are avoiding them, you are doing something wrong.
  • Small scripts. You need to learn at least one language for writing quick-and-dirty command-line scripts to automate tasks or process data. As a tool using animal, this Continue reading

Was it a Chinese spy or confused tourist?

Politico has an article from a former spy analyzing whether the "spy" they caught at Mar-a-lago (Trump's Florida vacation spot) was actually a "spy". I thought I'd add to it from a technical perspective about her malware, USB drives, phones, cash, and so on.

The part that has gotten the most press is that she had a USB drive with evil malware. We've belittled the Secret Service agents who infected themselves, and we've used this as the most important reason to suspect she was a spy.

But it's nonsense.

It could be something significant, but we can't know that based on the details that have been reported. What the Secret Service reported was that it "started installing software". That's a symptom of a USB device installing drivers, not malware. Common USB devices, such as WiFi adapters, Bluetooth adapters, microSD readers, and 2FA keys look identical to flash drives, and when inserted into a computer, cause Windows to install drivers.

Visual "installing files" is not a symptom of malware. When malware does its job right, there are no symptoms. It installs invisibly in the background. Thats the entire point of malware, that you don't know it's there. It's not to say Continue reading
1 1,209 1,210 1,211 1,212 1,213 3,796